An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party2 or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.
For sensitive information (i.e., personal information specifying medical or health conditions, personal sexuality, racial or ethnic origin, political opinions, religious, ideological or trade union-related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings), they must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt in choice. In any case, an organization should treat as sensitive any information received from a third party where the third party identifies and treats it as sensitive.
In observing the Choice Principle, organizations should take note of Article 4(3) FADP, which provides, “Personal data may only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided by law.”
It is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization (Art. 10a FADP). The Onward Transfer Principle, on the other hand, does apply to such disclosures.