https://gdprhub.eu/api.php?hidebots=1&urlversion=1&days=7&limit=50&target=AEPD_%28Spain%29_-_E%2F03882%2F2020&action=feedrecentchanges&feedformat=atomGDPRhub - Changes related to "AEPD (Spain) - E/03882/2020" [en]2024-03-19T12:38:31ZRelated changesMediaWiki 1.39.6https://gdprhub.eu/index.php?title=Article_6_GDPR&diff=40405&oldid=40381Article 6 GDPR2024-03-18T15:39:13Z<p><span dir="auto"><span class="autocomment">Necessity</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 15:39, 18 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l258">Line 258:</td>
<td colspan="2" class="diff-lineno">Line 258:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The concept of "necessity" is used five of the six legal basis (Article 6(1)(b) to (f) GDPR). Only consent does not contain the requirement, as consent must be "specific" anyways. The concept of "necessity" must be interpreted in the light of applicable European law and is also known under Article 52(1) of the Charter of Fundamental Rights. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The concept of "necessity" is used five of the six legal basis (Article 6(1)(b) to (f) GDPR). Only consent does not contain the requirement, as consent must be "specific" anyways. The concept of "necessity" must be interpreted in the light of applicable European law and is also known under Article 52(1) of the Charter of Fundamental Rights. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The CJEU generally follows a concept of strict necessity and a narrow interpretation.<blockquote><u>Case Law:</u> In [[CJEU - C-524/06 - Huber|C‑524/06 - ''Huber'']] on a German central register to manage matters in relation to foreign nationals the CJEU held that the “''concept'' [of necessity] ''...has its own independent meaning in Community law and ... must be interpreted in a manner which fully reflects the objective of'' [Directive 95/46/EC]”.<ref>CJEU, Case C‑524/06, ''Huber'', 18 December 2008, margin number 52 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=76077&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3377266 here]).</ref> The CJEU held that such a register must not contain any information other than what is necessary for the purpose of implementing specific laws on foreign nationals.</blockquote>From a systematic point of view any legal basis under Article 6(1) GDPR constitutes an exemption to the general prohibition of data processing. As such, the exemption itself and all the wording it carries, including the "necessity" requirement, must be interpreted narrowly.<blockquote><u>Case Law:</u> In [[CJEU - C‑13/16 - Rīgas satiksme|C‑13/16 - ''Rīgas satiksme'']] on the use of personal data after a traffic accident the CJEU held: “''As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary''”.<ref>CJEU, Case C‑13/16, ''Rīgas satiksme'', 4 May 2017, margin number 30 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=190322&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3378015 here]).</ref> In joined Cases C‑92/09 and C‑93/09 ''- Volker und Markus Schecke and Eifert'' on a European law requiring the publication of recipients of agricultural subsidies the CJEU held that: "''limitations in relation to the protection of personal data must apply only in so far as is strictly necessary''".<ref>CJEU, Joined Cases C‑92/09 and C‑93/09, ''Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen'', paragraph 86, 9. November 2010 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=79163&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3378952 here]).</ref></blockquote>Despite the narrow interpretation of strict necessity, a controller is not prohibited from using personal data, just because there is a theoretical alternative that does not include the use of personal data, only realistic alternative must be considered. Processing that is "useful" but not objectively "necessary" is not covered and hence not allowed. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The CJEU generally follows a concept of strict necessity and a narrow interpretation.<blockquote><u>Case Law:</u> In [[CJEU - C-524/06 - Huber|C‑524/06 - ''Huber'']] on a German central register to manage matters in relation to foreign nationals the CJEU held that the “''concept'' [of necessity] ''...has its own independent meaning in Community law and ... must be interpreted in a manner which fully reflects the objective of'' [Directive 95/46/EC]”.<ref>CJEU, Case C‑524/06, ''Huber'', 18 December 2008, margin number 52 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=76077&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3377266 here]).</ref> The CJEU held that such a register must not contain any information other than what is necessary for the purpose of implementing specific laws on foreign nationals.</blockquote>From a systematic point of view any legal basis under Article 6(1) GDPR constitutes an exemption to the general prohibition of data processing. As such, the exemption itself and all the wording it carries, including the "necessity" requirement, must be interpreted narrowly.<blockquote><u>Case Law:</u> In [[CJEU - C‑13/16 - Rīgas satiksme|C‑13/16 - ''Rīgas satiksme'']] on the use of personal data after a traffic accident the CJEU held: “''As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary''”.<ref>CJEU, Case C‑13/16, ''Rīgas satiksme'', 4 May 2017, margin number 30 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=190322&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3378015 here]).</ref> In <ins style="font-weight: bold; text-decoration: none;">[[CJEU - Joined Cases C-92/09 and C-93/09 - Volker and Markus|</ins>joined Cases C‑92/09 and C‑93/09 ''- Volker und Markus Schecke and Eifert''<ins style="font-weight: bold; text-decoration: none;">]] </ins>on a European law requiring the publication of recipients of agricultural subsidies the CJEU held that: "''limitations in relation to the protection of personal data must apply only in so far as is strictly necessary''".<ref>CJEU, Joined Cases C‑92/09 and C‑93/09, ''Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen'', paragraph 86, 9. November 2010 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=79163&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3378952 here]).</ref></blockquote>Despite the narrow interpretation of strict necessity, a controller is not prohibited from using personal data, just because there is a theoretical alternative that does not include the use of personal data, only realistic alternative must be considered. Processing that is "useful" but not objectively "necessary" is not covered and hence not allowed. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>For example [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en EDPB Guidelines 2/2019 on Article 6(1)(b)] have clarified that assessing what is "necessary" involves a factual analysis of the processing operations and their purpose(s) and whether less intrusive alternatives that achieve the same goal exist. If there are realistic, less intrusive processing operations, then the other more intrusive ones must be excluded – i.e. they are not "necessary" under EU law. Thus, Article 6(1)(b) does not “''cover processing which is useful but not objectively necessary for performing the contractual service''”.<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, 8 October 2019’ (Version 2.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>For example [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en EDPB Guidelines 2/2019 on Article 6(1)(b)] have clarified that assessing what is "necessary" involves a factual analysis of the processing operations and their purpose(s) and whether less intrusive alternatives that achieve the same goal exist. If there are realistic, less intrusive processing operations, then the other more intrusive ones must be excluded – i.e. they are not "necessary" under EU law. Thus, Article 6(1)(b) does not “''cover processing which is useful but not objectively necessary for performing the contractual service''”.<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, 8 October 2019’ (Version 2.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref> </div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40381:rev-40405 -->
</table>Sflhttps://gdprhub.eu/index.php?title=Article_6_GDPR&diff=40381&oldid=40284Article 6 GDPR2024-03-17T12:04:21Z<p><span dir="auto"><span class="autocomment">(4) Further processing</span></span></p>
<a href="https://gdprhub.eu/index.php?title=Article_6_GDPR&diff=40381&oldid=40284">Show changes</a>2A01:4F8:231:1DE2:0:0:1001:3