16
or an oral statement. This could include ticking a box when visiting an
internet website, choosing technical settings for information society
services or another statement or conduct which clearly indicates in
this context the data subject’s acceptance of the proposed processing
of his or her personal data. Silence, pre-ticked boxes or inactivity
should not therefore constitute consent. Consent should cover all
processing activities carried out for the same purpose or purposes.
When the processing has multiple purposes, consent should be given
for all of them. If the data subject’s consent is to be given following a
request by electronic means, the request must be clear, concise and
not unnecessarily disruptive to the use of the service for which it is
provided.
(33) It is often not possible to fully identify the purpose of personal data
processing for scientific research purposes at the time of data collection.
Therefore, data subjects should be allowed to give their consent to
certain areas of scientific research when in keeping with recognised
ethical standards for scientific research. Data subjects should have
the opportunity to give their consent only to certain areas of research
or parts of research projects to the extent allowed by the intended
purpose.
(34) Genetic data should be defined as personal data relating to the
inherited or acquired genetic characteristics of a natural person which
result from the analysis of a biological sample from the natural person
in question, in particular chromosomal, deoxyribonucleic acid (DNA) or
ribonucleic acid (RNA) analysis, or from the analysis of another element
enabling equivalent information to be obtained.
(35) Personal data concerning health should include all data pertaining to
the health status of a data subject which reveal information relating
to the past, current or future physical or mental health status of the
data subject. This includes information about the natural person
collected in the course of the registration for, or the provision of, health
care services as referred to in Directive 2011/24/EU of the European
Parliament and of the Council (9) to that natural person; a number,
symbol or particular assigned to a natural person to uniquely identify
the natural person for health purposes; information derived from the
testing or examination of a body part or bodily substance, including
from genetic data and biological samples; and any information on,
for example, a disease, disability, disease risk, medical history, clinical
treatment or the physiological or biomedical state of the data subject
independent of its source, for example from a physician or other health
professional, a hospital, a medical device or an in vitro diagnostic test.
(36) The main establishment of a controller in the Union should be the
place of its central administration in the Union, unless the decisions
on the purposes and means of the processing of personal data are
taken in another establishment of the controller in the Union, in which
case that other establishment should be considered to be the main
establishment. The main establishment of a controller in the Union
should be determined according to objective criteria and should imply
the effective and real exercise of management activities determining
themain decisions as to the purposes andmeans of processing through
stable arrangements. That criterion should not depend on whether the