    Privacy West

The following is just one example from the Action Plan section of the Privacy West Safe Harbor Report; this action plan covers the Choice principle of the Safe Harbor program. Your Privacy West Report contains action plans for Notice, Choice, Access, Data Integrity, Security, Onward Transfer, Enforcement, Internal Data Audit, and Self Certification/Recertification, as well as sections explaining these Safe Harbor requirements in depth and organizational and staff policy guides.

.    .     .

B. Action Plan Principle 2- Choice

Without the opportunity to choose how information is used, EU data subjects are unable to exercise their fundamental right to privacy. Choice, therefore, is the keystone of the safe harbor. Choice must be given as to the use of the information and as to whom the information may be transferred. Data subjects have either opt-out or opt-in rights, depending on the type of data.

An Action Plan for the Choice Principle:

1. Determine the types of data requested by your organization.

  • If the data requested is of a sensitive nature, ensure that the data subjects have given explicit opt-in consent to the use of the information or to the transfer of the information to third parties not acting as agents.
    • Sensitive information is defined as personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.
    • The opt-in consent must be unambiguous.
    • Opt-in consent should be made in writing and documented.

  • Is there an exception to the opt-in requirement? An organization does not have to provide explicit opt-in choice with respect to sensitive data "when the processing is:
      (1) in the vital interests of the data subject or another person;
      (2) necessary for the establishment of legal claims or defenses;
      (3) required to provide medical care or diagnosis;
      (4) carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects;
      (5) necessary to carry out the organization's obligations in the field of employment law; or
      (6) related to data that are manifestly made public by the individual."

  • If the data requested is of a non-sensitive nature, ensure that the data subjects have not opted out of the use of the information or the transfer of the information to third parties not acting as agents.

2. Determine the purposes for which your organization uses data.
  • Choice must be based on complete information as to the use of the EU data subject's personal data.

3. Determine all third parties to whom your organization transfers personal data.
  • For choice purposes, "third parties" do not include agents of the organization.

4. Ensure that there are means in place for the individual to opt out of the transfer or the use of their information when the information is first requested.
  • For websites, the opt-out option could be presented in the form of a check box.
  • Additionally, ensure that there are means and a location where individuals can opt out of the transfer or use of their information at a later date, not only when the information was first requested.
    • For websites, the fact that individuals can opt out at any time might require a dual location for the choice selection form. The first location is where the individuals first register. If the initial registration section does not give them the opportunity to update their choices, a second section with a separate opt-out form may be required for subsequent opt-out decisions. A standard mailing address may also be used.
    • To aid authentication of the data subject, a form for subsequent choices could be password protected.

5. Ensure that all data is being used for purposes that are compatible with the purposes for which it was originally collected or subsequently authorized by the individual.
  • Any subsequent change in the use of personal data requires additional consent.
  • Regularly audit the company's uses of information and update the privacy policy to reflect any changes.

.     .     .     .

All rights reserved. Copyright 2000-2002 Privacy West.