Article 6 GDPR: Difference between revisions

From GDPRhub
 
(36 intermediate revisions by 5 users not shown)
Line 216: Line 216:




<span id="4"> 4.  Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject"s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in [[Article 23 GDPR#1|Article 23(1)]], the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: </span>
<span id="4"> 4.  Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in [[Article 23 GDPR#1|Article 23(1)]], the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: </span>


::<span id="4a"> (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;</span>
::<span id="4a"> (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;</span>
Line 237: Line 237:
Paragraphs 2 and 3 deal with the options for Member States to implement laws that make processing under 6(1)(c) and (e) necessary.  
Paragraphs 2 and 3 deal with the options for Member States to implement laws that make processing under 6(1)(c) and (e) necessary.  


Paragraph 4 is actually linked to the "purpose limitation" principle in [[Article 5 GDPR|Article 5(1)(b) GDPR]] and further expands on what a "compatible purpose" is. <blockquote><u>EDPB Guidelines</u>: on this Article, please see [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-82020-targeting-social-media-users_en Guidelines 8/2020 on the targeted addressing of users of social media] </blockquote>
Paragraph 4 is actually linked to the "purpose limitation" principle in [[Article 5 GDPR|Article 5(1)(b) GDPR]] and further expands on what a "compatible purpose" is. <blockquote><u>EDPB Guidelines</u>: On this Article, please see EDPB 'Guidelines 05/2020 on consent under Regulation 2016/679', 4 May 2020 (Version 1.1) (available [https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en here]); EDPB, 'Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms', 17 April 2024 (available [https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-082024-valid-consent-context-consent-or_en here]); EDPB, 'Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects', 8 October 2019 (Version 2.0) (available [https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en here]); EDPB, 'Guidelines 8/2020 on the targeting of social media users', 13 April 2021 (Version 2.0) (available [https://www.edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf here]); EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1.0) (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</blockquote>


=== (1) Legal basis for processing ===
=== (1) Legal basis for processing ===
Line 243: Line 243:
==== Overview ====
==== Overview ====
===== Prohibition - with six exceptions =====
===== Prohibition - with six exceptions =====
Article 6(1) GDPR generally prohibits processing operations (<span id="1">"''processing shall be lawful only if''")</span> unless at least one of the six legal basis under (a) to (f) are fulfilled.  
Article 6(1) GDPR generally prohibits the processing of personal data unless at least one of the six legal bases listed under points (a) to (f) is fulfilled. This provision states that “''[p]rocessing shall be lawful only if''” one of these conditions applies, effectively setting a default position against unauthorized data processing.  


The general prohibition of data processing flows from the fact that under Article 8(2) of the Charter, the right to data protection is a fundamental rights ("''data must be processed ... on the basis of the consent of the person concerned or some other legitimate basis laid down by law''"). It is therefore important that the requirement to have a legal basis is interpreted in the light of the Charter and the principle of proportionality in Article 52(1) CFR. The system of Article 6(1) as a general prohibition, unless there is a justification is criticized in some Member States,<ref>See an overview on German criticism in ''Buchner/Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).</ref> but not unusual for a fundamental right. Just like other fundamental rights (e.g. the right to property, freedom of expression or the right to physical integrity), the default position is, that others may not interfere with a data subject"s right to data protection, unless there is a justification.
This general prohibition flows from the fact that under Article 8(2) CFR, the right to data protection is recognized as a fundamental right ("''data must be processed ... on the basis of the consent of the person concerned or some other legitimate basis laid down by law''"). Therefore, the requirement to have a legal basis for processing personal data must be interpreted in light of the Charter and the principle of proportionality outlined in Article 52(1) CFR.
 
The system established by Article 6(1) GDPR—as a general prohibition unless there is a justification—has been criticized in some Member States for being overly restrictive. However, this approach is not unusual when dealing with fundamental rights. Just like other fundamental rights—such as the right to property, freedom of expression, or the right to physical integrity—the default position is that others may not interfere with a data subject’s right to data protection unless there is a justified legal basis.
 
It is therefore important that the requirement to have a legal basis is interpreted in the light of the Charter and the principle of proportionality in Article 52(1) CFR. The system of Article 6(1) as a general prohibition, unless there is a justification is criticized in some Member States,<ref>See an overview on German criticism in ''Buchner/Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).</ref> but not unusual for a fundamental right. Just like other fundamental rights (e.g. the right to property, freedom of expression or the right to physical integrity), the default position is, that others may not interfere with a data subject's right to data protection, unless there is a justification.  
 
{{Quote-CJEU|"[...] the first subparagraph of Article 6(1) of the GDPR sets out an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as lawful. Thus, in order to be capable of being regarded as such, processing must fall within one of the cases provided for in that provision [...]".|CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond|29|<small> See also: [[CJEU - C-252/21 - Meta Platforms and Others (General terms of use of a social network)]], margin number 90; [[CJEU - C-439/19 - Latvijas Republikas Saeima (Penalty points)]], margin number 99; [[CJEU - C‑708/18 - Asociaţia de Proprietari bloc M5A-ScaraA]]<nowiki>, margin number 37 and 38; [CJEU - C-582/14 - Breyer]] margin number 57; [CJEU - C-468/10 and C-469/10 - ASNEF and FECEMD (Joined Cases), margin numbers 36. </nowiki></small>}}


===== No hierarchy =====
===== No hierarchy =====
Line 251: Line 257:


===== Multiple legal bases =====
===== Multiple legal bases =====
While at least one legal basis has to be fulfilled, it is possible that there are multiple legal basis that a controller can rely at the same time ("<span id="1">''at least one''")</span>.  
While at least one legal basis has to be fulfilled, it is possible that there are multiple legal basis that a controller can rely at the same time ("<span id="1">''at least one''")</span>. However, as long as one of the legal bases in Article 6(1) GDPR applies, it is not necessary to determine whether that processing also falls within the scope of another legal basis.<ref>CJEU, Case C-621/22, ''Koninklijke Nederlandse Lawn Tennisbond,'' 4 October 2024, margin number 32 (available [[CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond|here]]).</ref>


Using multiple legal basis may however raise transparency issues under Article 5(1)(a), if a data subject for example thinks that personal data is processed solely based on consent (which can be withdrawn at any time), while in fact the controller also relies on another legal basis like a legal obligation (which does not allow for a withdrawal by the data subject). The data subjects would the be tricked into thinking that they have more agency than they really have.<ref>''Buchner/Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).</ref>
Using multiple legal basis may however raise transparency issues under Article 5(1)(a), if a data subject for example thinks that personal data is processed solely based on consent (which can be withdrawn at any time), while in fact the controller also relies on another legal basis like a legal obligation (which does not allow for a withdrawal by the data subject). The data subjects would the be tricked into thinking that they have more agency than they really have.<ref>''Buchner/Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).</ref>


===== Necessity =====
===== Necessity =====
The concept of "necessity" is used five of the six legal basis (Article 6(1)(b) to (f) GDPR). Only consent does not contain the requirement, as consent must be "specific" anyways. The concept of "necessity" must be interpreted in the light of applicable European law and is also known under Article 52(1) of the Charter of Fundamental Rights.  
The concept of "necessity" is used five of the six legal basis (Article 6(1)(b) to (f) GDPR). Only consent does not contain the requirement, as consent must be "specific" anyways. The concept of "necessity" must be interpreted as in the light of applicable European law and is also known under Article 52(1) of the Charter of Fundamental Rights. Therefore, its interpretation must fully reflect the objectives of data protection law.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 28 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> 
 
{{Quote-EDPB|"Assessing what is ‘necessary’ involves ascertaining whether in practice the legitimate data processing interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects. If there are reasonable, just as effective, but less intrusive alternatives, the processing may not be considered to be ‘necessary’. In this context, the CJEU expressly recalled that the condition relating to the need for processing must be examined in conjunction with the ‘data minimisation’ principle enshrined in Article 5(1)(c) GDPR, in accordance with which personal data must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. The Court also emphasised that a processing should be carried out ‘only in so far as is strictly necessary’ for the purposes of the legitimate interest identified. This requirement of strict necessity is also emphasised, for instance, in Recital 47 GDPR, which states that ‘[t]he processing of personal data strictly necessary for the purposes of preventing fraud […] constitutes a legitimate interest of the data controller concerned.’"|EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 29|4=https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf|Footnotes (including references to the CJEU case law) were omitted in this quote.}}


The CJEU generally follows a concept of strict necessity and a narrow interpretation.<blockquote><u>Case Law:</u> In [[CJEU - C-524/06 - Huber|C‑524/06 - ''Huber'']] on a German central register to manage matters in relation to foreign nationals the CJEU held that the “''concept'' [of necessity] ''...has its own independent meaning in Community law and ... must be interpreted in a manner which fully reflects the objective of'' [Directive 95/46/EC]”.<ref>CJEU, Case C‑524/06, ''Huber'', 18 December 2008, margin number 52 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=76077&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3377266 here]).</ref> The CJEU held that such a register must not contain any information other than what is necessary for the purpose of implementing specific laws on foreign nationals.</blockquote>From a systematic point of view any legal basis under Article 6(1) GDPR constitutes an exemption to the general prohibition of data processing. As such, the exemption itself and all the wording it carries, including the "necessity" requirement, must be interpreted narrowly.<blockquote><u>Case Law:</u> In [[CJEU - C‑13/16 - Rīgas satiksme|C‑13/16 - ''Rīgas satiksme'']] on the use of personal data after a traffic accident the CJEU held: “''As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary''”.<ref>CJEU, Case C‑13/16, ''Rīgas satiksme'', 4 May 2017, margin number 30 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=190322&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3378015 here]).</ref> In joined Cases C‑92/09 and C‑93/09 ''- Volker und Markus Schecke and Eifert'' on a European law requiring the publication of recipients of agricultural subsidies the CJEU held that: "''limitations in relation to the protection of personal data must apply only in so far as is strictly necessary''".<ref>CJEU, Joined Cases C‑92/09 and C‑93/09, ''Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen'', paragraph 86, 9. November 2010 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=79163&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3378952 here]).</ref></blockquote>Despite the narrow interpretation of strict necessity, a controller is not prohibited from using personal data, just because there is a theoretical alternative that does not include the use of personal data, only realistic alternative must be considered. Processing that is "useful" but not objectively "necessary" is not covered and hence not allowed.  
The CJEU generally follows a concept of strict necessity and a narrow interpretation. In [[CJEU - C-524/06 - Huber|C‑524/06 - ''Huber'']] on a German central register to manage matters in relation to foreign nationals the CJEU held that the “''concept'' [of necessity] ''...has its own independent meaning in Community law and ... must be interpreted in a manner which fully reflects the objective of'' [Directive 95/46/EC]”.<ref>CJEU, Case C‑524/06, ''Huber'', 18 December 2008, margin number 52 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=76077&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3377266 here]).</ref> The CJEU held that such a register must not contain any information other than what is necessary for the purpose of implementing specific laws on foreign nationals.


For example [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en EDPB Guidelines 2/2019 on Article 6(1)(b)] have clarified that assessing what is "necessary" involves a factual analysis of the processing operations and their purpose(s) and whether less intrusive alternatives that achieve the same goal exist. If there are realistic, less intrusive processing operations, then the other more intrusive ones must be excluded – i.e. they are not "necessary" under EU law. Thus, Article 6(1)(b) does not “''cover processing which is useful but not objectively necessary for performing the contractual service''”.<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, 8 October 2019’ (Version 2.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref>  
From a systematic point of view any legal basis under Article 6(1) GDPR constitutes an exemption to the general prohibition of data processing. As such, the exemption itself and all the wording it carries, including the "necessity" requirement, must be interpreted narrowly.<blockquote>Regarding the use of personal data after a traffic accident the CJEU held:
{{Quote-CJEU|"As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary [...]"|CJEU - C-13/16 - Rīgas satiksme|30.}}
Regarding an European law requiring the publication of recipients of agricultural subsidies the CJEU held that:
{{Quote-CJEU|"[...] limitations in relation to the protection of personal data must apply only in so far as is strictly necessary [...]"|CJEU - Joined Cases C-92/09 and C-93/09 - Volker and Markus|86.}}
Regarding the handling of personal data in documents published in commercial registers, the CJEU elaborated:
{{Quote-CJEU|"That requirement of necessity is not met where the objective of general interest pursued can reasonably be achieved just as effectively by other means less restrictive of the fundamental rights of data subjects, in particular the rights to respect for private life and to the protection of personal data guaranteed in Articles 7 and 8 of the Charter, since derogations and limitations in relation to the principle of protection of such data must apply only in so far as is strictly necessary [...]"|CJEU - C-200/23 - Agentsia po vpisvaniyata|111.}}Regarding a sports federation's disclosure of its members personal data to third parties, namely, in this case, a company that sells sports products and a provider of casino games, for advertising or marketing purposes, in particular so that that company and provider may send advertising messages and special offers to those members,  the CJEU held:
 
{{Quote-CJEU|"[...] as regards the condition that such processing be necessary for the purposes of that interest and, in particular, the existence of means that are less restrictive of the fundamental rights and freedoms of data subjects and equally appropriate, it must be stated that it would, in particular, be possible for a sports federation [...], wishing to disclose its members’ personal data to third parties for consideration, to inform its members beforehand and to ask them whether they want their data to be transmitted to those third parties for advertising or marketing purposes.
 
[...]
 
That solution would make it possible for the members concerned, in accordance with the data minimisation principle referred to in paragraph 43 of the present judgment, to retain control over the disclosure of their personal data and thus to limit the disclosure of those data to what is in fact necessary and relevant in relation to the purposes for which those data are transmitted and processed [...]".|CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond|51 et seq.}}
 
Despite the narrow interpretation of strict necessity, a controller is not prohibited from using personal data, just because there is a theoretical alternative that does not include the use of personal data, only realistic alternative must be considered. Processing that is "useful" but not objectively "necessary" is not covered and hence not allowed.<ref>Bucher, Petri, DS-GVO BDSG, Article 6 GDPR, margin numbers 15 (C.H. Beck 2024, 4th Edition); Kastelitz; Hötzendorfer; Tschohl, in Knyrim, DatKomm, Article 6 GDPR, margin numbers 19 (Manz 2020).</ref></blockquote>For example [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en EDPB Guidelines 2/2019 on Article 6(1)(b)] have clarified that assessing what is "necessary" involves a factual analysis of the processing operations and their purpose(s) and whether less intrusive alternatives that achieve the same goal exist. If there are realistic, less intrusive processing operations, then the other more intrusive ones must be excluded – i.e. they are not "necessary" under EU law.<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, 8 October 2019’ (Version 2.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref>  
{{Quote-EDPB|"Article 6(1)(b) will not cover processing which is useful but not objectively necessary for performing the contractual service  or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes."|Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects', 8 October 2019 (Version 2.0), margin number 25.|4=https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en}}


==== (a) Consent ====
==== (a) Consent ====
Line 267: Line 289:
Like other rights, the right to data protection can be waived by the data subject, by providing consent to the processing of their personal data. Given that data subjects are usually the weaker party in any transaction,<ref>This includes limited economic powers, the lack of legal or technical training or the lack of alternative providers without similar data practices.</ref> the GDPR foresees a number of conditions that controllers have to comply with to obtain ''valid'' consent. This approach is very similar to other protections when fundamental rights are waived (e.g. gifting real estate may need the involvement of a notary, surgeries require detailed information and consent under Article 3(2) of the Charter). Compared to the waiver of other fundamental rights, consenting to data procession is has however become rather ubiquitous.
Like other rights, the right to data protection can be waived by the data subject, by providing consent to the processing of their personal data. Given that data subjects are usually the weaker party in any transaction,<ref>This includes limited economic powers, the lack of legal or technical training or the lack of alternative providers without similar data practices.</ref> the GDPR foresees a number of conditions that controllers have to comply with to obtain ''valid'' consent. This approach is very similar to other protections when fundamental rights are waived (e.g. gifting real estate may need the involvement of a notary, surgeries require detailed information and consent under Article 3(2) of the Charter). Compared to the waiver of other fundamental rights, consenting to data procession is has however become rather ubiquitous.


Consent is the most prominent legal basis, as it is the only one that data subjects are regularly confronted with. However, it is not the prime or even the most desirable legal basis. Typically consent is the "last option", as Article 6(1)(b) to (e) GDPR provide for a legal basis for most daily processing operations, without the need to seek consent.<blockquote><u>Example:</u> Josephine is the new data protection officer for an online shop. She realizes that the check-out page requires consent under Article 6(1)(a) to the processing of personal data for processing the payment and for delivering the products. As this is already covered by "necessary for the performance of a contract" under Article 6(1)(b), she removes this consent clause. This is not just more transparent for data subjects, as they are not tricked to believe that they can withdraw the consent, but it also makes the online form quicker to click through.</blockquote>Consent is regularly criticized in the legal literature and by the public. Criticism seems to be largely fed by bad consent ''practices'', but not necessarily by shortcomings of the letter of the law. If the conditions for consent are properly applied, it allows data subjects to exercise their right to informational self-determination. While it is correct that data subjects can be overwhelmed with these decisions, a liberal legal order requires that data subjects have agency over their rights, which includes waiving them. Given that Article 8(2) of the Charta explicitly foresees consent as one of the legal bases for data processing, consent is here to stay.<blockquote><u>EDPB Guidelines</u>: [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en Guidelines 5/2020 on consent under the GDPR] with detailed analysis by the authorities, see also [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-deceptive-design-patterns-social-media_en Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them] </blockquote>
Consent is the most prominent legal basis, as it is the only one that data subjects are regularly confronted with. However, it is not the prime or even the most desirable legal basis. Typically consent is the "last option", as Article 6(1)(b) to (e) GDPR provide for a legal basis for most daily processing operations, without the need to seek consent.<blockquote>{{Quote-example|Josephine is the new data protection officer for an online shop. She realizes that the check-out page requires consent under Article 6(1)(a) to the processing of personal data for processing the payment and for delivering the products. As this is already covered by "necessary for the performance of a contract" under Article 6(1)(b), she removes this consent clause. This is not just more transparent for data subjects, as they are not tricked to believe that they can withdraw the consent, but it also makes the online form quicker to click through.}}</blockquote>Consent is regularly criticized in the legal literature and by the public. Criticism seems to be largely fed by bad consent ''practices'', but not necessarily by shortcomings of the letter of the law. If the conditions for consent are properly applied, it allows data subjects to exercise their right to informational self-determination. While it is correct that data subjects can be overwhelmed with these decisions, a liberal legal order requires that data subjects have agency over their rights, which includes waiving them. Given that Article 8(2) of the Charta explicitly foresees consent as one of the legal bases for data processing, consent is here to stay.<blockquote>The EDPB provides highly relevant information in connection with the consent: [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en Guidelines 5/2020 on consent under the GDPR]. But also other, less specific guidelines and opinions by the EDPB touch the topic of consent and are therefore also quite relevant: see, inter alia,  [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-deceptive-design-patterns-social-media_en Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them] and [https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-082024-valid-consent-context-consent-or_en Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms].  </blockquote>


===== Joint reading of provisions =====
===== Joint reading of provisions =====
Line 281: Line 303:
There is a slightly different concept of "''explicit consent''" in [[Article 9 GDPR|Articles 9(1)(a)]], [[Article 22 GDPR|22(2)(c)]] and [[Article 49 GDPR|49(1)(a)]] GDPR. See the commentary on [[Article 9 GDPR|Article 9(1)(a) GDPR]] for explicit consent.
There is a slightly different concept of "''explicit consent''" in [[Article 9 GDPR|Articles 9(1)(a)]], [[Article 22 GDPR|22(2)(c)]] and [[Article 49 GDPR|49(1)(a)]] GDPR. See the commentary on [[Article 9 GDPR|Article 9(1)(a) GDPR]] for explicit consent.
=====Capacity=====
=====Capacity=====
Generally, consent must be given directly by the data subject or a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> National law determines if a data subject lacks the legal capacity to make legally binding declarations.  
Generally, consent must be given directly by the data subject or a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> National law determines if a data subject lacks the legal capacity to make legally binding declarations, including declarations under the GDPR.  


In the case of minors acting in the context of an "information society service", [[Article 8 GDPR|Article 8(1) GDPR]] provides a minimum age of 16 while Member States may not reduce that age limit to below 13. There is currently no rule in the GDPR about the age for consent if no "information society service" is involved, including any offline context.
In the case of minors acting in the context of an "information society service", [[Article 8 GDPR|Article 8(1) GDPR]] provides a minimum age of 16 year. Member States may reduce that age limit - but not below 13 year. There is currently no rule in the GDPR about the age for consent outside of "information society services". This means there is also no rules in the GDPR for the age of consent in any offline context.
=====Freely given=====
=====Freely given=====
Consent has to be freely given, which means that the data subjects must have the option to freely and genuinely choose to say "yes" to the processing of their personal data. Just like other legally relevant declaration, consent is void if the data subject was for example physically forced to consent. However, the notion of "freely given" is much broader under Article 6(1)(4) GDPR, as illustrated by the rules in [[Article 4 GDPR|Articles 4(11)]], [[Article 7 GDPR|7]] or [[Article 8 GDPR|8]] GDPR, as well as Recital 43. If consent is "freely given" under the GDPR requires a wholistic and also economic analysis of the options for a data subject. The wholistic approach should lead to better results than previous approaches, but also uses vaguer concepts.  
Consent has to be freely given, which means that the data subjects must have the option to freely and genuinely choose to say "yes" to the processing of their personal data. Just like other legally relevant declaration, consent is void if the data subject was for example physically forced to consent. However, the notion of "freely given" is much broader under Article 6(1)(4) GDPR, as illustrated by the rules in [[Article 4 GDPR|Articles 4(11)]], [[Article 7 GDPR|7]] or [[Article 8 GDPR|8]] GDPR, as well as Recital 43. If consent is "freely given" under the GDPR requires a holistic and also economic analysis of the options for a data subject. The wholistic approach should lead to better results than previous approaches, but also uses vaguer concepts.  


====== Power imbalance ======
====== Power imbalance ======
Line 292: Line 314:
*Employer-employee-relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref>
*Employer-employee-relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref>
*Use of major digital services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref>, for example because of a "network effect".<ref>Communication networks often require all parties to use the same system - making a switch very difficult for single users. See ''Bucher/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 7 GDPR, margin number 53a (C.H. Beck 2020).</ref>
*Use of major digital services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref>, for example because of a "network effect".<ref>Communication networks often require all parties to use the same system - making a switch very difficult for single users. See ''Bucher/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 7 GDPR, margin number 53a (C.H. Beck 2020).</ref>
In other words, employers, governments or companies (especially those with a dominant market position) will typically be able to force data subjects to consent against their true wishes. In this perspective, Recital 43 GDPR highlights that if there is a "''clear imbalance between the data subject and the controller''" consent should not be considered a valid legal basis for the processing.<ref>Recital 43 sentence 1 GDPR.</ref><blockquote><u>Example:</u> A sales representative has to "consent" that his mobile phone is tracked to ensure that he does not cheat on his time sheet and does not use the company car for private trips. Obviously the employee will be able to challenge the consent, if he only agreed to keep his job.</blockquote>
In other words, employers, governments or companies (especially those with a dominant market position) will typically be able to force data subjects to consent against their true wishes. In this perspective, Recital 43 GDPR highlights that if there is a "''clear imbalance between the data subject and the controller''" consent should not be considered a valid legal basis for the processing.<ref>Recital 43 sentence 1 GDPR.</ref><blockquote>{{Quote-example|A sales representative has to "consent" that his mobile phone is tracked to ensure that he does not cheat on his time sheet and does not use the company car for private trips. Obviously the employee will be able to challenge the consent, if he only agreed to keep his job.}}</blockquote>


====== Conditional consent ======
====== Conditional consent ======
Recital 43 and [[Article 7 GDPR|Article 7(4) GDPR]] further deal with the situation of "bundled consent", i.e. when the performance of a contract is made conditional on consent. While such bundled consent is not automatically void, the law requires that "''utmost account shall be taken''" if the provision of a contract is made conditional on consent.<blockquote><u>Example:</u> An app that costs € 1,99 per month requires that any new users agree to the terms and conditions when singing up. On the next screen the users must also consent to the sharing of their personal data with third parties for advertisement reasons. The use of personal data is not necessary for using the app. Necessary processing to use the core functions of the app can however be based on Article 6(1)(b) GDPR. </blockquote>For further indications on the issue of bundled consent and the criteria to assess the freely given requirement, see [[Article 7 GDPR|Article 7(4) GDPR]].
Recital 43 and [[Article 7 GDPR|Article 7(4) GDPR]] further deal with the situation of "bundled consent", i.e. when the performance of a contract is made conditional on consent. While such bundled consent is not automatically void, the law requires that "''utmost account shall be taken''" if the provision of a contract is made conditional on consent.<blockquote>{{Quote-example|An app that costs € 1,99 per month requires that any new users agree to the terms and conditions when singing up. On the next screen the users must also consent to the sharing of their personal data with third parties for advertisement reasons. The use of personal data is not necessary for using the app. Necessary processing to use the core functions of the app can however be based on Article 6(1)(b) GDPR.}}</blockquote>For further indications on the issue of bundled consent and the criteria to assess the freely given requirement, see [[Article 7 GDPR|Article 7(4) GDPR]].
=====Informed=====
=====Informed=====
Consent must be informed. This is especially challenging in highly complex technological environments. As controller may have the technical, practical and legal knowledge to understand the relevant processing information and take months or years to develop this understanding, while an average data subject may not have any relevant education or knowledge but most make a choice within seconds or at best minutes. Under the GDPR, the controller must overcome this information asymmetry to get valid consent.  
Consent must be informed. This is especially challenging in highly complex technological environments. As controller may have the technical, practical and legal knowledge to understand the relevant processing information and take months or years to develop this understanding, while an average data subject may not have any relevant education or knowledge but most make a choice within seconds or at best minutes. Under the GDPR, the controller must overcome this information asymmetry to get valid consent.  
Line 308: Line 330:
Consent should be sought using clear and plain language and be provided in an intelligible and easily accessible form.<ref>See Articles 5(1)(a) and 7(2) GDPR and Recital 42.</ref> Especially euphemisms and wording that is more inspired by marketing than the facts is not clear. Equally, overly legal and technical descriptions are not clear and plain either.
Consent should be sought using clear and plain language and be provided in an intelligible and easily accessible form.<ref>See Articles 5(1)(a) and 7(2) GDPR and Recital 42.</ref> Especially euphemisms and wording that is more inspired by marketing than the facts is not clear. Equally, overly legal and technical descriptions are not clear and plain either.


Under [[Article 7 GDPR|Article 7(2) GDPR]] information to the data subject in the moment of consent under Article 6(1)(a) must be distinguished from any other matter. Just adding a link to the very broad information that needs to be provided under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14]] GDPR is therefore not leading to valid consent. Simply linking to a lengthy privacy policy is also not making information "''easily accessible''", as data subjects will hardly find the relevant information needed to make a decision on the specific processing that is based on consent.<blockquote><u>Common Misunderstanding:</u> A mere confirmation that users "agree to the privacy policy" is in most cases not easily accessible, if the privacy policy usually concerns a lot of additional information and is not limited to only processing under Article 6(1)(a) GDPR. If the privacy policy also concerns multiple processing operations such cases consent is also not "specific" (see below).</blockquote>Overall the controller has the (sometimes difficult) task to explain the use of personal data in a short, clear and plain way, without using overly technical or legal jargon, so that an average data subjects have a clear understanding of what they should consent to.  
Under [[Article 7 GDPR|Article 7(2) GDPR]] information to the data subject in the moment of consent under Article 6(1)(a) must be distinguished from any other matter. Just adding a link to the very broad information that needs to be provided under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14]] GDPR is therefore not leading to valid consent. Simply linking to a lengthy privacy policy is also not making information "''easily accessible''", as data subjects will hardly find the relevant information needed to make a decision on the specific processing that is based on consent.<blockquote>{{Quote-common-mistake|A mere confirmation that users "agree to the privacy policy" is in most cases not easily accessible, if the privacy policy usually concerns a lot of additional information and is not limited to only processing under Article 6(1)(a) GDPR. If the privacy policy also concerns multiple processing operations such cases consent is also not "specific" (see below).}}</blockquote>Overall the controller has the (sometimes difficult) task to explain the use of personal data in a short, clear and plain way, without using overly technical or legal jargon, so that an average data subjects have a clear understanding of what they should consent to.  


=====Specific=====
=====Specific=====
In accordance with the principle of transparency from [https://gdprhub.eu/index.php%3Ftitle=Article_5_GDPR Article 5(1)(b) GDPR] consent must be provided for specific and legitimate purposes. When the processing has multiple purposes, consent should be given for all of them separately.<ref>Recital 32 sentences 5, 6 GDPR.</ref> A blanket consent to all kinds of purposes is therefore not valid. For example, "''I agree to the processing of my data for advertisement, product improvement and the sharing with business partners''" is not specific and therefore invalid.<blockquote><u>Example:</u> An online shop has a checkout page, where users must "consent to the use of your data for marketing, the transfer to non-EU providers and the sparing of data with partners". Any consent to these three purposes, would usually fail the "specific" element required for consent. Equally, just naming "partners" is likely not specific enough if there are specific known recipients.</blockquote>The principle of specificity of consent in [[Article 4 GDPR|Article 4(11) GDPR]] is confirmed by Article 6(1)(a) which requires consent to be given for “''for one or more specific purposes”.'' This seems in line with the case law of the Court of Justice of the EU, according to which consent must refer to specific processing activities, clearly identified, <ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin number 58-60 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> also in order to allow the user to effectively understand the operations being carried out.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]). This reading seems to be confirmed by ''Bucher, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 20 (C.H. Beck 2020).</ref>
In accordance with the principle of transparency from [https://gdprhub.eu/index.php%3Ftitle=Article_5_GDPR Article 5(1)(b) GDPR] consent must be provided for specific and legitimate purposes. When the processing has multiple purposes, consent should be given for all of them separately.<ref>Recital 32 sentences 5, 6 GDPR.</ref> A blanket consent to all kinds of purposes is therefore not valid. For example, "''I agree to the processing of my data for advertisement, product improvement and the sharing with business partners''" is not specific and therefore invalid.<blockquote>{{Quote-example|An online shop has a checkout page, where users must "consent to the use of your data for marketing, the transfer to non-EU providers and the sharing of data with partners". Any consent to these three purposes, would usually fail the "specific" element required for consent. Equally, just naming "partners" is likely not specific enough if there are specific known recipients.}}</blockquote>The principle of specificity of consent in [[Article 4 GDPR|Article 4(11) GDPR]] is confirmed by Article 6(1)(a) which requires consent to be given for “''for one or more specific purposes”.'' This seems in line with the case law of the Court of Justice of the EU, according to which consent must refer to specific processing activities, clearly identified, <ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin number 58-60 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> also in order to allow the user to effectively understand the operations being carried out.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]). This reading seems to be confirmed by ''Bucher, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 20 (C.H. Beck 2020).</ref>
=====Unambiguous=====
=====Unambiguous=====
Consent must be given unambiguously in the form of clear and affirmative action, however no specific form is required. Consent must be an unambiguous act, including any oral, written or other form of signifying the agreement to have personal data processed.<ref>Recital 32 sentence 1 GDPR.</ref> In a digital environment consent is typically given by checking a box ("opt-in"), choosing technical settings that indicate the data subject’s acceptance of the proposed processing or clicking a button.<ref>Recital 32 sentence 2 GDPR.</ref> <blockquote><u>Example:</u> At a wedding, the photographer asks a group to stand underneath the tree if they want to be on the picture, which will go to the couple"s wedding website. Marcel and Alex make their way underneath the tree and waive at the camera. They have given unambiguous consent.</blockquote>Conversely, silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed through recent case law by the Court of Justice where a pre-checked checkbox which the user had to deselect in order to refuse their consent cannot show any active behaviour.<ref name=":0">CJEU, C‑673/17, Planet49, 1 October 2019, margin number 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Similarly, actions which are not clearly affirmative include the simple use of a webpage. A user may simply ignore that a webpage uses data in a certain way. This ambiguity extends to assigning certain actions a legal meaning through a disclaimer (e.g. "''by using our webpage you agree to X''"). Accordingly, it is in practice impossible to ascertain whether a user had actually given their consent by not deselecting the pre-ticked checkbox or had just not noticed the information provided.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref> <blockquote><u>Case Law:</u> In [[CJEU - C-673/17 - Planet49|C‑673/17 - ''Planet49'']] a pre-checked checkbox which the data subject had to deselect in order to refuse their consent was not seen as valid consent, because not deactivating the box cannot be seen as active behaviour.<ref name=":0" /></blockquote>
Consent must be given unambiguously in the form of clear and affirmative action, however no specific form is required. Consent must be an unambiguous act, including any oral, written or other form of signifying the agreement to have personal data processed.<ref>Recital 32 sentence 1 GDPR.</ref> In a digital environment consent is typically given by checking a box ("opt-in"), choosing technical settings that indicate the data subject’s acceptance of the proposed processing or clicking a button.<ref>Recital 32 sentence 2 GDPR.</ref> <blockquote>{{Quote-example|At a wedding, the photographer asks a group to stand underneath the tree if they want to be on the picture, which will go to the couple"s wedding website. Marcel and Alex make their way underneath the tree and waive at the camera. They have given unambiguous consent.}}</blockquote>Conversely, silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed through recent case law by the CJEU where a pre-checked checkbox which the user had to deselect in order to refuse their consent cannot show any active behaviour.<ref name=":0">CJEU, C‑673/17, Planet49, 1 October 2019, margin number 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Similarly, actions which are not clearly affirmative include the simple use of a webpage. A user may simply ignore that a webpage uses data in a certain way. This ambiguity extends to assigning certain actions a legal meaning through a disclaimer (e.g. "''by using our webpage you agree to X''"). Accordingly, it is in practice impossible to ascertain whether a user had actually given their consent by not deselecting the pre-ticked checkbox or had just not noticed the information provided.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref> <blockquote>{{Quote-CJEU|"[T]he data subject’s consent may make such processing lawful provided that the data subject has given his or her consent ‘unambiguously’. Only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement.
 
 
[…]
 
 
In that regard, it would appear impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox nor, in any event, whether that consent had been informed. It is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited."|CJEU - C-673/17 - Planet49|54 et seq}}
</blockquote>


=====Withdrawal=====
=====Withdrawal=====
Consent can be withdrawn at any time. Withdrawing of consent shall be as easy as it was giving it. The controller has to inform the data subject on the possibility to withdraw consent prior to the processing. For further information, see the commentary on [https://gdprhub.eu/index.php%3Ftitle=Article_7_GDPR Article 7(3) GDPR].<blockquote><u>Example:</u> An fitness app allows customers to opt-in to share their sports data online with a simple button. To stop the online sharing, the app requires sending an email to the app provider, including the app ID and a verification that the sender is actually the data subject.</blockquote>
Consent can be withdrawn at any time. Withdrawing of consent shall be as easy as it was giving it. The controller has to inform the data subject on the possibility to withdraw consent prior to the processing. For further information, see the commentary on [https://gdprhub.eu/index.php%3Ftitle=Article_7_GDPR Article 7(3) GDPR].<blockquote>{{Quote-example|An fitness app allows customers to opt-in to share their sports data online with a simple button. To stop the online sharing, the app requires sending an email to the app provider, including the app ID and a verification that the sender is actually the data subject.}}</blockquote>


===== Duty to demonstrate consent =====
===== Duty to demonstrate consent =====
[[Article 7 GDPR|Article 7(1) GDPR]] further requires that a controller can demonstrate that the data subject has given consent. This goes beyond the mere burden of proof under Article 6(1)(a) GDPR and [[Article 5 GDPR|Article 5(2) GDPR]] and requires appropriate documentation or other options to demonstrate consent, like documentation that technical measures were in place, requiring clicking a check-box before proceeding.<blockquote><u>EDPB Guidelines:</u> on this provision there are [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en EDPB Guidelines 05/2020 on consent under Regulation 2016/679]</blockquote>
[[Article 7 GDPR|Article 7(1) GDPR]] further requires that a controller can demonstrate that the data subject has given consent. This goes beyond the mere burden of proof under Article 6(1)(a) GDPR and [[Article 5 GDPR|Article 5(2) GDPR]] and requires appropriate documentation or other options to demonstrate consent, like documentation that technical measures were in place, requiring clicking a check-box before proceeding.
 
{{Quote-EDPB|"For instance, the controller may keep a record of consent statements received, so he can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time shall be demonstrable. The controller shall also be able to show that the data subject was informed and the controller´s workflow met all relevant criteria for a valid consent. The rationale behind this obligation in the GDPR is that controllers must be accountable with regard to obtaining valid consent from data subjects and the consent mechanisms they have put in place. For example, in an online context, a controller could retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time. It would not be sufficient to merely refer to a correct configuration of the respective website."|EDPB, 'Guidelines 05/2020 on consent under Regulation 2016/679', 4 May 2020 (Version 1.1), margin number 108.|4=https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf}}


==== (b) Contract ====
==== (b) Contract ====
Most daily business requires rather simple and foreseeable processing of personal data. To ensure that these standard processing operations are not limited and do not need the data subject"s consent, Article 6(1)(b) GDPR legalizes these processing operations by law. <blockquote><u>Example:</u> A data subject buys a product in an online shop. To perform this contract the controller may need to process the data subject"s credit card details. The details may be transferred to financial institutions for payment purposes. The buyer’s name and physical address can be shared with the shipment service for product delivery. </blockquote>While contract and consent must be clearly separated, Article 6(1)(b) GDPR is usually also based on a (civil law) agreement of the data subject and therefore related to the notion of informational self-determination.<ref>Scholars suggest that, together with consent ([https://gdprhub.eu/index.php%3Ftitle=Article_6_GDPR Article 6(1)(a) GDPR]), contract is the only legal basis covered by [https://gdprhub.eu/index.php%3Ftitle=Article_6_GDPR Article 6] in which processing is based on the data subject's will. A direct will in the case of consent, and indirect in the case of contract (by agreeing to the Terms). See ''Resta'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 6 GDPR p. 69 (Wolters Kluwer 2018), which, in turn, refers to Pelino, Bistolfi, Bolognini, Il regolamento privacy europeo (Giuffrè 2018).</ref>
Most daily business requires rather simple and foreseeable processing of personal data. To ensure that these standard processing operations are not limited and do not need the data subject"s consent, Article 6(1)(b) GDPR legalizes these processing operations by law. <blockquote>{{Quote-example|A data subject buys a product in an online shop. To perform this contract the controller may need to process the data subject"s credit card details. The details may be transferred to financial institutions for payment purposes. The buyer’s name and physical address can be shared with the shipment service for product delivery.}}</blockquote>While contract and consent must be clearly separated, Article 6(1)(b) GDPR is usually also based on a (civil law) agreement of the data subject and therefore related to the notion of informational self-determination.<ref>Scholars suggest that, together with consent ([https://gdprhub.eu/index.php%3Ftitle=Article_6_GDPR Article 6(1)(a) GDPR]), contract is the only legal basis covered by [https://gdprhub.eu/index.php%3Ftitle=Article_6_GDPR Article 6] in which processing is based on the data subject's will. A direct will in the case of consent, and indirect in the case of contract (by agreeing to the Terms). See ''Resta'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 6 GDPR p. 69 (Wolters Kluwer 2018), which, in turn, refers to Pelino, Bistolfi, Bolognini, Il regolamento privacy europeo (Giuffrè 2018).</ref>


The EDPB has issued its [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR] with a detailed analysis of Article 6(1)(b) GDPR.  
The EDPB has issued [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR] with a detailed analysis of Article 6(1)(b) GDPR.  


===== Necessary =====
===== Necessary =====


General information on necessity can be found above under the overview on Article 6(1) under "necessity". The concept of necessity means that processing must be limited to what is strictly necessary. This does not mean that only indispensable processing is allowed. Unreasonable alternatives are not taken into account, but merely "useful" additional processing is not "necessary"<blockquote><u>Example:</u> A gym that is requesting core information from customers (e.g. name, address) can use the "necessary" for the performance of a contract clause. However, the use of entry and exit data to measure the use of the gym is only "necessary" under the contract if the gym is paid per entry, not per month. There may be other legal basis to process such data, but it is not "necessary" under the contract.</blockquote>
General information on necessity can be found above under the overview on Article 6(1) under "necessity". The concept of necessity means that processing must be limited to what is strictly necessary. This does not mean that only indispensable processing is allowed. Unreasonable alternatives are not taken into account, but merely "useful" additional processing is not "necessary"<blockquote>{{Quote-example|A gym that is requesting core information from customers (e.g. name, address) can use the "necessary" for the performance of a contract clause. However, the use of entry and exit data to measure the use of the gym is only "necessary" under the contract if the gym is paid per entry, not per month. There may be other legal basis to process such data, but it is not "necessary" under the contract.}}</blockquote>
Usually most contracts are imposed by the controller, not the data subject. If a controller could arbitrarily add elements to the scope of its contracts as to make any processing activity "necessary", then the reference to "necessity" itself would become useless (and contracts would become, indeed, a tool to bypass e.g the requirement to ask for valid consent under Article 6(1)(a) for any where there is no other legal basis. <blockquote><u>Case Law:</u> In it"s [[EDPB - Binding Decision 3/2022 - 'Meta (Facebook)'|Binding Decision 3/2021 on Meta (Facebook)]] the EDPB held that adding elements in terms and conditions that are aimed at making behavioral advertisement do not make the "necessary" under Article 6(1)(b) GDPR, as the core contract has to be determined not by artificially added elements, but by the expectations of data subject. In the case of Facebook, data subjects mainly see this as a communication tool.</blockquote>In practice, the assessment should be driven by questions such as: what is the nature of the service being provided to the data subject? What are its distinguishing characteristics in the view of an average data subject? What is the exact rationale of the contract (i.e. its substance and fundamental object) and essential elements? What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 10 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref><blockquote><u>Common Misunderstanding:</u> Just because processing is related to a contract, or merely useful for the performance of a contract, does not mean that it is strictly necessary for the performance of a contract.</blockquote>
Usually most contracts are imposed by the controller, not the data subject. If a controller could arbitrarily add elements to the scope of its contracts as to make any processing activity "necessary", then the reference to "necessity" itself would become useless (and contracts would become, indeed, a tool to bypass e.g the requirement to ask for valid consent under Article 6(1)(a) for any where there is no other legal basis. <blockquote>In it"s [[EDPB - Binding Decision 3/2022 - 'Meta (Facebook)'|Binding Decision 3/2021 on Meta (Facebook)]] the EDPB held that adding elements in terms and conditions that are aimed at making behavioural advertisement do not make the "necessary" under Article 6(1)(b) GDPR, as the core contract has to be determined not by artificially added elements, but by the expectations of data subject. In the case of Facebook, data subjects mainly see this as a communication tool.
{{Quote-EDPB|"[R]egard should be given to the particular aim, purpose, or objective of the service and, for applicability of Article 6(1)(b) GDPR, it is required that the processing is objectively necessary for a purpose and integral to the delivery of that contractual service to the data subject.
 
 
[…]
 
 
Moreover, the EDPB notes that the controller should be able to justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not only on the controller’s perspective, but also on a reasonable data subject’s perspective when entering into the contract.
 
 
[…]
 
 
The fact that the [controller’s] Terms of Service do not provide for any contractual obligation binding [the controller] to offer personalised advertising to the [controller’s] users and any contractual penalty if [the controller] fails to do so shows that, at least from the perspective of the [controller’s] user, this processing is not necessary to perform the contract. Providing personalised advertising to its users may be an obligation between [the controller] and the specific advertisers that pay for [the controller’s] targeted display of their advertisements in the [controller’s] service to [the controller’s] users, but it is not presented as an obligation towards the [controller’s] users."|EDPB, 'Adopted Binding Decision 3/2022 on the dispute submitted by the
Irish SA on Meta Platforms Ireland Limited and its Facebook service (Art. 65 GDPR)', 5 December 2022, margin number 112, 113 and 118.|4=https://gdprhub.eu/index.php?title=EDPB_-_Binding_Decision_3/2022_-_%27Meta_(Facebook)%27}}</blockquote>In practice, the assessment should be driven by questions such as: what is the nature of the service being provided to the data subject? What are its distinguishing characteristics in the view of an average data subject? What is the exact rationale of the contract (i.e. its substance and fundamental object) and essential elements? What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 10 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref><blockquote>{{Quote-common-mistake|Just because processing is related to a contract, or merely useful for the performance of a contract, does not mean that it is strictly necessary for the performance of a contract.}}</blockquote>


===== Existence of a valid contract =====
===== Existence of a valid contract =====
A contract under Article 6(1)(b) GDPR must be valid.<ref>''Heberlein'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 13 (C.H.Beck 2018, 2nd Edition 2018).</ref> Void contracts cannot serve as a legal basis under Article 6(1)(b) GDPR.<ref>''Bucher, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 31 ( C.H. Beck 2020, 3<sup>rd</sup> Edition).</ref>  
A contract under Article 6(1)(b) GDPR must be valid.<ref>''Heberlein'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 13 (C.H.Beck 2018, 2nd Edition 2018).</ref> Void contracts cannot serve as a legal basis under Article 6(1)(b) GDPR.<ref>''Bucher, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 31 ( C.H. Beck 2020, 3<sup>rd</sup> Edition).</ref>  


It is a matter of applicable contract law if a specific contract or clause is valid. While some contractual elements are regulated on a European level (for example the minimum requirements under the [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31993L0013 Unfair Terms Directive 93/13/EEC] for terms and conditions), civil law is generally a matter of each Member State. Especially in the consumer context, a contract may be subject to the laws of the Member State where each consumer resides (see e.g. Articles 17 to 19 of the [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012P/TXT&from=EN#d1e68-393-1 Brussles-Ia Regulation (EU) No 1215/2012]).<blockquote><u>Example:</u> A Spanish controller and a French consumer concluded a contract that would be valid in Spain, but is void under the applicable French law. The lack of any valid contract means there is also no legal basis under Article 6(1)(b) GDPR.</blockquote>However, certain contractual defects seem to be common to many European legal traditions: for example, intention, misrepresentation and duress. However, beyond such standard cases there are circumstances in which a breach does not necessarily lead to a contract being void, but only allows contract partners to successfully challenge the contract.   
It is a matter of applicable contract law if a specific contract or clause is valid. While some contractual elements are regulated on a European level (for example the minimum requirements under the [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31993L0013 Unfair Terms Directive 93/13/EEC] for terms and conditions), civil law is generally a matter of each Member State. Especially in the consumer context, a contract may be subject to the laws of the Member State where each consumer resides (see e.g. Articles 17 to 19 of the [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012P/TXT&from=EN#d1e68-393-1 Brussles-Ia Regulation (EU) No 1215/2012]).<blockquote>{{Quote-example|A Spanish controller and a French consumer concluded a contract that would be valid in Spain, but is void under the applicable French law. The lack of any valid contract means there is also no legal basis under Article 6(1)(b) GDPR.}}</blockquote>However, certain contractual defects seem to be common to many European legal traditions: for example, intention, misrepresentation and duress. However, beyond such standard cases there are circumstances in which a breach does not necessarily lead to a contract being void, but only allows contract partners to successfully challenge the contract.   


The EDPB [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en Guidelines 2/2019] have clarified that these rules must be taken into account in assessing the validity of a national contract: “''contracts and contractual terms must comply with'' […] ''consumer protection laws in order for processing based on those terms to be considered fair and lawful''”.<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 5 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref> In conclusion, in order to understand whether a contract is valid or not, a controller must first identify the applicable law and, second, verify whether the contract is valid under that law (including any applicable EU law).  
The EDPB [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en Guidelines 2/2019] have clarified that these rules must be taken into account in assessing the validity of a national contract: “''contracts and contractual terms must comply with'' […] ''consumer protection laws in order for processing based on those terms to be considered fair and lawful''”.<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 5 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref> In conclusion, in order to understand whether a contract is valid or not, a controller must first identify the applicable law and, second, verify whether the contract is valid under that law (including any applicable EU law).  


===== Prior to entering into a contract =====
===== Prior to entering into a contract =====
Under Article 6(1)(b) GDPR, data processing may also be lawful in pre-contractual situations at the request of the data subject.<blockquote><u>Example:</u> A data subject asks a sales representative for curtains to send information on their products and to schedule an appointment at the data subject"s house. The parties have not (yet) formed a contract, but the sales representative may use the data subject"s details to the extent that this is necessary for the pre-contractual steps.</blockquote>EDPB [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en Guidelines 2/2019] point out that “''this provision would not cover unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party''”.<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 13 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref>
Under Article 6(1)(b) GDPR, data processing may also be lawful in pre-contractual situations at the request of the data subject.<blockquote>{{Quote-example|A data subject asks a sales representative for curtains to send information on their products and to schedule an appointment at the data subject"s house. The parties have not (yet) formed a contract, but the sales representative may use the data subject"s details to the extent that this is necessary for the pre-contractual steps.}}{{Quote-EDPB|"[W]here a data subject contacts the controller to enquire about the details of the controller’s service offerings, the processing of the data subject’s personal data for the purpose of responding to the enquiry can be based on Article 6(1)(b).
 
 
[...]
 


[T]his provision would not cover unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party."|EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), margin number 46 et seq.|4=https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf}}</blockquote>
===== End of contract =====
===== End of contract =====
Where the processing is based on the performance of a contract, the end of such a contract (e.g. in the case of fulfillment or termination) makes this legal basis vanish, the processing of personal data under Article 6(1)(b) GDPR is no longer allowed. As the controller typically still needs to process personal data after a contract is fulfilled or terminated, the same data can be still be processed for other legal purposes.<blockquote><u>Example:</u> Already the privacy policy of the controller included that the relevant personal data is not only processed for the performance of the contract, but also compliance with a legal obligations under Article 6(1)(c) GDPR (e.g. tax records) and the establishment, exercise or defense of legal claims under Article 6(1)(f) GDPR (e.g. to manage guarantee claims and alike). </blockquote>You can find more information on such other legal basis in the commentary on Article 6(1)(c) to (f) below.<blockquote><u>EDPB Guidelines:</u> On this provision there are the [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-062020-interplay-second-payment-services_en EDPB Guidelines  06/2020 on the interplay of the Second Payment Services Directive and the GDPR]
Where the processing is based on the performance of a contract, the end of such a contract (e.g. in the case of fulfillment or termination) makes this legal basis vanish, the processing of personal data under Article 6(1)(b) GDPR is no longer allowed. As the controller typically still needs to process personal data after a contract is fulfilled or terminated, the same data can be still be processed for other legal purposes.<blockquote>{{Quote-example|Already the privacy policy of the controller included that the relevant personal data is not only processed for the performance of the contract, but also compliance with a legal obligations under Article 6(1)(c) GDPR (e.g. tax records) and the establishment, exercise or defence of legal claims under Article 6(1)(f) GDPR (e.g. to manage guarantee claims and alike).}}</blockquote>You can find more information on such other legal basis in the commentary on Article 6(1)(c) to (f) below.<blockquote><u>EDPB Guidelines:</u> On this provision there are the [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-062020-interplay-second-payment-services_en EDPB Guidelines  06/2020 on the interplay of the Second Payment Services Directive and the GDPR]; and [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects]</blockquote>
<u>EDPB Guidelines:</u> on this provision there are the [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects]</blockquote>


==== (c) Legal obligation ====
==== (c) Legal obligation ====
The GDPR recognises that under many European and Member State"s laws controllers may be obliged to collect, store, and otherwise process personal information. Under Article 6(1)(c), such processing operations are considered lawful if they are necessary to fulfil these obligations. <blockquote><u>Example:</u> An employer processes personal data for social insurance purposes or under a duty to document compliance with workers" rights. A bank keeps records and shares them with authorities under money laundering legislation. A company keeps all relevant financial information under a duty to keep documentation on paid taxes for a certain number of years.</blockquote>
 
The GDPR recognises that under many European and Member State"s laws controllers may be obliged to collect, store, and otherwise process personal information. Under Article 6(1)(c), such processing operations are considered lawful if they are necessary to fulfil these obligations. <blockquote>{{Quote-example|An employer processes personal data for social insurance purposes or under a duty to document compliance with workers' rights. A bank keeps records and shares them with authorities under money laundering legislation. A company keeps all relevant financial information under a duty to keep documentation on paid taxes for a certain number of years.}}</blockquote>


===== Necessary =====
===== Necessary =====
Line 352: Line 402:


===== Compliance with a legal obligation =====
===== Compliance with a legal obligation =====
The legal obligation must originate directly from the law. ‘Member State law’ refers to all material law of that Member State.<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 197 (C.H. Beck 2020, 3rd Edition).</ref> It may not result from a contractual arrangement,<ref>WP29, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 844/14/EN, 9 April 2014, p. 19 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf here]).</ref> non-binding government requests or any form of "guidelines" or "best practice documents" and like that do not have the force of law. It is a matter of the national constitutional law to determine what constitutes obligations with the force of law. In some Member States this may include secondary legislation (e.g. "statutory instruments" or ministerial "directives"), local laws or ordinances, all the way to collective bargaining agreements that are given the force of law in some Member States.<ref>See for example § 11 Austrian '''Arbeitsverfassungsgesetz''<nowiki/>' (ArbVG)</ref><blockquote><u>Example:</u> A controller gets a request from the police to disclose certain information. The police says it has a right to get that information. Once the controller takes a closer look, it turns out that under applicable national law, the police may ask the controller for such information and hope for their voluntary support, but the controller has no obligation to comply with this request. The controller cannot share the information under Article 6(1)(c) GDPR, as there is no "legal obligation".</blockquote>Article 6(1)(c) GDPR only covers "obligations" under national law, meaning regulations that ''require'' a certain processing operation. Article 6(1)(c) does not cover situations where the law ''permits'' certain conduct or processing operations. In certain cases, there may however be options to use Article 6(1)(f) GDPR to process personal data.
The legal obligation must originate directly from the law. ‘Member State law’ refers to all material law of that Member State.<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 197 (C.H. Beck 2020, 3rd Edition).</ref> It may not result from a contractual arrangement,<ref>WP29, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 844/14/EN, 9 April 2014, p. 19 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf here]).</ref> non-binding government requests or any form of "guidelines" or "best practice documents" and like that do not have the force of law. It is a matter of the national constitutional law to determine what constitutes obligations with the force of law. In some Member States this may include secondary legislation (e.g. "statutory instruments" or ministerial "directives"), local laws or ordinances, all the way to collective bargaining agreements that are given the force of law in some Member States.<ref>See for example § 11 Austrian '''Arbeitsverfassungsgesetz''<nowiki/>' (ArbVG)</ref><blockquote>{{Quote-example|A controller gets a request from the police to disclose certain information. The police says it has a right to get that information. Once the controller takes a closer look, it turns out that under applicable national law, the police may ask the controller for such information and hope for their voluntary support, but the controller has no obligation to comply with this request. The controller cannot share the information under Article 6(1)(c) GDPR, as there is no "legal obligation".}}</blockquote>Article 6(1)(c) GDPR only covers "obligations" under national law, meaning regulations that ''require'' a certain processing operation. Article 6(1)(c) does not cover situations where the law ''permits'' certain conduct or processing operations. In certain cases, there may however be options to use Article 6(1)(f) GDPR to process personal data.


The legal provision which defines the legal obligations for the controller does not need to be specific to each individual processing. It must, however, be sufficiently clear, precise and foreseeable and, in particular, define the purposes of the processing.<ref>''Heberlein'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 15 (C.H. Beck 2018, 2nd Edition).</ref> Processing that goes beyond these legal obligations is not lawful under this provision. Any obligation to process data under another law must itself be proportionate (Article 7 and 8 EU Charter of Fundamental Rights) and in compliance with Article 6(2) and (3) GDPR.
The legal provision which defines the legal obligations for the controller does not need to be specific to each individual processing. It must, however, be sufficiently clear, precise and foreseeable and, in particular, define the purposes of the processing.<ref>''Heberlein'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 15 (C.H. Beck 2018, 2nd Edition).</ref> Processing that goes beyond these legal obligations is not lawful under this provision. Any obligation to process data under another law must itself be proportionate (Article 7 and 8 EU Charter of Fundamental Rights) and in compliance with Article 6(2) and (3) GDPR.
Line 372: Line 422:


==== (d) Vital interest ====
==== (d) Vital interest ====
A data processing may also be lawful if it is necessary to protect the vital interests of the data subject or of another natural person. The underlying assumption here is that the right to life takes precedence over data protection and - in the case of the vital interests of the data subject - the data subject is assumed to consent to the processing. <blockquote><u>Example:</u> The data subject is rushed to the hospital and the doctors check their medial data systems to ensure that they are fully aware of any potential complications from preexisting conditions or allergically reactions.</blockquote>In practice many situations where data for the "vital interests" are processed my concern special categories of personal data (e.g. health data) and are therefor regulated by [[Article 9 GDPR]].
A data processing may also be lawful if it is necessary to protect the vital interests of the data subject or of another natural person. The underlying assumption here is that the right to life takes precedence over data protection and - in the case of the vital interests of the data subject - the data subject is assumed to consent to the processing. <blockquote>{{Quote-example|The data subject is rushed to the hospital and the doctors check their medial data systems to ensure that they are fully aware of any potential complications from preexisting conditions or allergically reactions.}}</blockquote>In practice many situations where data for the "vital interests" are processed my concern special categories of personal data (e.g. health data) and are therefore regulated by [[Article 9 GDPR]].


===== Necessary =====
===== Necessary =====
Line 399: Line 449:


===== Necessary =====
===== Necessary =====
Information on necessity can be found above under the overview on Article 6(1) under "necessity". The concept of necessity means that processing must be limited to what is strictly necessary. This does not mean that only indispensable processing is allowed. Unreasonable alternatives are not taken into account, but merely "useful" additional processing is not "necessary"
Information on necessity can be found above under the overview on Article 6(1) under "necessity". The concept of necessity means that processing must be limited to what is strictly necessary. This does not mean that only indispensable processing is allowed. Unreasonable alternatives are not taken into account, but merely "useful" additional processing is not "necessary".
 
Therefore, a processing must not only be carried out in the public interest to meet the requirement of this provision; the processing has to genuinely meet the objectives of the pursued public interest without going beyond what is necessary in order to achieve these objectives.<ref>CJEU, Case C-200/23, ''Agentsia po vpisvaniyata,'' 4 October 2024, margin number 110 (available [[CJEU - C-200/23 - Agentsia po vpisvaniyata|here]]).</ref> 


===== Performance of a task carried out in the public interest =====
===== Performance of a task carried out in the public interest =====
The first branch covers Union or Member State laws that require public or private entities to process personal data for a task carried out in the public interest. <blockquote><u>Example:</u>  In a Member State public but also private entities are operating the ambulance services. This includes a government department but also non-profits operating ambulances. Equally full-time emergency doctors, but also local doctors in the countryside are involved in the system. They are all coordinated by a single software system. The legal basis is a national law that uses the options under Article 6(1)(e) GDPR.</blockquote>
The first branch covers Union or Member State laws that require public or private entities to process personal data for a task carried out in the public interest. <blockquote>{{Quote-example|In a Member State public but also private entities are operating the ambulance services. This includes a government department but also non-profits operating ambulances. Equally full-time emergency doctors, but also local doctors in the countryside are involved in the system. They are all coordinated by a single software system. The legal basis is a national law that uses the options under Article 6(1)(e) GDPR.}}</blockquote>


===== The exercise of official authority vested in the controller   =====
===== The exercise of official authority vested in the controller   =====
The second branch covers Union or Member State laws that require public or private entities to process personal data when exercising official authority. <blockquote><u>Example:</u> A Member State has outsourced issuing and revocation of certain licenses to a private entity. The law transfers certain authority to that entity that requires the use of personal data. The entity can rely on Article 6(1)(e) GDPR.</blockquote>
The second branch covers Union or Member State laws that require public or private entities to process personal data when exercising official authority. <blockquote>{{Quote-example|A Member State has outsourced issuing and revocation of certain licenses to a private entity. The law transfers certain authority to that entity that requires the use of personal data. The entity can rely on Article 6(1)(e) GDPR.}}</blockquote>


===== Specifications in Union or Member State law =====
===== Specifications in Union or Member State law =====
Line 411: Line 463:


==== (f) legitimate interest ====
==== (f) legitimate interest ====
While Articles 6(1)(a) GDPR deals with situations where data subjects waived their rights and Articles 6(1)(b) to (e) deal with common purposes where processing is allowed, Article 6(1)(f) deals solely with situations where the controller or a third party has an interest that conflicts with the data subjects" fundamental right to data protection.  
Article 6(1)(f) GDPR establishes a legal basis for the processing of personal data when the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.  


===== Flexible but legally uncertain =====
While Articles 6(1)(a) GDPR deals with situations where data subjects waived their rights and Articles 6(1)(b) to (e) deal with common purposes where processing is allowed, Article 6(1)(f) deals solely with situations where the controller or a third party has an interest that conflicts with the data subjects' fundamental right to data protection.  
Article 6(1)(f) GDPR is the "catch all" balancing test for anything not foreseen by Articles 6(1)(b) to (e) GDPR, where the controller does not seek consent, but takes the view that the rights of the controller or a third party override  the rights of the data subject.  


The flexibility of this clause also leads to major legal uncertainty for controllers and data subjects.  
There are three cumulative conditions (explained in more detail further below) that must be met in order for a processing to fall under the legal basis of Article 6(1)(f) GDPR:
 
# the pursuit of a legitimate interest by the controller or by a third party (i.e. controllers ought to verify whether their interest is actually “legitimate”);
# the need to process personal data for the purposes of the legitimate interests pursued; and,
# the interests or fundamental freedoms and rights of the person concerned by the data protection do not take precedence over the legitimate interest of the controller or of a third party (i.e. balancing test).<ref>CJEU, Case C-621/22, ''Koninklijke Nederlandse Lawn Tennisbond,'' 4 October 2024, margin number 37 (available [[CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond|here]]); EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 6 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
In general, the evaluation whether a processing activity can be based on the legal basis of legitimate interest is entirely in the hands of the data controller who, taking into account the conditions described above, has discretion in how to perform such evaluation. However, the EDPB provides some guidance on how to perform such assessment.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 1 et seqq. (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> 
 
In accordance with the accountability principle under Article 5(2) GDPR, a controller invoking this legal basis is responsible for, and has to be able to demonstrate, compliance with each of those cumulative conditions. Therefore, the controller should document the performance of the legitimate interest assessment accordingly. Also, if a Data Protection Officer is appointed by the controller, they should be involved by the controller in this assessment.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 45 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
 
If a controller wants to rely on legitimate interest under Article 6(1)(f) GDPR for the processing of personal data for various purposes, the controller has to assess the validity of this legal basis for each of those purposes.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 10 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
=====Flexible but legally uncertain=====
Article 6(1)(f) GDPR is the "catch all" balancing test for anything not foreseen by Articles 6(1)(b) to (e) GDPR, where the controller does not seek consent, but takes the view that the rights of the controller or a third party override  the rights of the data subject. However, this legal basis should not be considered a last resort, if no other legal basis is applicable, neither should it be used to circumvent legal requirements of other legal bases.<ref>EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 9 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> 
 
{{Quote-EDPB|"[...] Article 6(1)(f) should not be considered as an “open door” to legitimise all data processing activities which do not fall under any of the other legal bases in Article 6(1) GDPR. Rather, it should be recalled that Article 6(1)(f), like each of the legal bases set out in Article 6(1) GDPR, must be interpreted restrictively."|EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 9 (available here).|4=https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf}}
 
Even though the controller has to perform a careful assessment for each planned processing activity based on the legal basis of legitimate interest and follow a specific methodology, the flexibility and open-endedness of this clause also leads to major legal uncertainty for controllers and data subjects.


While Article 7(f) of the previous Data Protection Directive 95/46/EC also foresaw the option to process based on an overriding "legitimate interest" the previous Directive allowed Member States to implement more specific provisions for certain situations (e.g. video surveillance, credit ranking and alike). Given that the GDPR is now a directly applicable Regulation, there is no room for such national "interpretations". Nevertheless, many Member States have kept their national "legitimate interest" implementations, despite lacking the necessary jurisdiction. While this approach is meant to provide more legal certainty, it actually adds even more uncertainty.
While Article 7(f) of the previous Data Protection Directive 95/46/EC also foresaw the option to process based on an overriding "legitimate interest" the previous Directive allowed Member States to implement more specific provisions for certain situations (e.g. video surveillance, credit ranking and alike). Given that the GDPR is now a directly applicable Regulation, there is no room for such national "interpretations". Nevertheless, many Member States have kept their national "legitimate interest" implementations, despite lacking the necessary jurisdiction. While this approach is meant to provide more legal certainty, it actually adds even more uncertainty.
Line 424: Line 490:
One of the political solutions was to "park" some of these suggestions in Recitals 47 to 49 GDPR, as one side was able to argue that the matter is now "in the GDPR" and the other side was able to highlight that the Recitals are not legally binding. When it comes to the contentious issue of advertisement the legislator finally added the remarkable line that "''direct marketing''" (not all advertisement) "''may''" constitute a legitimate interest. There is no indication as to when this "''may''" or "''may not''" be a legitimate interest.
One of the political solutions was to "park" some of these suggestions in Recitals 47 to 49 GDPR, as one side was able to argue that the matter is now "in the GDPR" and the other side was able to highlight that the Recitals are not legally binding. When it comes to the contentious issue of advertisement the legislator finally added the remarkable line that "''direct marketing''" (not all advertisement) "''may''" constitute a legitimate interest. There is no indication as to when this "''may''" or "''may not''" be a legitimate interest.


Article 6(1)(f) GDPR consequently requires a delicate balancing of relevant interests. The balancing act in question is not a straightforward balancing test which would simply consist of weighing two easily quantifiable and easily comparable "weights" against each other. <blockquote><u>Guidelines:</u> In Opinion 06/2014 of the WP29 on "legitimate interests" under Directive 95/46/EC (in the only and now outdated guidance on the issue) suggests a multi-step procedure. First, controllers ought to verify whether their interest is actually “legitimate”. Second, they need to identify the data subject’s interests, rights and freedoms. Third, they have to establish (through an appropriate balancing operation) whether the controller’s (presumably, legitimate) interests are overridden by those of the data subject.<ref>WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf here]).</ref></blockquote>
Article 6(1)(f) GDPR consequently requires a delicate balancing of relevant interests. The balancing act in question is not a straightforward balancing test which would simply consist of weighing two easily quantifiable and easily comparable "weights" against each other.
 
===== Pursuit of a legitimate interest (1st step in the assessment)=====
 
======Whether the interest is legitimate======
As highlighted by the EDPB, the a distinction must be made between concept of interest and the concept of purpose (for more information on the concept of purpose see [[Article 5 GDPR|Article 5(1)(b) GDPR]]). ''Interest'' is the general objective that a controller intends to pursue (i.e. ensuring the occupational safety of its employees). The purpose, on the other hand, is the specific aim of a certain processing activity (for instance, implementation of specific access control procedures to only allow trained personnel in certain areas of the workplace) and can include a broad range of activities, whether trivial or very compelling, straightforward or more controversial.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 14 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).
</ref>
 
{{Quote-EDPB|"A 'purpose' is the specific reason why the data are processed: the aim or intention of the data processing. An 'interest', on the other hand, is the broader stake or benefit that a controller or third party may have in engaging in a specific processing activity. For example, a controller may have an interest in promoting its products, whereas this interest may be advanced by processing personal data for direct marketing purposes."|EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 14.|4=https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf}}
 
Only an ''legitimate'' interest can be invoked by a controller in order to base a processing activity on the legal basis of Article 6(1)(f) GDPR. There are three cumulative requirements for an interest to be considered legitimate:
 
<u>First</u>, the interest hast so be lawful, i.e. the controller can legitimately pursue it and it is not contrary to EU or national law. However, it is not necessary that the interest is determined or enshrined in law.<ref>EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 17 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]); CJEU, Case C-621/22, ''Koninklijke Nederlandse Lawn Tennisbond,'' 4 October 2024, margin number 40 (available [[CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond|here]]).</ref> For example, the CJEU did not rule out that, in principle, also a commercial interest of the controller could be regarded as a legitimate interest.<ref>CJEU, Case C-621/22, ''Koninklijke Nederlandse Lawn Tennisbond,'' 4 October 2024, margin number 48 (available [[CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond|here]]).</ref>
{{Quote-CJEU|"As regards, first, the condition relating to the pursuit of a ‘legitimate interest’, it should be emphasised that, in the absence of a definition of that concept in the GDPR, as the Court has previously held, a wide range of interests is, in principle, capable of being regarded as legitimate [...]".|CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond|38.}}
 
As to what “law” means in this case, in the absence of updated guidance, reference should be made to the instructions provided by the WP29 in Opinion 3/2013 on purpose limitation, according to which the notion of "law" must be interpreted in an extensive manner, including all forms of written or common law, as interpreted by the competent courts and supplemented by other official sources.<ref>WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf here]).</ref> The above seems to be confirmed by the recent guidelines on contract-based treatment. There, the EDPB clarified that the contract (and thus, by analogy, the legitimate interest) must be valid i.e. “''must comply with the requirements of contract laws and, as the case may be for consumer contracts, consumer protection laws in order for processing based on those terms to be considered fair and lawful''”.<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 5 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref> Also, reference can be made to the Cookie Banner Taskforce, deeming the usage of legitimate interest for activities such as “create a personalised content profile” unlawful. The taskforce agreed that such processing requires consent according to Article 5(4) ePrivacy Directive.<ref>EDPB, ‘Report of the work undertaken by the Cookie Banner Taskforce’ 844/14/EN WP 217, 17 January 2023, p. 7 (available [https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf here]).</ref>
 
<u>Second</u>, the pursued interest has to be clearly and precisely articulated in order to ensure that the assessment of necessity and the balancing of interests can be performed in a an accurate and proper manner.<ref>EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 17 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> Therefore, a interest only expressed in vague or general terms is not sufficiently articulated to assess its legitimacy and therefore cannot be a legitimate interest.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 18 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> 
 
<u>Third</u>, the persuaded interest must not be just speculative. To the contrary, the pursued interest must be real and present. This means that the legitimate interest must be present at the date of the processing of personal data; a mere hypothetical interest is not sufficient.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 17 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]); CJEU, Case C-708/18, ''Asociaţia de Proprietari bloc M5A-ScaraA'', 11 December 2019, margin number 44 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=221465&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=3837370 here]).</ref>
 
A wide variety of interests can potentially fulfil all three conditions and be therefore considered legitimate. Recital 47 GDPR additionally mentions a relevant and appropriate relationship between the data subject and the controller as potential indicator for the existence of a legitimate interest. However, such a relationship is neither necessary nor a guarantor for a interest to be legitimate.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), Example 2 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
======Pursued by the controller or by a third party ======
The legitimate interest at stake must also be “''pursued by the controller or a third party''”. However, the interest pursued by a controller should be related to the actual activities of that controller.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 20 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> 
 
{{Quote-example|A social media platform can not rely on a legitimate interest of preventing, detecting and prosecuting criminal offences, for the sharing of personal data with law-enforcement agencies, since this is unrelated to its economic and commercial activity and can therefore not constitute a legitimate interest pursued by the social media platform.<ref>CJEU, Case C-252/21, ''Meta v. Bundeskartellamt'' 4 July 2023, margin number 124 (available [[CJEU - C-252/21 - Meta Platforms and Others v Bundeskartellamt]]).</ref>}}
 
The pursue of interests of one or more third parties can also subject of this provision. Regularly, a processing activity will be in the interest of the controller as well as in the interest of third parties. The clarification of the specific beneficiaries of a processing activity prior to the actual processing is therefore crucial in order to assess the necessity of the processing and to perform a proper balancing test.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 20 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> The EDPB provides some guidance on contexts in which personal data may be processed in the interest of a third party, mentioning cases like the defence of legal claims, the disclosure of data for transparency and accountability purposes, and scientific research.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 22-25 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> 
 
Even if some interests pursued by a controller could also benefit the general public, it should be pointed out that the general public itself does not constitute a ''third party'' under Article&nbsp;6(1)(f) GDPR.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 25 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
 
In situations where personal data is processed for a purpose other than that for which the data was initially collected (e.g. when data is initially collected for purposes of the controller and then further processed in the legitimate interest of a third party), the rules for further processing (also called "secondary use") under [[Article 5 GDPR|Articles 5(1)(b)]] and [[Article 6 GDPR|6(4) GDPR]] apply. In the absence of consent or a law explicitly allowing it such a further processing, “''is permitted only if it is compatible with the purpose of the initial processing''”).  
 
Additionally, it should be noted that according to Article 6(1) GDPR, public authorities cannot invoke the legal basis of Article 6(1)(f) GDPR in the performance of their tasks.<ref>For exceptions in which the processing by public authorities is not related to the performance of their specific task in connection to the public interest, see EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 99 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
 
=====Necessary for the purposes (2nd step in the assessment) =====
Necessity is a condition for all legal bases but consent. Therefore, see the paragraph on ''necessity'' in general above.  
{{Quote-CJEU|"Second, with regard to the condition that the processing of personal data be necessary for the purposes of the legitimate interests pursued, that condition requires the referring court to ascertain that the legitimate data processing interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects, in particular the rights to respect for private life and to the protection of personal data guaranteed by Articles 7 and 8 of the Charter [...]"|CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond|42.}}
 
=====Balancing Test (4rd step in the assessment)=====
 
======Overridden by interests of the data subject======
The fact that the controller has a legitimate interest and the processing is necessary for the pursued legitimate interest is not enough for a controller to rely on Article 6(1)(f) as a legal basis for the processing. The third condition is that the legitimate interest pursued is not overridden by the interests and fundamental rights and freedoms of the data subjects. Therefore, the it is necessary to perform a balancing test between the legitimate interests of the controller or of a third party on the one hand and the interests or fundamental freedoms and rights of the data subjects on the other hand.
{{Quote-EDPB|"This “balancing exercise” between the fundamental rights, freedoms and interests at stake must be performed for each processing to be based on legitimate interest as a legal basis, and must be done before carrying out the relevant processing operation(s)."|EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 7 (available here).|4=https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf}}
To do so, the EDPB suggests a four-step test including:
 
# assessing the data subjects' interest, fundamental rights and freedoms;
# identifying the impact of the processing on data subjects (e.g. the nature of the processed data, the context of the processing, and any further consequences of the processing);
# the reasonable expectations of the data subject; and
# the balancing of the opposing rights and interests (taking into account any possible mitigation measures like additional safeguards).<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 32 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
{{Quote-EDPB|"It should be recalled that the purpose of the balancing exercise is not to avoid any impact on the interests and rights of the data subjects altogether. Rather, its purpose is to avoid a disproportionate impact and to assess the weight of these aspects in relation to each other."|EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 33.|4=https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf}}
 
======Data subjects' interests or fundamental rights and freedoms ======
In general, the definition of “fundamental rights and freedom” includes all the traditional rights foreseen in the European constitutions, the Charter of Fundamental Rights of the EU as well as the European Convention on Human Rights. This obviously includes the right to the protection of personal data, personal and family life, freedom of expression and human dignity. In addition to the fundamental rights of the data subject, other “freedoms or interests” must also be taken into account. This includes the interest not to suffer any economic disadvantages, regardless of whether the damage occurs following the publication of personal data or in another way, such as via a discriminatory personalised pricing policy.<ref>''Bucher, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin numbers 148-148a (C.H. Beck 2024, 4th Edition).</ref> The EDPB also lists various other freedoms and interests like the ''prohibition of discrimination'' and ''personal interests''.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 37 and 38 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
 
Finally, it should be noted that - unlike in the case of the controller’s interests - the data subject's interest apparently does not have to be legitimate. A wider scope to the protection of individuals’ interests and rights is therefore implied. This means that even individuals engaged in unlawful activities should not be subject to disproportionate interference regarding their rights and interests. For example, “''an individual who may have perpetrated theft in a supermarket could still see his interests prevailing against the publication of his picture and private address on the walls of the supermarket and/or on the Internet by the owner of the shop''.”<ref>WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 30 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf here]).</ref>
====== Identifying the impact on the data subject======
Once the data subjects' interests and fundamental rights have been identified, an assessment of the impact (negative as well as positive) on data subjects should be performed by the controller. In order to perform a comprehensive assessment, the EDPB recommends to consider among others: (i) the nature of the processed data, (ii) the context of the processing, and (iii) any further consequences of the processing.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 39 et seqq. (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
 
Several elements can be useful at this stage, including the likelihood that a risk can materialise and the severity of its consequences. Also, the scale of the processing (i.e. the number of individuals potentially impacted as well as the volume of data) and other circumstances of the processing should be considered. Also of relevance is the way the information is being processed, whether it is shared with a large number of actors or persons or combined with other data sets. For example, in a case involving the lawfulness of a CCTV surveillance system, the CJEU considered different factors including whether the data to be processed were retrieved from publicly accessible sources or were rather related to the data subject’s private life; the nature of the data, particularly their sensitiveness; and the modalities of processing, including the number of persons having access to the data.<ref>CJEU, Case C-708/18, ''Asociaţia de Proprietari bloc M5A-ScaraA'', 11 December 2019, margin number 55 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=221465&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=1448401 here]).
 
</ref>
 
In general, it appears that the more sensitive the information involved is, the more consequences for the data subject there may be. It should be noted that the processing of special categories of data is only allowed in the cases listed in [[Article 9 GDPR|Article 9(2) GDPR]].<ref>EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 40 et seqq. (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>  Reference can also be made to the factors a controller has to consider also during the assessment of risks connected to a processing activity (among others, see commentary on [[Article 24 GDPR|Article 24]], [[Article 25 GDPR|25]] and [[Article 32 GDPR|32]]). <blockquote>Article 6(1)(f) GDPR explicitly mentions situations "''in particular where the data subject is a child''". This indicates that a balancing test needs to take the specific interests and expectations of a child into account.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 44 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>  </blockquote>In the context of the balancing test and the potential impact on the data subject importance should be attached to the relationship between the data subjects and the controller. E.g. the CJEU held that the transfer of personal data by a sports association to a provider of casino games for marketing activities did not appear to be characterised by a relevant and appropriate relationship between the association and its members whose personal data were transmitted.<ref>CJEU, Case C-621/22, ''Koninklijke Nederlandse Lawn Tennisbond,'' 4 October 2024, margin number 56 (available [[CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond|here]]).</ref>
 
Also, any potential harmful effects and other consequences on the data subjects must be considered in course of the balancing test.<ref>CJEU, Case C-621/22, ''Koninklijke Nederlandse Lawn Tennisbond,'' 4 October 2024, margin number 56 (available [[CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond|here]]); EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 45-49 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
{{Quote-EDPB|"The controller may need to take into account also possible broader emotional impacts resulting from a data subject losing control over personal information, or realising that it has been misused or compromised. The chilling effect on protected behaviour, such as freedom of research or freedom of expression, that may result from continuous monitoring/tracking or from the risk of being identified, should also be given due consideration. For example, continuous online monitoring of online activities by a platform may give rise to the feeling that a data subject’s private life is being continuously observed."|EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 46.|4=https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf}}
The assessment of the (potential) impact on data subjects should not be made under the assumption that all data subjects have the same interests - especially, when it is likely that the some of the affected data subjects have diverging interests.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 47 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
 
====== Reasonable expectations of the data subject ======
 
Recital 47 GDPR stipulates that the reasonable expectations of the data subjects should be considered. In particular, it is important to evaluate whether the status of the data controller, the nature of the relationship or the service provided, or the applicable legal or contractual obligations (or other promises made at the time of collection) could give rise to reasonable expectations of stricter confidentiality and stricter limitations on further use.<ref>WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 40 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf here]).</ref>{{Quote-CJEU|"[...] as regards the balancing of interests which it is for the referring court to carry out in the light of the specific circumstances of the dispute in the main proceedings, that court must take account, in particular, of the reasonable expectations of the data subject as well as the scale of the processing at issue and its impact on that person [...]"|CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond|54.}}It is important to note that the reasonable expectations of a data subject could very well deviate from whatever is considered ''common practice'' or ''business standard'' in a certain sector. Also the fact that a processing activity is very established or has been taken place for a long time is not decisive for the question whether a processing is in the data subjects' reasonable expectations. Neither do the reasonable expectation of the data subject depend on the information provided by the data subject (e.g. in a privacy policy).<ref>compare EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 52 et seq. (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> 
 
{{Quote-EDPB|"While a failure to provide information can contribute to the data subjects being surprised, the mere fulfilment of information duties according to Articles 12, 13 and 14 GDPR is not sufficient in itself to consider that the data subjects can reasonably expect a given processing."|EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 68.|4=https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf}}
 
The EDPB suggests that the assessment of the reasonable expectations should consider an "average" data subject (unless it is likely that different groups of data subjects with different characteristics are affected) and lists a number of elements, that could be considered for the assessment of what could be considered reasonable expectations.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 54 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> 
 
====== Balancing of the opposing rights and interests ======
At the end of the balancing test is the assessment whether the identified pursued legitimate interests of the controller or third parties are overridden by the data subjects' interests or rights and freedoms. Only if that is not the case, the controller can base its processing of personal data on the legal basis of legitimate interest under Article 6(1)(f) GDPR. It is worth repeating that such assessment has to take place prior to the commencement of the processing activity. 
 
<u>In particular where the data subject is a child</u> 
 
In all the steps of the balancing test, special attention should be paid to the question whether also children could be affected by the processing activity. This is also directly stated in Article 6(1)(f) GDPR. In such a case the balancing test should be recalibrated and consider the fact that children (depending of the specific age group) might be less aware of any risks and consequences connected with the processing activity.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 91 et seqq. (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>   
 
{{Quote-EDPB|"While this does not mean that there will never be a situation in which the interests of the child can be overridden, it does mean that the interests of children as data subjects should have high priority and will very often outweigh the interests of the controller or third parties.
 
 
[…]
 
 
[…] Article 6(1)(f) GDPR may be invoked as a legal basis by a controller where the legitimate interests pursued coincide with the interests of the child. However, when there is a conflict between a controller’s legitimate interests (including regarding processing of personal data for commercial purposes) and the interests or fundamental rights and freedoms of a child, the interests or fundamental rights and freedoms of the child should in general prevail. […] [T]here are certain types of data processing operations, such as those consisting of extensive profiling and targeted advertising activities, which - subject to certain limited exceptions - will generally not align with the obligation to ensure specific protection of children."|EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 94 et seq.|4=https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf}}
 
Whenever personal data of children are processed based on Article 6(1)(f) GDPR, the controller has to be able to demonstrate that the children's best interest were a primary consideration in the balancing test.<ref>EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 96 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
 
<u>Additional safeguards</u>
 
In case the legitimate interest test shows that the data subjects' interests or rights and freedoms overweight the legitimate interest of the controller or third parties, the controller could introduce additional safeguards (mitigation measures) in order to archive a balance a balance between the opposing interests. However, such measures can only be implemented ''in addition'' to all other requirements that the controller is obliged to anyway. Therefore, fulfilling an information obligation in accordance with Article 13 et seq. GDRP or granting data subjects the right to object in accordance with Article 21 GDPR to a data processing can not be considered additional safeguards or mitigation measures; providing additional information or waiving any requirements under Article 21 GDPR could however be considered as a mitigating measure.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 57 and 62 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>   
 
{{Quote-EDPB|"If the data subject’s interests, rights and freedoms seem to override the legitimate interest(s) being pursued, the controller may consider introducing mitigating measures to limit the impact of the processing on data subjects, in view of achieving a fair balance between the rights, freedoms and interests involved."|EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 56.|4=https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf}}
 
Other examples of mitigation measures include the “''strict limitation on how much data is collected, or immediate deletion of data after use. While some of these measures may already be compulsory under the Directive, they are often scalable and leave room for controllers to ensure better protection of data subjects''” as well as “''providing an easily workable and accessible mechanism to ensure an unconditional possibility for data subjects to opt-out of the processing''”.<ref>WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, pp. 40-41 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf here]).</ref>  
 
These additional measures may in some cases help tip the balance and help ensure that the processing can be based on Article 6(1)(f), whilst simultaneously protecting the rights and interests of the data subjects. In any case, the controller has to perform the balancing test anew after the implementation of such additional safeguards and mitigation measures. Often, even the implementation of such measures will not change the outcome of a balancing test in favour of the interests or rights and freedoms of data subjects. In such cases Article 6(1)(f) GDPR can not be invoked as a legal basis for a processing activity.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 60 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> 
=====Examples of overriding legitimate interest =====
The assessment if a legitimate interest overrides the interest of a data subject are always a case-by-case assessment. And it should be kept in mind that the assessment if a processing activity can be based on this legal basis could result in different outcomes in different contexts or situations. For example could the reasonable expectations of data subjects diverge immensely in different processing situations and controllers could implement different additional safeguards or could have different alternative methods to their disposal.
 
Controllers should therefore be careful when orientating on existing case law or examples found elsewhere. However, such examples can provide some useful guidance for controllers.
 
Some examples of situations in which legitimate interest under Article 6(1)(f) GDPR overrides the data subjects' freedoms and interests can be found in Recitals 47 to 49. As always, it must be stressed that Recitals are not legally binding, but nevertheless give a very good understanding of the views of the legislator. Generally the examples in Recitals 47 to 49 can be described as largely "defensive", in the sense that the data subject interfered with the rights of the controller or a third party and the controller is using personal data to defend against such situations. Only very limited examples seem to be "offensive", in the sense that the controller proactively interferes with the rights of the data subject.
 
To give some additional orientation, it can be referred to some typical examples of cases in which a legitimate interests might override the data subject's freedoms and interests:
 
* Processing for network and information security (see Recital 49), which may even be a legal duty under Articles 6(1)(c) and [[Article 32 GDPR|32 GDPR]].<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 126 et seqq. (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
*Protection of life, property and alike (like CCTV of areas with repeated offences or highly likely targets, such as a bank, if there are no feasible alternatives and safeguards like deletion periods and strictly limited access to recordings are ensured).
* Processing for the prevention of fraud (see Recital 47), such as "black lists" of known fraudsters.<ref>See EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 100 set seqq. (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]) for a detailed analysis; see also ''Buchner/Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 173 et seq. (C.H. Beck 2024, 4th Edition).</ref>
 
The EDPB lists additional examples of legitimate interests in their Guidelines on legitimate interest.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 16 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
 
However, it should be noted that the above mentioned interests should be articulated clearer and more precise when actually invoked by a controller for a specific processing activity.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 17 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
 
On the other hand, the following situations are generally not seen as cases where a legitimate interest overrides the data subjects' freedoms and interests:
 
*Advertisement (other than "''direct marketing''" as under Article 13(2) of ePrivacy Directive 2002/58/EC, see below).
*Usually the use of personal data for mere profits is also a case where the data subjects' freedoms and interests generally override the pursued legitimate interests.
It should be noted however, that the CJEU confirmed that also a commercial interest of the controller could constitute a ''legitimate'' interest, provided that it is lawful.<ref>CJEU, Case C-621/22, ''Koninklijke Nederlandse Lawn Tennisbond,'' 4 October 2024, margin number 49 (available [[CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond|here]]).</ref>  
 
The following processing could be considered edge cases in which controllers should be especially careful when considering each step of the assessment whether legitimate interest could be a legal basis for a processing activity:


===== Whether the interest is legitimate =====
* Direct marketing (the Recital says this "''may"'' be a legitimate interest) other than so-called "soft spam" in existing customer relationships under Article 13(2) of the ePrivacy Directive 2002/58/EC.<ref>For a detailed analysis see EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 109 et seqq. (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
In the view of the WP29, the notion of interest a distinction must first be made between interest and purpose. Interest is the general objective that a controller intends to pursue (i.e. ensuring the occupational safety of its employees). The purpose, on the other hand, is the specific aim of a certain processing activity (for instance, implementation of specific access control procedures to only allow trained personnel in certain areas of the workplace] can include a broad range of activities, whether trivial or very compelling, straightforward or more controversial.<ref>WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf here]).</ref> In general terms, an interest is “legitimate” if the controller can legitimately pursue it and thus in accordance with the GDPR and any applicable law. As to what “law” means in this case, in the absence of updated guidance, reference should be made to the instructions provided by the WP29 in Opinion 3/2013 on purpose limitation, according to which the notion of "law" must be interpreted in an extensive manner, including all forms of written or common law, as interpreted by the competent courts and supplemented by other official sources.<ref>WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf here]).</ref> The above seems to be confirmed by the recent guidelines on contract-based treatment. There, the EDPB clarified that the contract (and thus, by analogy, the legitimate interest) must be valid i.e. “''must comply with the requirements of contract laws and, as the case may be for consumer contracts, consumer protection laws in order for processing based on those terms to be considered fair and lawful''.<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 5 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref><blockquote><u>Guidelines:</u> In Report 01/2023 of the Cookie Banner Taskforce, paragraphs 20-24 deem the usage of legitimate interest for activities such as “create a personalised content profile” unlawful. The taskforce agreed that such processing requires consent according to Article 5(4) ePrivacy Directive.<ref>EDPB, ‘Report of the work undertaken by the Cookie Banner Taskforce’ 844/14/EN WP 217, 17 January 2023, p. 7 (available [https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf here]).</ref></blockquote>
*The sharing of information within a group of undertakings for internal administrative purposes "''may''" be a legitimate interest according to Recital 48.<ref>For a detailed analysis see EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 123 et seqq. (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
*Use or personal data in search engines, based on the public interest in information under Article 11 of the Charter  - but not the commercial interest of a search engine. However, this interest may be overridden in individual cases (see [[CJEU - C‑131/12 - Google Spain|C‑131/12 - Google Spain]] and the "''right to be forgotten''").
*Transmission of personal data to competent authorities in connection with possible criminal acts or threats to public security.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 129 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
Another area with a lot of legal uncertainty is the performance of profiling in connection or in advance of different processing purposes. The EDPB highlights elements that are particularly relevant for any cases such a profiling takes place, like the level of detail and comprehensiveness of the profile and the potential impact of the profile on the data subject.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 82 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>


===== Pursued by the controller or by a third party =====
===(2) Member State law under Article 6(1)(c) and (e)===
The interest at stake must also be “''pursued by the controller''”. This requires a real and present interest, instrumental to the controller’s current activities or benefits expected in the very near future. In other words, interests that are too vague or speculative will not be sufficient. <ref>WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 24 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf here]).</ref> According to Article 6(1)(f) the processing can also lawfully take place for the legitimate interests pursued by a third party. This is “secondary use” of data (or “further processing”) per Article 5(1)(b) GDPR and, under Article 6(4) GDPR, in the absence of consent or a law explicitly allowing it, “''is permitted only if it is compatible with the purpose of the initial processing''”. It follows that the third party’s interest must fulfil two conditions: it shall be “legitimate” and “compatible” with the purpose of the initial processing.<ref>''Kotschy,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, [Update of Selected Articles - May 2021] Article 6 GDPR, p. 74 (Oxford University Press 2020).</ref>
Paragraph 2 gives Member States competence in the public sector,<ref>''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 326 (Oxford University Press 2020).</ref> since it allows them to adopt, or keep,<ref>This is clear from the wording ‘maintain’. See ''Plath'', in Plath, DSGVO BDSG , Art. 6 DSGVO, margin number 126 , (Otto Schmidt 2018).</ref> their own (material) rules that regulate in which instances a controller can rely on the legal bases provided for in Article 6(1)(c) and Article 6(1)(e) GDPR. Member States can also "''determine more precisely specific requirements''" for the processing to, ultimately, ensure that this processing is lawful and fair.<ref>''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 6, margin number 32 (C.H. Beck 2021, 3rd Edition).</ref> While Member States may "''specify''" the often abstract GDPR requirements, but they may not alter them or go beyond them. Through this wording it is apparent that these national provisions must stay within, and cannot go beyond the framework of the GDPR.<ref>''Plath'', in Plath, DSGVO BDSG, Article 6 DSGVO, margin number 125, (Otto Schmidt 2018).</ref> They also concern specific processing situations under [[Article 85 GDPR|Articles 85]] to [[Article 91 GDPR|91 GDPR]] (freedom of expression, freedom of information, access to official documents, processing in the employment context and alike). <blockquote>{{Quote-example|A national law may require an employer to collect personal data on employees and provide them to social security providers or the tax authority under Article 6(1)(c) GDPR. Such laws may be kept, introduced or changed by the Member States and also add elements in the national law, like specific deletion period (e.g. "keep records for 5 years"), setting clearer purposes that limit the use of certain data (e.g. "only for taxation purposes") or add specific notice requirements.}}</blockquote>Since this provision allows Member States to enact denser regulation, as well as more concrete requirements for controllers, some authors noted that this can lead to conflicts, not only between a Member State and the Commision (since the latter monitors the application of Union law), but also in case of different processing situations by the same controller or vis-à-vis the same data subject.<ref>''Frenzel'', in Paal, Pauly, DS-GVO BDSG, Article 6, margin number 32 (C.H. Beck 2021, 3rd Edition).</ref>


===== Interests or fundamental rights and freedoms of the data subject =====
===(3) Union and Member State law under Article 6(1)(c) and (e) ===
In general, the definition of “fundamental rights and freedom” includes all the traditional rights foreseen in the European constitutions, the Charter of Fundamental Rights of the EU as well as the European Convention on Human Rights. This obviously includes the right to the protection of personal data, personal and family life, freedom of expression and human dignity. In addition to the fundamental rights of the data subject, other “freedoms or interests” must also be taken into account. This includes the interest not to suffer any economic disadvantages, regardless of whether the damage occurs following the publication of personal data or in another way, such as via a discriminatory personalised pricing policy.<ref>''Bucher, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin numbers 148-148a (C.H. Beck 2020, 3rd Edition).</ref>


Finally, it is important to note that unlike the case of the controller’s interests, the adjective “legitimate” is not used here to precede the ‘interests’ of the data subjects. This implies a wider scope to the protection of individuals’ interests and rights. It follows that even individuals engaged in illegal activities should not be subject to disproportionate interference with their rights and interests. For example, “''an individual who may have perpetrated theft in a supermarket could still see his interests prevailing against the publication of his picture and private address on the walls of the supermarket and/or on the Internet by the owner of the shop''”. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 30 (available here).]
====Union or Member State law====
According to Article 6(3), the legal basis for processing under Article 6(1)(c) (legal obligation) and Article 6(1)(e) (public interest) must be laid down by (a) Union, or (b) Member State law. Contrary to Article 6(1)(c), however, the public interest processing does not have to be expressly laid down in a legal basis. It suffices if the processing is necessary to fulfil a task which serves the public interest, or in the exercise of official authority, and the task is described in a specific and clear manner.<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 121 (C.H. Beck 2020, 3rd Edition).</ref>


===== Balancing test (“overridden by”) =====
It should be noted that the Member State law to which the controller is subject does not necessarily mean a legislative act adopted by a parliament. For example, the CJEU held that also national case-law could constitute such a legal basis.<ref>CJEU, Joint Cases C‑17/22 and C‑18/22, 12 September 2024, margin number 71 (available [[CJEU - Joined Cases C‑17/22 and C‑18/22 - HTB Neunte Immobilien Portfolio|here]]).</ref>
The fact that the controller has such a legitimate interest in the processing of certain data does not mean that it can necessarily rely on Article 6(1)(f) as a legal ground for the processing. The legitimacy of the data controller’s interest is just a starting point, while the overall lawfulness of the entire processing operation based on legitimate interests will depend on the outcome of the balancing test between the two opposed positions. To do so, the WP29 suggests a four-step test which includes (a) assessing the controller’s legitimate interest, (b) evaluating the impacts of such interest on the data subjects, (c) striking a provisional balance and, should the situation still be uncertain, (d) applying additional safeguards to reduce any negative impact on the data subjects.


====== ''Assessing the controller’s legitimate interest'' ======
{{Quote-CJEU|"[…] as recital 41 of that regulation states, where it refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to obligations provided for under the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court and the European Court of Human Rights.
The WP29 points out that a controller’s legitimate interest may be justified by their freedom of expression and information, academic and scientific research, right of access to documents, as well as the right to liberty and security, freedom of thought, conscience and religion, the freedom to conduct a business, the right to property and to an effective judicial remedy or the presumption of innocence. In other cases, the controller may even invoke the public interest, for instance when it enforces policies that ensure the safety of an online community.  


====== ''Evaluating the Impact on the Data Subject'' ======
[…]
Once the controller´s interest has been assessed, the impact of the processing on the data subject´s interests or fundamental rights should be evaluated. Several elements can be useful at this stage, including the likelihood that a risk can materialise, the severity of its consequences, the number of individuals potentially impacted as well as the nature of the data. In general, it appears that the more sensitive the information involved is, the more consequences for the data subject there may be.


Also of relevance is the way the information is being processed, whether it is shared with a large number of actors or persons or combined with other data sets. Finally, the reasonable expectations of the data subjects and the status of the controller should be considered (Recital 47). In particular, it is important to evaluate whether the status of the data controller, the nature of the relationship or the service provided, or the applicable legal or contractual obligations (or other promises made at the time of collection) could give rise to reasonable expectations of stricter confidentiality and stricter limitations on further use.<ref>WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 40 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf here]).</ref><blockquote><u>Case Law:</u> In C-708/18 - TK, para. 53-59, the CJEU elaborated on the criteria for the balancing of interests. In a case involving the lawfulness of a CCTV surveillance system, the Court considered different factors including whether the data to be processed were retrieved from publicly accessible sources or were rather related to the data subject’s private life; the nature of the data, particularly their sensitiveness; and the modalities of processing, including the number of persons having access to the data. </blockquote>The Court also “''took implicitly into account recital 47,17 which stresses the importance of the reasonable expectations of the data subjects based on the time and context of the processing, and indicates that conflict with these expectations could, in certain cases, ‘override’ a controller’s interest in ‘further processing’''”.<ref>See, ''Kotschy,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021] Article 6 GDPR, p. 74 (Oxford University Press 2020). In CJEU, Case C-468/10 and C-469/10, ''ASNEFF and FECEMD'', 24 November 2011, margin number 38 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=115205&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=135346 here]) , the CJEU named two elements for a test under Article 7(f) of Directive 95/46/EC. Firstly, the processing of the personal data must be necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed. Secondly, such interests must not be overridden by the fundamental rights and freedoms of the data subject. The wording of Article 6(1)(f) GDPR and Article 7(f) of Directive 95/46 are sufficiently overlapping to be able to apply this test after the introduction of GDPR.</ref>
In that regard, it should be noted that […] it cannot be ruled out that ‘Member State law to which the controller is subject’ within the meaning of point (b) of Article 6(3) of the GDPR also covers national case-law."|CJEU - Joined Cases C‑17/22 and C‑18/22 - HTB Neunte Immobilien Portfolio|68 and 71.}}


====== ''Provisional balance'' ======
Requirements under non-EU/EEA laws, such as a US, Chinese or Swiss law requiring the processing of personal data, cannot be the basis for processing under Article 6(1)(c) or (e) GDPR. However, a duty under the law of another country may be a "''legitimate interest''" under Article 6(1)(f) GDPR, which can be the starting point of a balancing test.
The essence of the balancing act is not clarified by the WP29´s opinion (nor does the GDPR provide any general instruction on the matter). It follows that, in accordance with the principle of accountability, the balancing act is entirely in the hands of the data controller who, taking into account the elements described above, must proceed in one direction or another, assuming full responsibility for the choice. It goes without saying that the controller should document and be able to demonstrate the reasoning used to reach their conclusions. These assessments must therefore be made on a case-by-case basis.<ref>The following situations are generally assumed to form a legitimate interest: Defense of legal claims It is generally accepted that the defense of legal claims is a legitimate interest. This includes civil law claims (whether contractual or not), administrative or criminal cases. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR. Fraud prevention Recital 47 explicitly names the prevention of fraud as a legitimate interest. In practice, an assessment and balancing of the likeliness of any fraudulent activity and the interference with the rights of the data subject needs to be made. Previous fraudulent activity may be an indicator. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR. Network security Recital 49 explicitly deals with data processing for network security. Processing of personal data for these purposes can also be derived as a legal duty under Article 32 GDPR. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR. Search engines Insofar as search engines process personal data, the right to freedom of information by the user as well as the rights of the search engine operators generally leads to an overriding legitimate interest. This may, however, be overridden by the interests of specific data subjects. Video surveillance: In many national laws under Directive 95/46/EC, video surveillance ("CCTV") was accepted under the legitimate interest. Many limitations on the specific situations when a controller has an overriding interest in surveillance over the interest of others were defined in national laws. When there is a genuine security challenge or threat, the use of structural surveillance may override the interests of data subjects. This includes the security of third parties, like the safety of passengers on a train. Such examples may include a high risk institution (e.g. banks) or previous criminal activity (e.g. thefts, violent crime or vandalism). Any video surveillance system must still comply with other provisions like the general principles in Article 5 GDPR. This means that the records must be destroyed as soon as the purpose is fulfilled (usually the time that realization of a crime takes, which may be 72 hours over a weekend). Data minimization also requires that only the strictly necessary area is filmed. Other obliogations like information to the public through signs under Article 13 GDPR also need to be observed. Direct marketing: During the negotiations on the GDPR there were multiple attempts to include "direct marketing" into the list of legitimate interests. In the end, the negotiating parties agreed to not reach a clear agreement: "Direct marketing" was moved to the last sentence of the non-binding recitals and the word "may" was added. Recital 47 now says that direct marketing "may be regarded" as carried out for a legitimate interest. At the same time, [https://gdprhub.eu/index.php%3Ftitle=Article_21_GDPR Article 21(2) GDPR] includes an absolute right to object to direct marketing. Generally, the GDPR therefore seems to accept that direct marketing can be a legitimate interest ("may") while recognizing that it will not always be a legitimate interest across all situations. After all, a controller must engage in a balancing test in each individual case. The only legal description of "direct marketing" can be found in Article 13(3) of the ePrivacy Directive 2002/58/EC, which requires (1) obtaining the personal data in the context of the sale of a product or service (existing relationship), (2) the use by the same controller, for (3) its own similar products or services and (4) a clear and distinctive opportunity to object when the data is collected and with any further communication. It can be assumed that these situations also form a legitimate interest within the meaning of the GDPR</ref> However, this does not mean that, where possible, certain official guidelines may not be used to draw useful indications with respect to processing operations having common characteristics.<ref>''Heberlein'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 32 (C.H. Beck, 2nd edition 2018)</ref>


====== ''Additional safeguards'' ======
====Specific provisions====
In cases where it is not clear which way the balance should be struck, the controller may consider whether it is possible to introduce additional safeguards.  For example, these may include the “''strict limitation on how much data is collected, or immediate deletion of data after use. While some of these measures may already be compulsory under the Directive, they are often scalable and leave room for controllers to ensure better protection of data subjects''” as well as “''providing an easily workable and accessible mechanism to ensure an unconditional possibility for data subjects to opt-out of the processing''”. These additional measures may in some cases help tip the balance and help ensure that the processing can be based on Article 6(1)(f), whilst simultaneously protecting the rights and interests of the data subjects.<ref>WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, pp. 40-41 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf here]).</ref>
Moreover, the provision allows Member States to implement specific provisions contained in this legal basis, and suggests, ''inter alia'', the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures. These concretisations are non-exhaustive and non-binding, but are certainly permissible specific provisions.<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 94 (C.H. Beck 2020, 3rd Edition).</ref> Lastly, the constituent element ‘Member State law’ refers to all material law of that Member State.<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 197 (C.H. Beck 2020, 3rd Edition).</ref>


====== ''Children'' ======
==== Tensions between national laws and EU law====
Article 6(1)(f) GDPR explicitly mentions situations "''in particular where the data subject is a child''". This seems to indicate that a balancing test needs to take the specific interests and expectations of a child into account.
If Member States would pass such legislation without complying with the general principles of "''proportionality''" under Article 8 and 52 of the Charter, as well as Article 6(1)(2) and (3) GDPR, [[Article 23 GDPR|Articles 23]] and [[Article 85 GDPR|85]] to [[Article 91 GDPR|91]] GDPR such national laws would be inapplicable, given the supremacy of EU law. <blockquote><u>Case Law:</u> In [[CJEU - C-465/00 - Österreichischer Rundfunk|Joined Cases C-465/00, C-138/01 and C-139/01 - ''Österreichischer Rundfunk'']] a national law foresaw to publish the income of employees of the public bodies, such as the public broadcaster for transparency reasons. The CJEU held that the disclosure of not only the amounts, but also the names of the recipients is only possible if it is truly necessary for and appropriate to the objective of proper management of public funds. While the CJEU seemed rather critical, the court left it to the Member State courts to make the ultimate determination.</blockquote>After the passing of the GDPR in 2016, many Member States were lobbied by local interest groups to use any possible exception. Member States have in turn extensively passed laws that go beyond the opening clauses in the GDPR. This creates massive legal uncertainty, as such laws are on the books, but may not be applied in practice. It often takes years until local courts and the CJEU annuls these laws.<blockquote><u>Case Law:</u> The legislator in Austria has passed a total exception from all GDPR obligations for journalism. As this blanket exception went far beyond anything that is "proportionate" the Austrian Constitutional Court annulled the law.<ref>See [[VfGH - G 287/2022-16, G 288/2022-14]]</ref> For example in Sweden a similar provision does still exist.<ref>See Chapter 1, § 7 of the Swedish GDPR Implementation Act (2018:218)</ref></blockquote>For the average controller, it is therefore important to ensure that national laws comply with EU law requirements and are not at risk of being annulled or declared inapplicable.
====Relationship between Articles 6(2) and 6(3) GDPR====
It is important to set out that it remains unclear how Articles 6(2) and 6(3) relate to one another, legally and systematically.<ref>''Jahnel'', in Jahnel, DSGVO, Article 6, margin number 85 (Jan Sramek Verlag 2021).</ref> The exact relationship between the two clauses remains disputed. Some authors ascribe a more declaratory nature to Article 6(2),<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 195 (C.H. Beck 2020, 3rd Edition).</ref> and see Article 6(3) as the clause that offers the actual competence to enact material-specific data protection regulation.<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, para 195 (C.H. Beck 2020, 3rd Edition);  ''Jahnel'', in Jahnel, DSGVO, Article 6, margin number 85, (Jan Sramek Verlag 2021).</ref> Other authors state that Article 6(2) does permit Member States to adopt material-specific regulation, and see Article 6(3) as a clause that sets out concrete requirements for this regulation.<ref>For example ''Plath'', in Plath, DSGVO BDSG, Article 6 DSGVO, margin number 3, (Otto Schmidt 2018).</ref> Finally, another group of authors that does not see these requirements as additional, but cumulative.<ref>''Roßnagel'' et al., in Zeitschrift für Datenschutz (2015) pp. 455-456.</ref> 


===== Examples =====
===(4) Further processing===
The assessment if a legitimate interest overrides the interest of a data subject are always a case-by-case assessment. Generally the examples in Recitals  However, to give some additional orientation, it can be noted that typical examples of legitimate interest are:
Article 8(2) of the Charter and [[Article 5 GDPR|Article 5(1)(b) GDPR]] require that personal data is only processed for original "''specified, explicit and legitimate purposes''" and that personal data is not "''processed in a manner that is incompatible with those purposes''". Especially the idea of re-use of personal data for "big data" projects and alike was at the heart of a lobby effort to limit purpose limitation in [[Article 5 GDPR|Article 5(1)(b) GDPR]] and allow the re-use and further use of personal data - which is in fact the antithesis of purpose limitation.


* Network security
====Consent====
* Physical security (CCTV in a bank)
Article 6(4) GDPR foresees that a data subject can waive the protections under [[Article 5 GDPR|Article 5(1)(b) GDPR]] by giving consent, as defined in [[Article 4 GDPR|Articles 4(11)]], 6(1)(a), [[Article 7 GDPR|7]] and [[Article 8 GDPR|8 GDPR]]. This option is consistent with the right to informational self-determination, where data subjects can give up their rights under the law. <blockquote>{{Quote-example|A data subject has provided her personal data at an online shop to process her order. The controller may ask the data subject to allow the re-use of this personal data to send a birthday gift via postal mail and thereby change the purpose to advertisement.}}</blockquote>It is unclear if consent for the further use of special categories of personal data must be explicit, as required under [[Article 9 GDPR|Article 9(1)(a) GDPR]]. While the wording does not require explicit consent, a systematic interpretation would suggest that the change of purpose should meet the same requirements as consent to the processing of the original purpose when it comes to special categories of personal data.
* xxx
* Use of personal data for defensive actions


====Union or Member State Law====
It is rather common that laws require the sharing of various information, such as evidence in procedures. Member States can maintain or pass such legislation and controllers may not cite purpose limitation to withhold information, as long as such laws "''constitute a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in [[Article 23 GDPR|Article 23(1) GDPR]]''". Other objectives are not available to Member State law. <blockquote>{{Quote-example|An event has a participant list. The controller said the purpose of this list is merely the management of entry to the event. When a crime happened and the criminal procedure of a Member State allows to obtain any personal data for the purposes of criminal investigations, the purpose limitation by the original controller can be overridden in the public interest to allow the investigators to use this information for their criminal investigation.}}</blockquote>When it comes to the reference to EU law, there would actually be no hierarchy between Article 6(4) GDPR and any other provision that goes beyond Article 6(4) GDPR. Consequently any later legislation would simply overturn or amend the provision and Article 6(4) GDPR would loose its meaning.<ref>Lex posterior derogat legi priori.</ref>


However the following situations are generally not to be seen as an overriding legitimate interest:
However, because such EU or Member State law interferes with purpose limitation in Article 8(2) of the Charter, any such EU or Member State law would have to comply with all requirements of Article 52 of the Charter, including the requirement to be "''proportionate''". It may be that legal requirements are not compatible with these requirements. EU law could therefore be subject to annulment, while Member State law would be inapplicable.


* Advertisement (other than "direct marketing", see below)
==== Compatible purposes====
* xxx
In addition to the option to process personal data for a (wholly) different purpose, Article 6(4) GDPR also foresees the option to have so-called "''compatible''" purposes. The idea of compatible purposes was derived from the definition of purpose limitation already known from Article 6(1)(b) of Directive 95/46/EC ("''personal data must be ... collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes''"). In simple terms, the fact that the Directive only prohibited processing that is "''incompatible''" with the original purpose, led to a line of argument that there must be "''compatible''" purposes too. Obviously this ''argumentum e contrario'' is rather simplistic and questionable as it can erode a core principle of EU data protection. Just because the legislator highlighted that "''incompatible''" use is prohibited does not automatically lead to the assumption that there are additional "''compatible''" purposes that are never mentioned in the law nor in Article 8(2) of the Charter. The idea of changing purposes also created a systematic conflicts with requirements to have an utmost "''specific''" purpose in a first step under [[Article 5 GDPR|Article 5(1)(b) GDPR]] or "''specific''" consent for a specific purpose, if the purpose can be changed anyways.<ref>''Buchner/Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 180 (C.H. Beck 2018, 2nd Edition).</ref> Nevertheless, in a battle between the European Parliament and the Council, the idea of "''compatible purposes''" was codified in Article 6(4) GDPR after all.
* Use of personal data for mere profits


Article 6(4) GDPR prescribes certain factors to be taken into account where a controller wishes to further process personal data for a "compatible" purpose, that it was not collected for initially. The factors set out in Article 6(4)(a) to (c) GDPR are not exhaustive. Notably, the new purpose does not need to be a "sub purpose" of the initial one.<ref>''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 341 (Oxford University Press 2020).</ref> Rather, compatibility can exist where the initial and further purpose are “''pursued ‘together’ in close vicinity''” or where the further purpose is “''a logical consequence of the initial purpose''”.<ref>''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 341 (Oxford University Press 2020).</ref>


Typical processing that is not clearly an overriding legitimate interest:
=====Factors for the compatibility test=====
Generally the factors in Article 6(4)(a) to (e) GDPR are only examples ("''inter alia''") and are very vague. The true meaning of elements like the "''context [of the] collection''" allows almost any factor or argument to be taken into account. Given that such an assessment is usually done by a controller that seeks to expand the use of personal data beyond the limits of [[Article 5 GDPR|Article 5(1)(b) GDPR]], a certain dynamic towards a rather permissible application of this paragraph is likely to occur in practice. To rely on further processing compatibility, controllers must be able to demonstrate that an assessment of all relevant risks was done.<ref>''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 343 (Oxford University Press 2020).</ref>


* Direct marketing ("''may be a legitimate interest''") other than so-called "soft spam" under Article 13(2) of the ePrivacy Directive 2002/58/EC
======(a) Link between purposes======
* xxx
Obviously for a new purpose to be "''compatible''", the original purpose and the new purpose must be related. To appreciate the compatibility of various purposes, the controller should take into account, among others, the existence of a link between the original and additional purpose, the general context in which the data are processed.


=== (2) In case of processing under Article 6(1)(c) and (e) specific national rules are possible ===
Already [[Article 5 GDPR|Article 5(1)(b) GDPR]] clarifies that, further processing for scientific or historical research purposes, or further processing for statistical purposes should be considered to be compatible lawful processing operations.<ref>Article 5(1)(b) GDPR.</ref>  
This provision gives Member States more competence in the public sector,<ref>''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 326 (Oxford University Press 2020).</ref> since it allows them to adopt, or keep,<ref>This is clear from the wording ‘maintain’. See ''Plath'', in Plath, DSGVO BDSG , Art. 6 DSGVO, margin number 126 , (Otto Schmidt 2018).</ref> their own (material) rules that regulate in which instances a controller can rely on the legal bases provided for in Article 6(1)(c) and Article 6(1)(e). Member States can do so by providing specific requirements for the processing (including provisions relating to specific processing situations), to, ultimately, ensure that this processing is more lawful and fair.<ref>''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 6, margin number 32 (C.H. Beck 2021, 3rd Edition).</ref> Through this wording it is apparent that these national provisions must stay within, and cannot go beyond the framework of the GDPR.<ref>''Plath'', in Plath, DSGVO BDSG, Article 6 DSGVO, margin number 125, (Otto Schmidt 2018).</ref> Since this provision allows Member States to enact denser regulation, as well as more concrete requirements for controllers. ''Frenzel'' notes this can lead to conflicts, not only between a Member State and the Commision (since the latter monitors the application of Union law), but also in case of different processing situations by the same controller or vis-à-vis the same data subject.<ref>''Frenzel'', in Paal, Pauly, DS-GVO BDSG, Article 6, margin number 32 (C.H. Beck 2021, 3rd Edition).</ref>


=== (3) In case of processing under Article 6(1)(c) and (e) specific national rules must follow the GDPR ===
======(b) Context of collection and relationship with data subject======
Articles 6(2) and (3) GDPR allows Member States to implement specific provisions contained in this legal basis, for example:
The "''context of the collection''" and the "''relationship with the data subject''" seem to be very generic factors that can only be assessed on a case-by-case basis. A bank that focuses on confidentially in an upscale market and explicitly states "''we will ever only use your personal information for purposes A, B and C''" may raise certain expectations that would not suggest that personal data is further used questionable purposes.


* the general conditions governing the lawfulness of processing by the controller;
Recital 50 GDPR adds that "''the reasonable expectations of data subjects based on their relationship with the controller''" should be considered. The context of the collection may give reasons why a data subject would or would not expect the further use for other purposes. The mere fact that many controllers take a certain action may not be obvious to the data subject and the widespread violation of the law does not make an act more legal. Consequently, the mere fact that many controllers use personal data in a "customer relationship system" cannot be seen as a reason why such use is ''per se'' "''compatible''" with the original purpose.<ref>Not convincing: ''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 342 (Oxford University Press 2020).</ref>
* the types of data which are subject to the processing;
* the data subjects concerned;
* the entities to, and the purposes for which, the personal data may be disclosed;
* the purpose limitation;
* storage periods;
* and processing operations and processing procedures.  


This is a non-exhaustive and non-binding, but are certainly permissible specific provisions.<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 94 (C.H. Beck 2020, 3rd Edition).</ref> However, this opening clause allows Member States to further define elements that would otherwise only be governed by Article 5(1) GDPR or solely determined by the controller.  
The relationship with the data subject may also point in either direction. Mutual trust may be a factor to suggest that certain steps will or will not be taken. The provision does not suggest that close relationship with the data subject may be a factor to use personal data further. For example, if a close relationship exists, it may be more practical and therefore more reasonable to ask for consent for the further use of personal data, while this may simply not be possible for data subjects that are hard to reach. At the same time a distant data subject may have less of an expectation that his or her personal data may be used for other purposes.


If Member States would pass such legislation without complying with the general principles of "proportionality" under Article 8 and 52 of the Charter of Fundamental Rights, Article 6(1)(2) and (3) GDPR, [[Article 23 GDPR|Articles 23]] and [[Article 85 GDPR|85]] to [[Article 91 GDPR|91]] GDPR such national laws would be inapplicable, given the supremacy of EU law. <blockquote><u>Case Law:</u> In Joined Cases C-465/00, C-138/01 and C-139/01 - ''Österreichischer Rundfunk'' a national law foresaw to publish the income of employees of the public bodies, such as the public broadcaster for transparency reasons. The CJEU held that the disclosure of not only the amounts, but also the names of the recipients is only possible if it is truly necessary for and appropriate to the objective of proper management of public funds. While the CJEU seemed rather critical, the court left it to the Member State courts to make the ultimate determination.</blockquote>In practice, many Member States have extensively passed laws that go beyond the opening clauses in the GDPR. This creates massive legal uncertainty, as such laws are on the books, but may not be applied in practice.<blockquote><u>Case Law:</u> The legislator in Austria has passed a total exception from all GDPR obligations for journalism. As this blanket exception went far beyond anything that is "proportionate" the Austrian Constitutional Court annulled the law.<ref>See [[VfGH - G 287/2022-16, G 288/2022-14]]</ref> In Sweden a similar provision does still exist.<ref>See Chapter 1, § 7 of the Swedish GDPR Implementation Act (2018:218)</ref></blockquote>
======(c) Nature of personal data======
While the provision highlights special categories of personal data under [[Article 9 GDPR]] and personal data related to criminal convictions and offences under [[Article 10 GDPR]], it is not limited to such personal data ("''in particular''"). Other categories of usually more sensitive information may include financial details, log-in data and alike and should also be considered in any balancing test.


======(d) Possible consequences======
Obviously the possible consequences for any further use for the rights of the data subject must be considered when using personal data beyond the limits of [[Article 5 GDPR|Article 5(1)(b) GDPR]]. This is not limited to financial losses or other material damages, but also includes non-material damages (see [[Article 82 GDPR|Article 82(1) GDPR]]) and other non-material, emotional consequences or inconveniences, such as foreseeable problems to enforce the data subjects' rights under the GDPR.


======(e) Safeguards======
The controller may introduced (additional) appropriate safeguards to ensure that the processing of personal data for a compatible purpose is mitigated. The law names, as examples, encryption and pseudonymisation. While proper encryption is a baseline requirement under [[Article 32 GDPR]] and will in most cases not lead to any additional safeguard, pseudonymisation can limit the potential impact in cases of abuse. Some other safeguards are already foreseen by law, such as the need to inform about the change of purposes in [[Article 13 GDPR|Article 13(3)]] or [[Article 14 GDPR|14(4) GDPR]]. Additional safeguard may include the use of anonymised data, an option to opt-out from processing for the compatible purpose, beyond the rights under [[Article 7 GDPR|Article 7(4) GDPR]] to withdraw consent and the right to object in [[Article 21 GDPR]]. Safeguards should be "''appropriate''", meaning neither going beyond what can reasonably be implemented and achieved, nor mere window dressing.


According to Article 6(3), the legal basis for processing under Article 6(1)(c) (legal obligation) and Article 6(1)(e) (public interest) ''shall'' be laid down by (a) Union, or (b) Member State law. Contrary to Article 6(1)(c), however, the public interest processing does not have to be ''expressly'' laid down in a legal basis. It suffices if the processing is necessary to fulfil a task which serves the public interest, or in the exercise of official authority, and the task is described in a specific and clear manner.<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 121 (C.H. Beck 2020, 3rd Edition).</ref>
=====Tension between "compatible" purposes and Article 8(2) of the Charter=====
During the GDPR negotiations little attention was paid to the fact that the principle of purpose limitation has become an element of the fundamental right to data protection in Article 8(2) of the Charter. Especially the notion of "''compatible purposes''" seems to stretch the possibilities of the legislator. Given that Article 8(2) of the Charter does not foresee "''compatible''" purposes any such "''compatible''" purpose must be seen as a limitation of Article 8(2) of the Chater, which must comply with Article 52 of the Charter. The very vague nature of the open-ended compatibility test in Article 6(4) GDPR itself may already be conflicting with the requirement that any limitation of Charter rights must be foreseen by precise enough law. The CJEU has so far not been asked to assess the compatibility of Article 6(4) GDPR with Articles 8(2) and 52 of the Charter. As a minimum, Article 6(4) GDPR must be interpreted "''in the light of the Charter''", which may limit the application in many cases.


Moreover, the provision allows Member States to implement specific provisions contained in this legal basis, and suggests, ''inter alia'', the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures. These concretisations are non-exhaustive and non-binding, but are certainly permissible specific provisions.<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 94 (C.H. Beck 2020, 3rd Edition).</ref> Lastly, the constituent element ‘Member State law’ refers to all material law of that Member State.<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 197 (C.H. Beck 2020, 3rd Edition).</ref>
====Tension with Article 5 and 12 GDPR in case of routine reliance on Article 6(4) GDPR====
While Article 6(4) GDPR may be used for unforeseen needs to change the purpose, a structural re-use of personal data for initially undisclosed purposes may conflict with the duties under [[Article 5 GDPR|Article 5(1)(a) GDPR]] "''fairness''" and "''transparency''", the general requirement to define the purposes in [[Article 5 GDPR|Article 5(1)(b) GDPR]] during collection and the requirement to provide (initial) information in a "''transparent, intelligible and easily accessible form, using clear and plain language''" under [[Article 12 GDPR|Article 12(1) GDPR]].


==== Relationship between Articles 6(2) and 6(3) GDPR ====
====Duty to inform about a change in purposes====
It is important to set out that it remains unclear how Articles 6(2) and 6(3) relate to one another, legally and systematically.<ref>''Jahnel'', in Jahnel, DSGVO, Article 6, margin number 85 (Jan Sramek Verlag 2021).</ref> The exact relationship between the two clauses remains disputed. Some authors ascribe a more ‘declaratory nature’ to Article 6(2),<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 195 (C.H. Beck 2020, 3rd Edition).</ref> and see Article 6(3) as the clause that offers the ''actual'' competence to enact material-specific data protection regulation.<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, para 195 (C.H. Beck 2020, 3rd Edition);  ''Jahnel'', in Jahnel, DSGVO, Article 6, margin number 85, (Jan Sramek Verlag 2021).</ref> Other authors state that Article 6(2) ''does'' permit Member States to adopt material-specific regulation, and see Article 6(3) as a clause that sets out concrete requirements for this regulation.<ref>For example ''Plath'', in Plath, DSGVO BDSG, Article 6 DSGVO, margin number 3, (Otto Schmidt 2018).</ref> And then there is even another group of authors that does not see these requirements as ‘additional’, but cumulative.<ref>''Roßnagel'' et al., in Zeitschrift für Datenschutz (2015) pp. 455-456.</ref> Hence, the only thing that ''is'' clear, is that the exact relationship between the two clauses remains disputed.  
Under [[Article 13 GDPR|Article 13(3)]] or [[Article 14 GDPR|14(4) GDPR]] the controller must inform the data subject prior to making any changes to the purpose. This includes any change based on Union or Member State law and the use of personal data for any "''compatible''" purpose.


=== (4) Further processing ===
====Need to comply with all other provisions of the GDPR====
Article 6(4) GDPR prescribes certain factors to be taken into account where a controller wishes to further process personal data for a purpose other than that for which it was collected, where no other legal basis applies. This is only possible where the original and further purposes are "compatible". The factors set out in Article 6(4)(a)-(c) GDPR are not exhaustive.
The finding that a purpose is "''compatible''" or that there is a legal basis to process personal data for another purpose in Union or Member State law, does not mean that other provisions of the GDPR must not be complied with for such further processing.  


Kotschy notes two key issues emerging from the factors in Article 6(4)(a)-(c) GDPR.<ref>''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 341 (Oxford University Press 2020).</ref> The first regards the relationship between the initial and further purpose. Notably, the new purpose does not need to be a "sub purpose" of the initial one. Rather, compatibility can exist where the initial and further purpose are “''pursued ‘together’ in close vicinity''” or where the further purpose is “''a logical consequence of the initial purpose''”.<ref>''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 341 (Oxford University Press 2020).</ref> Recital 50 GDPR adds that "''the reasonable expectations of data subjects based on their relationship with the controller''" should be considered. As Kotschy argues, "compatibility" therefore largely rests on “''what is usual and what is to be expected in certain circumstances''”. For example, where a customer receives further marketing information from an organisation they recently purchased from, this would classify as compatible further use, as customer relationship management “''is a usual activity resulting from the customer relationship.''"<ref>''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 342 (Oxford University Press 2020).</ref>
Some authors rely on the (non-binding) Recital 50 GDPR to argue that processing for another purpose does not require a legal basis under Article 6(1) GDPR.<ref>See for example ''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 326 (Oxford University Press 2020) or </ref> However, the authors of the GDPR have highlighted that this was an error in the drafting.<ref>''Buchner/Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 12, margin number 182 (C.H. Beck 2018, 2nd Edition), with further references.</ref> This view is also supported by a systematic reading of the law. The requirement to have a legal basis for any processing operation is enshrined in Article 8(2) of the Charter, Article 5(1)(a) GDPR and Article 6(1) GDPR. At the same time Article 6(4) GDPR clearly only further defines Article 5(1)(b) GDPR. Against the clear wording of the law and the obvious systematic relationship between Article 5(1)(b) and 6(4) GDPR, a non-binding Recital cannot override the law.


The second issue regards the assessment of risk that may stem from processing, prescribed in Article 6(4)(c)-(e) GDPR. Importantly, further processing “''must not result in a substantially higher risk than the initial lawful processing''.” The presence of sensitive personal data is specifically mentioned as a risk factor. Risks may be mitigated by various safeguards, such as encryption or pseudonymisation. To rely on further processing compatibility, controllers must be able to demonstrate that an assessment of all relevant risks was done.<ref>''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 343 (Oxford University Press 2020).</ref> The potential to lawfully process information for a purpose that does not directly correlate with the original, but where there is a very high level of safeguards in place, is not yet clear from the law or relevant jurisprudence. It will have to be decided by future jurisprudence whether Article 6(4) “''might justify an assumption of ‘compatibility’ also in cases where the new purpose does not specifically ‘correlate’ to the initial purpose, but where a very high standard of risk containment is implemented''”.<ref>''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 343 (Oxford University Press 2020).</ref>
Consequently, further processing must still have a legal basis under Article 6(1) GDPR, be "fair" under Article 5(1)(a) GDPR and alike.


In such a case, no legal basis separate from that which allowed the collection of the personal data is required. To appreciate the compatibility of various purposes, the controller should take into account, among others, the existence of a link between the original and additional purpose, the general context in which the data are processed, and also the reasonable expectations of the data subjects.<ref>Recital 50 GDPR.</ref> As a general rule, further processing for scientific or historical research purposes, or further processing for statistical purposes should be considered to be compatible lawful processing operations.<ref>Article 5(1)(b) GDPR.</ref>
==Decisions==
==Decisions==
→ You can find all related decisions in [[:Category:Article 6 GDPR]]
→ You can find all related decisions in [[:Category:Article 6 GDPR]]

Latest revision as of 15:17, 13 November 2024

Article 6: Lawfulness of processing
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text

Article 6 - Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.


2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.


3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a) Union law; or
(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.


4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Relevant Recitals

Recital 39: Principles of Data Processing
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 40: Lawfulness of Data Processing
In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Recital 41: Legal Basis or a Legislative Measure
Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.

Recital 42: Proof and Requirements for Consent
Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Recital 43: Freely Given Consent
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Recital 44: Processing in the Context of a Contract
Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

Recital 45: Legal Basis in Union or Member State Law
Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

Recital 46: Vital Interest of a Natural Person
The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

Recital 47: Overriding Legitimate Interests
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Recital 48: Data Transfers Within a Group of Undertakings
Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

Recital 49: Network and Information Security as a Legitimate Interest
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Recital 50: Compatible Purpose for Further Processing
The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations. Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

Recital 171: Repeal of Directive 95/46/EC and Transition Phase
Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.

Commentary

Paragraph 1 of Article 6 GDPR is based on Article 7 of the previous Data Protection Directive 95/46/EC. As a general rule, personal data may not be processed without complying with on of six exceptions ("legal basis").

Paragraphs 2 and 3 deal with the options for Member States to implement laws that make processing under 6(1)(c) and (e) necessary.

Paragraph 4 is actually linked to the "purpose limitation" principle in Article 5(1)(b) GDPR and further expands on what a "compatible purpose" is.

EDPB Guidelines: On this Article, please see EDPB 'Guidelines 05/2020 on consent under Regulation 2016/679', 4 May 2020 (Version 1.1) (available here); EDPB, 'Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms', 17 April 2024 (available here); EDPB, 'Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects', 8 October 2019 (Version 2.0) (available here); EDPB, 'Guidelines 8/2020 on the targeting of social media users', 13 April 2021 (Version 2.0) (available here); EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1.0) (available here).

(1) Legal basis for processing

Overview

Prohibition - with six exceptions

Article 6(1) GDPR generally prohibits the processing of personal data unless at least one of the six legal bases listed under points (a) to (f) is fulfilled. This provision states that “[p]rocessing shall be lawful only if” one of these conditions applies, effectively setting a default position against unauthorized data processing.

This general prohibition flows from the fact that under Article 8(2) CFR, the right to data protection is recognized as a fundamental right ("data must be processed ... on the basis of the consent of the person concerned or some other legitimate basis laid down by law"). Therefore, the requirement to have a legal basis for processing personal data must be interpreted in light of the Charter and the principle of proportionality outlined in Article 52(1) CFR.

The system established by Article 6(1) GDPR—as a general prohibition unless there is a justification—has been criticized in some Member States for being overly restrictive. However, this approach is not unusual when dealing with fundamental rights. Just like other fundamental rights—such as the right to property, freedom of expression, or the right to physical integrity—the default position is that others may not interfere with a data subject’s right to data protection unless there is a justified legal basis.

It is therefore important that the requirement to have a legal basis is interpreted in the light of the Charter and the principle of proportionality in Article 52(1) CFR. The system of Article 6(1) as a general prohibition, unless there is a justification is criticized in some Member States,[1] but not unusual for a fundamental right. Just like other fundamental rights (e.g. the right to property, freedom of expression or the right to physical integrity), the default position is, that others may not interfere with a data subject's right to data protection, unless there is a justification.

CJEU-icon.png

"[...] the first subparagraph of Article 6(1) of the GDPR sets out an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as lawful. Thus, in order to be capable of being regarded as such, processing must fall within one of the cases provided for in that provision [...]".

CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond, margin number 29.

See also: CJEU - C-252/21 - Meta Platforms and Others (General terms of use of a social network), margin number 90; CJEU - C-439/19 - Latvijas Republikas Saeima (Penalty points), margin number 99; CJEU - C‑708/18 - Asociaţia de Proprietari bloc M5A-ScaraA, margin number 37 and 38; [CJEU - C-582/14 - Breyer]] margin number 57; [CJEU - C-468/10 and C-469/10 - ASNEF and FECEMD (Joined Cases), margin numbers 36.


No hierarchy

Given that this is the type of legal basis that the average data subject is confronted with the most consent is usually seen as more prominent than the other five legal basis. In fact, there is no hierarchy between the various legal basis. It is a matter controllers to choose the legal basis they wish to rely on. Each legal basis has specific features, upsides and downsides from the perspective of controllers and data subjects.

Multiple legal bases

While at least one legal basis has to be fulfilled, it is possible that there are multiple legal basis that a controller can rely at the same time ("at least one"). However, as long as one of the legal bases in Article 6(1) GDPR applies, it is not necessary to determine whether that processing also falls within the scope of another legal basis.[2]

Using multiple legal basis may however raise transparency issues under Article 5(1)(a), if a data subject for example thinks that personal data is processed solely based on consent (which can be withdrawn at any time), while in fact the controller also relies on another legal basis like a legal obligation (which does not allow for a withdrawal by the data subject). The data subjects would the be tricked into thinking that they have more agency than they really have.[3]

Necessity

The concept of "necessity" is used five of the six legal basis (Article 6(1)(b) to (f) GDPR). Only consent does not contain the requirement, as consent must be "specific" anyways. The concept of "necessity" must be interpreted as in the light of applicable European law and is also known under Article 52(1) of the Charter of Fundamental Rights. Therefore, its interpretation must fully reflect the objectives of data protection law.[4]

EDPB-icon.png

"Assessing what is ‘necessary’ involves ascertaining whether in practice the legitimate data processing interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects. If there are reasonable, just as effective, but less intrusive alternatives, the processing may not be considered to be ‘necessary’. In this context, the CJEU expressly recalled that the condition relating to the need for processing must be examined in conjunction with the ‘data minimisation’ principle enshrined in Article 5(1)(c) GDPR, in accordance with which personal data must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. The Court also emphasised that a processing should be carried out ‘only in so far as is strictly necessary’ for the purposes of the legitimate interest identified. This requirement of strict necessity is also emphasised, for instance, in Recital 47 GDPR, which states that ‘[t]he processing of personal data strictly necessary for the purposes of preventing fraud […] constitutes a legitimate interest of the data controller concerned.’"

EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 29 Footnotes (including references to the CJEU case law) were omitted in this quote.


The CJEU generally follows a concept of strict necessity and a narrow interpretation. In C‑524/06 - Huber on a German central register to manage matters in relation to foreign nationals the CJEU held that the “concept [of necessity] ...has its own independent meaning in Community law and ... must be interpreted in a manner which fully reflects the objective of [Directive 95/46/EC]”.[5] The CJEU held that such a register must not contain any information other than what is necessary for the purpose of implementing specific laws on foreign nationals.

From a systematic point of view any legal basis under Article 6(1) GDPR constitutes an exemption to the general prohibition of data processing. As such, the exemption itself and all the wording it carries, including the "necessity" requirement, must be interpreted narrowly.

Regarding the use of personal data after a traffic accident the CJEU held:

CJEU-icon.png

"As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary [...]"

CJEU - C-13/16 - Rīgas satiksme, margin number 30..


Regarding an European law requiring the publication of recipients of agricultural subsidies the CJEU held that:

CJEU-icon.png

"[...] limitations in relation to the protection of personal data must apply only in so far as is strictly necessary [...]"

CJEU - Joined Cases C-92/09 and C-93/09 - Volker and Markus, margin number 86..


Regarding the handling of personal data in documents published in commercial registers, the CJEU elaborated:

CJEU-icon.png

"That requirement of necessity is not met where the objective of general interest pursued can reasonably be achieved just as effectively by other means less restrictive of the fundamental rights of data subjects, in particular the rights to respect for private life and to the protection of personal data guaranteed in Articles 7 and 8 of the Charter, since derogations and limitations in relation to the principle of protection of such data must apply only in so far as is strictly necessary [...]"

CJEU - C-200/23 - Agentsia po vpisvaniyata, margin number 111..

Regarding a sports federation's disclosure of its members personal data to third parties, namely, in this case, a company that sells sports products and a provider of casino games, for advertising or marketing purposes, in particular so that that company and provider may send advertising messages and special offers to those members, the CJEU held:

CJEU-icon.png

"[...] as regards the condition that such processing be necessary for the purposes of that interest and, in particular, the existence of means that are less restrictive of the fundamental rights and freedoms of data subjects and equally appropriate, it must be stated that it would, in particular, be possible for a sports federation [...], wishing to disclose its members’ personal data to third parties for consideration, to inform its members beforehand and to ask them whether they want their data to be transmitted to those third parties for advertising or marketing purposes.

[...]

That solution would make it possible for the members concerned, in accordance with the data minimisation principle referred to in paragraph 43 of the present judgment, to retain control over the disclosure of their personal data and thus to limit the disclosure of those data to what is in fact necessary and relevant in relation to the purposes for which those data are transmitted and processed [...]".

CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond, margin number 51 et seq..


Despite the narrow interpretation of strict necessity, a controller is not prohibited from using personal data, just because there is a theoretical alternative that does not include the use of personal data, only realistic alternative must be considered. Processing that is "useful" but not objectively "necessary" is not covered and hence not allowed.[6]

For example EDPB Guidelines 2/2019 on Article 6(1)(b) have clarified that assessing what is "necessary" involves a factual analysis of the processing operations and their purpose(s) and whether less intrusive alternatives that achieve the same goal exist. If there are realistic, less intrusive processing operations, then the other more intrusive ones must be excluded – i.e. they are not "necessary" under EU law.[7]

EDPB-icon.png

"Article 6(1)(b) will not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes."

Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects', 8 October 2019 (Version 2.0), margin number 25.


(a) Consent

The option to give consent is explicitly named as a fundamental right in Article 8(2) CFR. It is therefore important that it is interpreted in the light of the Charter and the principle of proportionality in Article 52(1) CFR.

Like other rights, the right to data protection can be waived by the data subject, by providing consent to the processing of their personal data. Given that data subjects are usually the weaker party in any transaction,[8] the GDPR foresees a number of conditions that controllers have to comply with to obtain valid consent. This approach is very similar to other protections when fundamental rights are waived (e.g. gifting real estate may need the involvement of a notary, surgeries require detailed information and consent under Article 3(2) of the Charter). Compared to the waiver of other fundamental rights, consenting to data procession is has however become rather ubiquitous.

Consent is the most prominent legal basis, as it is the only one that data subjects are regularly confronted with. However, it is not the prime or even the most desirable legal basis. Typically consent is the "last option", as Article 6(1)(b) to (e) GDPR provide for a legal basis for most daily processing operations, without the need to seek consent.

Example-icon.png

For example: Josephine is the new data protection officer for an online shop. She realizes that the check-out page requires consent under Article 6(1)(a) to the processing of personal data for processing the payment and for delivering the products. As this is already covered by "necessary for the performance of a contract" under Article 6(1)(b), she removes this consent clause. This is not just more transparent for data subjects, as they are not tricked to believe that they can withdraw the consent, but it also makes the online form quicker to click through.

Consent is regularly criticized in the legal literature and by the public. Criticism seems to be largely fed by bad consent practices, but not necessarily by shortcomings of the letter of the law. If the conditions for consent are properly applied, it allows data subjects to exercise their right to informational self-determination. While it is correct that data subjects can be overwhelmed with these decisions, a liberal legal order requires that data subjects have agency over their rights, which includes waiving them. Given that Article 8(2) of the Charta explicitly foresees consent as one of the legal bases for data processing, consent is here to stay.

The EDPB provides highly relevant information in connection with the consent: Guidelines 5/2020 on consent under the GDPR. But also other, less specific guidelines and opinions by the EDPB touch the topic of consent and are therefore also quite relevant: see, inter alia, Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them and Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms.

Joint reading of provisions

To ensure that consent is not only a legal fiction ("click fatigue"), the GDPR introduces a number of conditions that are meant to ensure that data subjects have a genuine choice when it comes to the processing of their data. Unfortunately the relevant elements are spread over different Articles of the GDPR:

  • According to the available definition provided in Article 4(11) GDPR, consent must be freely given, specific, informed, and unambiguous.
  • Furthermore, under Article 7 GDPR, a controller must be able to demonstrate that consent was given, consent must be distinguishable from other matters in any written declaration, can be withdrawn at any time and the provision of a contract may not be made conditional on consent.
  • Finally, Article 8 GDPR stipulates that specific requirements must be respected when consent is given by children.

Consequently, the conditions for valid consent are split between Articles 4(11), 6(1)(a), 7 and 8 GDPR and require a joint reading of the different articles. See the commentary on Articles 7 and 8 GDPR for further details.

There is a slightly different concept of "explicit consent" in Articles 9(1)(a), 22(2)(c) and 49(1)(a) GDPR. See the commentary on Article 9(1)(a) GDPR for explicit consent.

Capacity

Generally, consent must be given directly by the data subject or a nominated representative.[9] National law determines if a data subject lacks the legal capacity to make legally binding declarations, including declarations under the GDPR.

In the case of minors acting in the context of an "information society service", Article 8(1) GDPR provides a minimum age of 16 year. Member States may reduce that age limit - but not below 13 year. There is currently no rule in the GDPR about the age for consent outside of "information society services". This means there is also no rules in the GDPR for the age of consent in any offline context.

Freely given

Consent has to be freely given, which means that the data subjects must have the option to freely and genuinely choose to say "yes" to the processing of their personal data. Just like other legally relevant declaration, consent is void if the data subject was for example physically forced to consent. However, the notion of "freely given" is much broader under Article 6(1)(4) GDPR, as illustrated by the rules in Articles 4(11), 7 or 8 GDPR, as well as Recital 43. If consent is "freely given" under the GDPR requires a holistic and also economic analysis of the options for a data subject. The wholistic approach should lead to better results than previous approaches, but also uses vaguer concepts.

Power imbalance

Whether the option to refuse is genuinely given depends on the processing operation and service as well as the respective roles of the controller and the data subject in a given transaction. Not every abstract power imbalance makes consent invalid, however typical examples can be derived:

  • Relationships with public authorities[10]
  • Employer-employee-relationships[11]
  • Use of major digital services with limited alternatives[12], for example because of a "network effect".[13]

In other words, employers, governments or companies (especially those with a dominant market position) will typically be able to force data subjects to consent against their true wishes. In this perspective, Recital 43 GDPR highlights that if there is a "clear imbalance between the data subject and the controller" consent should not be considered a valid legal basis for the processing.[14]

Example-icon.png

For example: A sales representative has to "consent" that his mobile phone is tracked to ensure that he does not cheat on his time sheet and does not use the company car for private trips. Obviously the employee will be able to challenge the consent, if he only agreed to keep his job.

Conditional consent

Recital 43 and Article 7(4) GDPR further deal with the situation of "bundled consent", i.e. when the performance of a contract is made conditional on consent. While such bundled consent is not automatically void, the law requires that "utmost account shall be taken" if the provision of a contract is made conditional on consent.

Example-icon.png

For example: An app that costs € 1,99 per month requires that any new users agree to the terms and conditions when singing up. On the next screen the users must also consent to the sharing of their personal data with third parties for advertisement reasons. The use of personal data is not necessary for using the app. Necessary processing to use the core functions of the app can however be based on Article 6(1)(b) GDPR.

For further indications on the issue of bundled consent and the criteria to assess the freely given requirement, see Article 7(4) GDPR.

Informed

Consent must be informed. This is especially challenging in highly complex technological environments. As controller may have the technical, practical and legal knowledge to understand the relevant processing information and take months or years to develop this understanding, while an average data subject may not have any relevant education or knowledge but most make a choice within seconds or at best minutes. Under the GDPR, the controller must overcome this information asymmetry to get valid consent.

Content of information

Beyond the specific purpose, Articles 4(11) and 6(1)(a) GDPR do not specify which exact information must be provided to the data subject when asking for consent. Article 7(3) GDPR requires to inform the data subject about their right to withdraw consent prior to giving consent. Recital 42 adds the identity of the controller, but also clarifies that this is a minimum standard: "For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended."

Further information may depend on the specific purpose and processing operations that consent is sought for. Articles 13 and 14 GDPR can be seen as instructive, insofar as relevant for the processing operation. When personal data is shared, it may be necessary to inform about the individual recipients.[15] Overall data subjects must be able to understand the circumstances of the processing of their personal data to estimate the consequences and implications of giving their consent.[16]

Form of information

Consent should be sought using clear and plain language and be provided in an intelligible and easily accessible form.[17] Especially euphemisms and wording that is more inspired by marketing than the facts is not clear. Equally, overly legal and technical descriptions are not clear and plain either.

Under Article 7(2) GDPR information to the data subject in the moment of consent under Article 6(1)(a) must be distinguished from any other matter. Just adding a link to the very broad information that needs to be provided under Articles 13 and 14 GDPR is therefore not leading to valid consent. Simply linking to a lengthy privacy policy is also not making information "easily accessible", as data subjects will hardly find the relevant information needed to make a decision on the specific processing that is based on consent.

Common mistakes-icon.png

Common mistake: A mere confirmation that users "agree to the privacy policy" is in most cases not easily accessible, if the privacy policy usually concerns a lot of additional information and is not limited to only processing under Article 6(1)(a) GDPR. If the privacy policy also concerns multiple processing operations such cases consent is also not "specific" (see below).

Overall the controller has the (sometimes difficult) task to explain the use of personal data in a short, clear and plain way, without using overly technical or legal jargon, so that an average data subjects have a clear understanding of what they should consent to.

Specific

In accordance with the principle of transparency from Article 5(1)(b) GDPR consent must be provided for specific and legitimate purposes. When the processing has multiple purposes, consent should be given for all of them separately.[18] A blanket consent to all kinds of purposes is therefore not valid. For example, "I agree to the processing of my data for advertisement, product improvement and the sharing with business partners" is not specific and therefore invalid.

Example-icon.png

For example: An online shop has a checkout page, where users must "consent to the use of your data for marketing, the transfer to non-EU providers and the sharing of data with partners". Any consent to these three purposes, would usually fail the "specific" element required for consent. Equally, just naming "partners" is likely not specific enough if there are specific known recipients.

The principle of specificity of consent in Article 4(11) GDPR is confirmed by Article 6(1)(a) which requires consent to be given for “for one or more specific purposes”. This seems in line with the case law of the Court of Justice of the EU, according to which consent must refer to specific processing activities, clearly identified, [19] also in order to allow the user to effectively understand the operations being carried out.[20]

Unambiguous

Consent must be given unambiguously in the form of clear and affirmative action, however no specific form is required. Consent must be an unambiguous act, including any oral, written or other form of signifying the agreement to have personal data processed.[21] In a digital environment consent is typically given by checking a box ("opt-in"), choosing technical settings that indicate the data subject’s acceptance of the proposed processing or clicking a button.[22]

Example-icon.png

For example: At a wedding, the photographer asks a group to stand underneath the tree if they want to be on the picture, which will go to the couple"s wedding website. Marcel and Alex make their way underneath the tree and waive at the camera. They have given unambiguous consent.

Conversely, silence, pre-ticked boxes or inactivity should not constitute consent.[23] This has been stressed through recent case law by the CJEU where a pre-checked checkbox which the user had to deselect in order to refuse their consent cannot show any active behaviour.[24] Similarly, actions which are not clearly affirmative include the simple use of a webpage. A user may simply ignore that a webpage uses data in a certain way. This ambiguity extends to assigning certain actions a legal meaning through a disclaimer (e.g. "by using our webpage you agree to X"). Accordingly, it is in practice impossible to ascertain whether a user had actually given their consent by not deselecting the pre-ticked checkbox or had just not noticed the information provided.[25]

CJEU-icon.png

"[T]he data subject’s consent may make such processing lawful provided that the data subject has given his or her consent ‘unambiguously’. Only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement.


[…]


In that regard, it would appear impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox nor, in any event, whether that consent had been informed. It is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited."

CJEU - C-673/17 - Planet49, margin number 54 et seq.


Withdrawal

Consent can be withdrawn at any time. Withdrawing of consent shall be as easy as it was giving it. The controller has to inform the data subject on the possibility to withdraw consent prior to the processing. For further information, see the commentary on Article 7(3) GDPR.

Example-icon.png

For example: An fitness app allows customers to opt-in to share their sports data online with a simple button. To stop the online sharing, the app requires sending an email to the app provider, including the app ID and a verification that the sender is actually the data subject.

Duty to demonstrate consent

Article 7(1) GDPR further requires that a controller can demonstrate that the data subject has given consent. This goes beyond the mere burden of proof under Article 6(1)(a) GDPR and Article 5(2) GDPR and requires appropriate documentation or other options to demonstrate consent, like documentation that technical measures were in place, requiring clicking a check-box before proceeding.

EDPB-icon.png

"For instance, the controller may keep a record of consent statements received, so he can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time shall be demonstrable. The controller shall also be able to show that the data subject was informed and the controller´s workflow met all relevant criteria for a valid consent. The rationale behind this obligation in the GDPR is that controllers must be accountable with regard to obtaining valid consent from data subjects and the consent mechanisms they have put in place. For example, in an online context, a controller could retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time. It would not be sufficient to merely refer to a correct configuration of the respective website."

EDPB, 'Guidelines 05/2020 on consent under Regulation 2016/679', 4 May 2020 (Version 1.1), margin number 108.


(b) Contract

Most daily business requires rather simple and foreseeable processing of personal data. To ensure that these standard processing operations are not limited and do not need the data subject"s consent, Article 6(1)(b) GDPR legalizes these processing operations by law.

Example-icon.png

For example: A data subject buys a product in an online shop. To perform this contract the controller may need to process the data subject"s credit card details. The details may be transferred to financial institutions for payment purposes. The buyer’s name and physical address can be shared with the shipment service for product delivery.

While contract and consent must be clearly separated, Article 6(1)(b) GDPR is usually also based on a (civil law) agreement of the data subject and therefore related to the notion of informational self-determination.[26]

The EDPB has issued Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR with a detailed analysis of Article 6(1)(b) GDPR.

Necessary

General information on necessity can be found above under the overview on Article 6(1) under "necessity". The concept of necessity means that processing must be limited to what is strictly necessary. This does not mean that only indispensable processing is allowed. Unreasonable alternatives are not taken into account, but merely "useful" additional processing is not "necessary"

Example-icon.png

For example: A gym that is requesting core information from customers (e.g. name, address) can use the "necessary" for the performance of a contract clause. However, the use of entry and exit data to measure the use of the gym is only "necessary" under the contract if the gym is paid per entry, not per month. There may be other legal basis to process such data, but it is not "necessary" under the contract.

Usually most contracts are imposed by the controller, not the data subject. If a controller could arbitrarily add elements to the scope of its contracts as to make any processing activity "necessary", then the reference to "necessity" itself would become useless (and contracts would become, indeed, a tool to bypass e.g the requirement to ask for valid consent under Article 6(1)(a) for any where there is no other legal basis.

In it"s Binding Decision 3/2021 on Meta (Facebook) the EDPB held that adding elements in terms and conditions that are aimed at making behavioural advertisement do not make the "necessary" under Article 6(1)(b) GDPR, as the core contract has to be determined not by artificially added elements, but by the expectations of data subject. In the case of Facebook, data subjects mainly see this as a communication tool.

EDPB-icon.png

"[R]egard should be given to the particular aim, purpose, or objective of the service and, for applicability of Article 6(1)(b) GDPR, it is required that the processing is objectively necessary for a purpose and integral to the delivery of that contractual service to the data subject.


[…]


Moreover, the EDPB notes that the controller should be able to justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not only on the controller’s perspective, but also on a reasonable data subject’s perspective when entering into the contract.


[…]


The fact that the [controller’s] Terms of Service do not provide for any contractual obligation binding [the controller] to offer personalised advertising to the [controller’s] users and any contractual penalty if [the controller] fails to do so shows that, at least from the perspective of the [controller’s] user, this processing is not necessary to perform the contract. Providing personalised advertising to its users may be an obligation between [the controller] and the specific advertisers that pay for [the controller’s] targeted display of their advertisements in the [controller’s] service to [the controller’s] users, but it is not presented as an obligation towards the [controller’s] users."

[https://gdprhub.eu/index.php?title=EDPB_-_Binding_Decision_3/2022_-_%27Meta_(Facebook)%27 EDPB, 'Adopted Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Facebook service (Art. 65 GDPR)', 5 December 2022, margin number 112, 113 and 118.]

In practice, the assessment should be driven by questions such as: what is the nature of the service being provided to the data subject? What are its distinguishing characteristics in the view of an average data subject? What is the exact rationale of the contract (i.e. its substance and fundamental object) and essential elements? What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?[27]

Common mistakes-icon.png

Common mistake: Just because processing is related to a contract, or merely useful for the performance of a contract, does not mean that it is strictly necessary for the performance of a contract.

Existence of a valid contract

A contract under Article 6(1)(b) GDPR must be valid.[28] Void contracts cannot serve as a legal basis under Article 6(1)(b) GDPR.[29]

It is a matter of applicable contract law if a specific contract or clause is valid. While some contractual elements are regulated on a European level (for example the minimum requirements under the Unfair Terms Directive 93/13/EEC for terms and conditions), civil law is generally a matter of each Member State. Especially in the consumer context, a contract may be subject to the laws of the Member State where each consumer resides (see e.g. Articles 17 to 19 of the Brussles-Ia Regulation (EU) No 1215/2012).

Example-icon.png

For example: A Spanish controller and a French consumer concluded a contract that would be valid in Spain, but is void under the applicable French law. The lack of any valid contract means there is also no legal basis under Article 6(1)(b) GDPR.

However, certain contractual defects seem to be common to many European legal traditions: for example, intention, misrepresentation and duress. However, beyond such standard cases there are circumstances in which a breach does not necessarily lead to a contract being void, but only allows contract partners to successfully challenge the contract.

The EDPB Guidelines 2/2019 have clarified that these rules must be taken into account in assessing the validity of a national contract: “contracts and contractual terms must comply with […] consumer protection laws in order for processing based on those terms to be considered fair and lawful”.[30] In conclusion, in order to understand whether a contract is valid or not, a controller must first identify the applicable law and, second, verify whether the contract is valid under that law (including any applicable EU law).

Prior to entering into a contract

Under Article 6(1)(b) GDPR, data processing may also be lawful in pre-contractual situations at the request of the data subject.

Example-icon.png

For example: A data subject asks a sales representative for curtains to send information on their products and to schedule an appointment at the data subject"s house. The parties have not (yet) formed a contract, but the sales representative may use the data subject"s details to the extent that this is necessary for the pre-contractual steps.

EDPB-icon.png

"[W]here a data subject contacts the controller to enquire about the details of the controller’s service offerings, the processing of the data subject’s personal data for the purpose of responding to the enquiry can be based on Article 6(1)(b).


[...]


[T]his provision would not cover unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party."

EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), margin number 46 et seq.

End of contract

Where the processing is based on the performance of a contract, the end of such a contract (e.g. in the case of fulfillment or termination) makes this legal basis vanish, the processing of personal data under Article 6(1)(b) GDPR is no longer allowed. As the controller typically still needs to process personal data after a contract is fulfilled or terminated, the same data can be still be processed for other legal purposes.

Example-icon.png

For example: Already the privacy policy of the controller included that the relevant personal data is not only processed for the performance of the contract, but also compliance with a legal obligations under Article 6(1)(c) GDPR (e.g. tax records) and the establishment, exercise or defence of legal claims under Article 6(1)(f) GDPR (e.g. to manage guarantee claims and alike).

You can find more information on such other legal basis in the commentary on Article 6(1)(c) to (f) below.

EDPB Guidelines: On this provision there are the EDPB Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR; and EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

(c) Legal obligation

The GDPR recognises that under many European and Member State"s laws controllers may be obliged to collect, store, and otherwise process personal information. Under Article 6(1)(c), such processing operations are considered lawful if they are necessary to fulfil these obligations.

Example-icon.png

For example: An employer processes personal data for social insurance purposes or under a duty to document compliance with workers' rights. A bank keeps records and shares them with authorities under money laundering legislation. A company keeps all relevant financial information under a duty to keep documentation on paid taxes for a certain number of years.

Necessary

Information on necessity can be found above under the overview on Article 6(1) under "necessity". The concept of necessity means that processing must be limited to what is strictly necessary. This does not mean that only indispensable processing is allowed. Unreasonable alternatives are not taken into account, but merely "useful" additional processing is not "necessary"

Compliance with a legal obligation

The legal obligation must originate directly from the law. ‘Member State law’ refers to all material law of that Member State.[31] It may not result from a contractual arrangement,[32] non-binding government requests or any form of "guidelines" or "best practice documents" and like that do not have the force of law. It is a matter of the national constitutional law to determine what constitutes obligations with the force of law. In some Member States this may include secondary legislation (e.g. "statutory instruments" or ministerial "directives"), local laws or ordinances, all the way to collective bargaining agreements that are given the force of law in some Member States.[33]

Example-icon.png

For example: A controller gets a request from the police to disclose certain information. The police says it has a right to get that information. Once the controller takes a closer look, it turns out that under applicable national law, the police may ask the controller for such information and hope for their voluntary support, but the controller has no obligation to comply with this request. The controller cannot share the information under Article 6(1)(c) GDPR, as there is no "legal obligation".

Article 6(1)(c) GDPR only covers "obligations" under national law, meaning regulations that require a certain processing operation. Article 6(1)(c) does not cover situations where the law permits certain conduct or processing operations. In certain cases, there may however be options to use Article 6(1)(f) GDPR to process personal data.

The legal provision which defines the legal obligations for the controller does not need to be specific to each individual processing. It must, however, be sufficiently clear, precise and foreseeable and, in particular, define the purposes of the processing.[34] Processing that goes beyond these legal obligations is not lawful under this provision. Any obligation to process data under another law must itself be proportionate (Article 7 and 8 EU Charter of Fundamental Rights) and in compliance with Article 6(2) and (3) GDPR.

Union or Member State law

According to Article 6(3) GDPR, the legal obligations may only be based in Union law or Member State law to which the controller is subject. This means that:

  • Union or Member State law trigger Article 6(1)(c) GDPR, this includes laws that make foreign obligation enforceable in the Union or Member State.
  • Any third country law (even if it applies to the controller under the laws of that third country) do not fall under Article 6(1)(c) GDPR.
  • Any Members State law that the controller is not subject to (e.g. the laws of another Member State than his establishment) do not apply.

Obligations under third country law may, according to some views, be a factor to assess a possible "legitimate interest" under Article 6(1)(f) GDPR.

Specifications in Member State law

Equally to Article 6(1)(c) GDPR, Article 6(2) and (3) GDPR require that Union or Member State law fulfill certain criteria. See commentary on Article 6(2) and (3) below for the commentary on this element.

To which the controller is subject

Article 6(1)(c) GDPR only covers situations where the controller is subject to a direct legal obligation. Obligations on the data subject or a third party do not trigger Article 6(1)(c) GDPR.

(d) Vital interest

A data processing may also be lawful if it is necessary to protect the vital interests of the data subject or of another natural person. The underlying assumption here is that the right to life takes precedence over data protection and - in the case of the vital interests of the data subject - the data subject is assumed to consent to the processing.

Example-icon.png

For example: The data subject is rushed to the hospital and the doctors check their medial data systems to ensure that they are fully aware of any potential complications from preexisting conditions or allergically reactions.

In practice many situations where data for the "vital interests" are processed my concern special categories of personal data (e.g. health data) and are therefore regulated by Article 9 GDPR.

Necessary

Information on necessity can be found above under the overview on Article 6(1) under "necessity". The concept of necessity means that processing must be limited to what is strictly necessary. This does not mean that only indispensable processing is allowed. Unreasonable alternatives are not taken into account, but merely "useful" additional processing is not "necessary"

Protection

Article 6(1)(d) GDPR only requires the aim to protect vital interests. The mere effort seems to be sufficient.

Vital interests

Recital 46 clarifies that vital interests are "essential for the life" of the data subject. It follows that data processing on this ground “requires that a situation of concrete and imminent danger exists for the data subject or a third (natural) person”.[35]

The provision does not require that the natural person subjectively wants to have his or her vital interests protected. The provision could consequently also apply in situations of self-harm or natural persons that do not care about the protection of their vital interests. Such an interpretation would potentially go against the concept of informational self-determination.

Natural person

According to the provision the "vital interests of the data subject or another natural person" must be protected. As data subjects are defined as natural persons under Article 4(1) GDPR, the provision could equally read "any natural person".

(e) Public interest

Article 6(1)(e) GDPR allows processing for tasks carried out in the public interest or in the exercise of official authority vested in the controller, if the processing is based on EU or Member State law. The Member States have vastly different traditions in allocating tasks in the public interest. In recent decades, many tasks that were typically allocated to the government were outsources to private or quasi-private entities. Article 6(1)(e) GDPR consequently follows a "functional" approach.[36] It does not matter if the controller is a public authority, a private entity or a publicly owned entity.[37] Examples of entities that carry out tasks in the public interest or exercise official authority:

  • Certain tasks of notary publics, lawyers, probation services or tax accountants;
  • A private limited company, fully owned by the Member State, that is tasked with air-traffic control and licensing pilots;[38]
  • Private entities tasked with technical inspections on behalf of the government (e.g. chimney sweepers);
  • Political parties in the administration of elections;
  • Private or non-profit health care providers or ambulance services operating on behalf of the government;
  • Utility providers that are e.g. tasked with operating "smart meters";[39]
Necessary

Information on necessity can be found above under the overview on Article 6(1) under "necessity". The concept of necessity means that processing must be limited to what is strictly necessary. This does not mean that only indispensable processing is allowed. Unreasonable alternatives are not taken into account, but merely "useful" additional processing is not "necessary".

Therefore, a processing must not only be carried out in the public interest to meet the requirement of this provision; the processing has to genuinely meet the objectives of the pursued public interest without going beyond what is necessary in order to achieve these objectives.[40]

Performance of a task carried out in the public interest

The first branch covers Union or Member State laws that require public or private entities to process personal data for a task carried out in the public interest.

Example-icon.png

For example: In a Member State public but also private entities are operating the ambulance services. This includes a government department but also non-profits operating ambulances. Equally full-time emergency doctors, but also local doctors in the countryside are involved in the system. They are all coordinated by a single software system. The legal basis is a national law that uses the options under Article 6(1)(e) GDPR.

The exercise of official authority vested in the controller  

The second branch covers Union or Member State laws that require public or private entities to process personal data when exercising official authority.

Example-icon.png

For example: A Member State has outsourced issuing and revocation of certain licenses to a private entity. The law transfers certain authority to that entity that requires the use of personal data. The entity can rely on Article 6(1)(e) GDPR.

Specifications in Union or Member State law

Equally to Article 6(1)(c) GDPR, Article 6(2) and (3) GDPR require that Union or Member State law fulfill certain criteria. See commentary on Article 6(2) and (3) below for the commentary on this element.

(f) legitimate interest

Article 6(1)(f) GDPR establishes a legal basis for the processing of personal data when the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.

While Articles 6(1)(a) GDPR deals with situations where data subjects waived their rights and Articles 6(1)(b) to (e) deal with common purposes where processing is allowed, Article 6(1)(f) deals solely with situations where the controller or a third party has an interest that conflicts with the data subjects' fundamental right to data protection.

There are three cumulative conditions (explained in more detail further below) that must be met in order for a processing to fall under the legal basis of Article 6(1)(f) GDPR:

  1. the pursuit of a legitimate interest by the controller or by a third party (i.e. controllers ought to verify whether their interest is actually “legitimate”);
  2. the need to process personal data for the purposes of the legitimate interests pursued; and,
  3. the interests or fundamental freedoms and rights of the person concerned by the data protection do not take precedence over the legitimate interest of the controller or of a third party (i.e. balancing test).[41]

In general, the evaluation whether a processing activity can be based on the legal basis of legitimate interest is entirely in the hands of the data controller who, taking into account the conditions described above, has discretion in how to perform such evaluation. However, the EDPB provides some guidance on how to perform such assessment.[42]

In accordance with the accountability principle under Article 5(2) GDPR, a controller invoking this legal basis is responsible for, and has to be able to demonstrate, compliance with each of those cumulative conditions. Therefore, the controller should document the performance of the legitimate interest assessment accordingly. Also, if a Data Protection Officer is appointed by the controller, they should be involved by the controller in this assessment.[43]

If a controller wants to rely on legitimate interest under Article 6(1)(f) GDPR for the processing of personal data for various purposes, the controller has to assess the validity of this legal basis for each of those purposes.[44]

Flexible but legally uncertain

Article 6(1)(f) GDPR is the "catch all" balancing test for anything not foreseen by Articles 6(1)(b) to (e) GDPR, where the controller does not seek consent, but takes the view that the rights of the controller or a third party override the rights of the data subject. However, this legal basis should not be considered a last resort, if no other legal basis is applicable, neither should it be used to circumvent legal requirements of other legal bases.[45]

EDPB-icon.png

"[...] Article 6(1)(f) should not be considered as an “open door” to legitimise all data processing activities which do not fall under any of the other legal bases in Article 6(1) GDPR. Rather, it should be recalled that Article 6(1)(f), like each of the legal bases set out in Article 6(1) GDPR, must be interpreted restrictively."

EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 9 (available here).


Even though the controller has to perform a careful assessment for each planned processing activity based on the legal basis of legitimate interest and follow a specific methodology, the flexibility and open-endedness of this clause also leads to major legal uncertainty for controllers and data subjects.

While Article 7(f) of the previous Data Protection Directive 95/46/EC also foresaw the option to process based on an overriding "legitimate interest" the previous Directive allowed Member States to implement more specific provisions for certain situations (e.g. video surveillance, credit ranking and alike). Given that the GDPR is now a directly applicable Regulation, there is no room for such national "interpretations". Nevertheless, many Member States have kept their national "legitimate interest" implementations, despite lacking the necessary jurisdiction. While this approach is meant to provide more legal certainty, it actually adds even more uncertainty.

During the GDPR negotiations, Article 6(1)(f) was one of the major battle grounds between the legislator and industry lobbyists. The European Commission foresaw a right of the Commission itself to pass delegated acts that would further define Article 6(1)(f) GDPR - this was rejected by the European Parliament. Various proposals to add explanatory lists of what does and what does not constitute a legitimate interest were not getting a majority, as each side was unwilling to agree that certain elements are included or excluded.

One of the political solutions was to "park" some of these suggestions in Recitals 47 to 49 GDPR, as one side was able to argue that the matter is now "in the GDPR" and the other side was able to highlight that the Recitals are not legally binding. When it comes to the contentious issue of advertisement the legislator finally added the remarkable line that "direct marketing" (not all advertisement) "may" constitute a legitimate interest. There is no indication as to when this "may" or "may not" be a legitimate interest.

Article 6(1)(f) GDPR consequently requires a delicate balancing of relevant interests. The balancing act in question is not a straightforward balancing test which would simply consist of weighing two easily quantifiable and easily comparable "weights" against each other.

Pursuit of a legitimate interest (1st step in the assessment)
Whether the interest is legitimate

As highlighted by the EDPB, the a distinction must be made between concept of interest and the concept of purpose (for more information on the concept of purpose see Article 5(1)(b) GDPR). Interest is the general objective that a controller intends to pursue (i.e. ensuring the occupational safety of its employees). The purpose, on the other hand, is the specific aim of a certain processing activity (for instance, implementation of specific access control procedures to only allow trained personnel in certain areas of the workplace) and can include a broad range of activities, whether trivial or very compelling, straightforward or more controversial.[46]

EDPB-icon.png

"A 'purpose' is the specific reason why the data are processed: the aim or intention of the data processing. An 'interest', on the other hand, is the broader stake or benefit that a controller or third party may have in engaging in a specific processing activity. For example, a controller may have an interest in promoting its products, whereas this interest may be advanced by processing personal data for direct marketing purposes."

EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 14.


Only an legitimate interest can be invoked by a controller in order to base a processing activity on the legal basis of Article 6(1)(f) GDPR. There are three cumulative requirements for an interest to be considered legitimate:

First, the interest hast so be lawful, i.e. the controller can legitimately pursue it and it is not contrary to EU or national law. However, it is not necessary that the interest is determined or enshrined in law.[47] For example, the CJEU did not rule out that, in principle, also a commercial interest of the controller could be regarded as a legitimate interest.[48]

CJEU-icon.png

"As regards, first, the condition relating to the pursuit of a ‘legitimate interest’, it should be emphasised that, in the absence of a definition of that concept in the GDPR, as the Court has previously held, a wide range of interests is, in principle, capable of being regarded as legitimate [...]".

CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond, margin number 38..


As to what “law” means in this case, in the absence of updated guidance, reference should be made to the instructions provided by the WP29 in Opinion 3/2013 on purpose limitation, according to which the notion of "law" must be interpreted in an extensive manner, including all forms of written or common law, as interpreted by the competent courts and supplemented by other official sources.[49] The above seems to be confirmed by the recent guidelines on contract-based treatment. There, the EDPB clarified that the contract (and thus, by analogy, the legitimate interest) must be valid i.e. “must comply with the requirements of contract laws and, as the case may be for consumer contracts, consumer protection laws in order for processing based on those terms to be considered fair and lawful”.[50] Also, reference can be made to the Cookie Banner Taskforce, deeming the usage of legitimate interest for activities such as “create a personalised content profile” unlawful. The taskforce agreed that such processing requires consent according to Article 5(4) ePrivacy Directive.[51]

Second, the pursued interest has to be clearly and precisely articulated in order to ensure that the assessment of necessity and the balancing of interests can be performed in a an accurate and proper manner.[52] Therefore, a interest only expressed in vague or general terms is not sufficiently articulated to assess its legitimacy and therefore cannot be a legitimate interest.[53]

Third, the persuaded interest must not be just speculative. To the contrary, the pursued interest must be real and present. This means that the legitimate interest must be present at the date of the processing of personal data; a mere hypothetical interest is not sufficient.[54]

A wide variety of interests can potentially fulfil all three conditions and be therefore considered legitimate. Recital 47 GDPR additionally mentions a relevant and appropriate relationship between the data subject and the controller as potential indicator for the existence of a legitimate interest. However, such a relationship is neither necessary nor a guarantor for a interest to be legitimate.[55]

Pursued by the controller or by a third party

The legitimate interest at stake must also be “pursued by the controller or a third party”. However, the interest pursued by a controller should be related to the actual activities of that controller.[56]

Example-icon.png

For example: A social media platform can not rely on a legitimate interest of preventing, detecting and prosecuting criminal offences, for the sharing of personal data with law-enforcement agencies, since this is unrelated to its economic and commercial activity and can therefore not constitute a legitimate interest pursued by the social media platform.[57]


The pursue of interests of one or more third parties can also subject of this provision. Regularly, a processing activity will be in the interest of the controller as well as in the interest of third parties. The clarification of the specific beneficiaries of a processing activity prior to the actual processing is therefore crucial in order to assess the necessity of the processing and to perform a proper balancing test.[58] The EDPB provides some guidance on contexts in which personal data may be processed in the interest of a third party, mentioning cases like the defence of legal claims, the disclosure of data for transparency and accountability purposes, and scientific research.[59]

Even if some interests pursued by a controller could also benefit the general public, it should be pointed out that the general public itself does not constitute a third party under Article 6(1)(f) GDPR.[60]

In situations where personal data is processed for a purpose other than that for which the data was initially collected (e.g. when data is initially collected for purposes of the controller and then further processed in the legitimate interest of a third party), the rules for further processing (also called "secondary use") under Articles 5(1)(b) and 6(4) GDPR apply. In the absence of consent or a law explicitly allowing it such a further processing, “is permitted only if it is compatible with the purpose of the initial processing”).

Additionally, it should be noted that according to Article 6(1) GDPR, public authorities cannot invoke the legal basis of Article 6(1)(f) GDPR in the performance of their tasks.[61]

Necessary for the purposes (2nd step in the assessment)

Necessity is a condition for all legal bases but consent. Therefore, see the paragraph on necessity in general above.

CJEU-icon.png

"Second, with regard to the condition that the processing of personal data be necessary for the purposes of the legitimate interests pursued, that condition requires the referring court to ascertain that the legitimate data processing interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects, in particular the rights to respect for private life and to the protection of personal data guaranteed by Articles 7 and 8 of the Charter [...]"

CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond, margin number 42..


Balancing Test (4rd step in the assessment)
Overridden by interests of the data subject

The fact that the controller has a legitimate interest and the processing is necessary for the pursued legitimate interest is not enough for a controller to rely on Article 6(1)(f) as a legal basis for the processing. The third condition is that the legitimate interest pursued is not overridden by the interests and fundamental rights and freedoms of the data subjects. Therefore, the it is necessary to perform a balancing test between the legitimate interests of the controller or of a third party on the one hand and the interests or fundamental freedoms and rights of the data subjects on the other hand.

EDPB-icon.png

"This “balancing exercise” between the fundamental rights, freedoms and interests at stake must be performed for each processing to be based on legitimate interest as a legal basis, and must be done before carrying out the relevant processing operation(s)."

EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 7 (available here).

To do so, the EDPB suggests a four-step test including:

  1. assessing the data subjects' interest, fundamental rights and freedoms;
  2. identifying the impact of the processing on data subjects (e.g. the nature of the processed data, the context of the processing, and any further consequences of the processing);
  3. the reasonable expectations of the data subject; and
  4. the balancing of the opposing rights and interests (taking into account any possible mitigation measures like additional safeguards).[62]
EDPB-icon.png

"It should be recalled that the purpose of the balancing exercise is not to avoid any impact on the interests and rights of the data subjects altogether. Rather, its purpose is to avoid a disproportionate impact and to assess the weight of these aspects in relation to each other."

EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 33.


Data subjects' interests or fundamental rights and freedoms

In general, the definition of “fundamental rights and freedom” includes all the traditional rights foreseen in the European constitutions, the Charter of Fundamental Rights of the EU as well as the European Convention on Human Rights. This obviously includes the right to the protection of personal data, personal and family life, freedom of expression and human dignity. In addition to the fundamental rights of the data subject, other “freedoms or interests” must also be taken into account. This includes the interest not to suffer any economic disadvantages, regardless of whether the damage occurs following the publication of personal data or in another way, such as via a discriminatory personalised pricing policy.[63] The EDPB also lists various other freedoms and interests like the prohibition of discrimination and personal interests.[64]

Finally, it should be noted that - unlike in the case of the controller’s interests - the data subject's interest apparently does not have to be legitimate. A wider scope to the protection of individuals’ interests and rights is therefore implied. This means that even individuals engaged in unlawful activities should not be subject to disproportionate interference regarding their rights and interests. For example, “an individual who may have perpetrated theft in a supermarket could still see his interests prevailing against the publication of his picture and private address on the walls of the supermarket and/or on the Internet by the owner of the shop.”[65]

Identifying the impact on the data subject

Once the data subjects' interests and fundamental rights have been identified, an assessment of the impact (negative as well as positive) on data subjects should be performed by the controller. In order to perform a comprehensive assessment, the EDPB recommends to consider among others: (i) the nature of the processed data, (ii) the context of the processing, and (iii) any further consequences of the processing.[66]

Several elements can be useful at this stage, including the likelihood that a risk can materialise and the severity of its consequences. Also, the scale of the processing (i.e. the number of individuals potentially impacted as well as the volume of data) and other circumstances of the processing should be considered. Also of relevance is the way the information is being processed, whether it is shared with a large number of actors or persons or combined with other data sets. For example, in a case involving the lawfulness of a CCTV surveillance system, the CJEU considered different factors including whether the data to be processed were retrieved from publicly accessible sources or were rather related to the data subject’s private life; the nature of the data, particularly their sensitiveness; and the modalities of processing, including the number of persons having access to the data.[67]

In general, it appears that the more sensitive the information involved is, the more consequences for the data subject there may be. It should be noted that the processing of special categories of data is only allowed in the cases listed in Article 9(2) GDPR.[68] Reference can also be made to the factors a controller has to consider also during the assessment of risks connected to a processing activity (among others, see commentary on Article 24, 25 and 32).

Article 6(1)(f) GDPR explicitly mentions situations "in particular where the data subject is a child". This indicates that a balancing test needs to take the specific interests and expectations of a child into account.[69]

In the context of the balancing test and the potential impact on the data subject importance should be attached to the relationship between the data subjects and the controller. E.g. the CJEU held that the transfer of personal data by a sports association to a provider of casino games for marketing activities did not appear to be characterised by a relevant and appropriate relationship between the association and its members whose personal data were transmitted.[70]

Also, any potential harmful effects and other consequences on the data subjects must be considered in course of the balancing test.[71]

EDPB-icon.png

"The controller may need to take into account also possible broader emotional impacts resulting from a data subject losing control over personal information, or realising that it has been misused or compromised. The chilling effect on protected behaviour, such as freedom of research or freedom of expression, that may result from continuous monitoring/tracking or from the risk of being identified, should also be given due consideration. For example, continuous online monitoring of online activities by a platform may give rise to the feeling that a data subject’s private life is being continuously observed."

EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 46.

The assessment of the (potential) impact on data subjects should not be made under the assumption that all data subjects have the same interests - especially, when it is likely that the some of the affected data subjects have diverging interests.[72]

Reasonable expectations of the data subject

Recital 47 GDPR stipulates that the reasonable expectations of the data subjects should be considered. In particular, it is important to evaluate whether the status of the data controller, the nature of the relationship or the service provided, or the applicable legal or contractual obligations (or other promises made at the time of collection) could give rise to reasonable expectations of stricter confidentiality and stricter limitations on further use.[73]

CJEU-icon.png

"[...] as regards the balancing of interests which it is for the referring court to carry out in the light of the specific circumstances of the dispute in the main proceedings, that court must take account, in particular, of the reasonable expectations of the data subject as well as the scale of the processing at issue and its impact on that person [...]"

CJEU - C‑621/22 - Koninklijke Nederlandse Lawn Tennisbond, margin number 54..

It is important to note that the reasonable expectations of a data subject could very well deviate from whatever is considered common practice or business standard in a certain sector. Also the fact that a processing activity is very established or has been taken place for a long time is not decisive for the question whether a processing is in the data subjects' reasonable expectations. Neither do the reasonable expectation of the data subject depend on the information provided by the data subject (e.g. in a privacy policy).[74]

EDPB-icon.png

"While a failure to provide information can contribute to the data subjects being surprised, the mere fulfilment of information duties according to Articles 12, 13 and 14 GDPR is not sufficient in itself to consider that the data subjects can reasonably expect a given processing."

EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 68.


The EDPB suggests that the assessment of the reasonable expectations should consider an "average" data subject (unless it is likely that different groups of data subjects with different characteristics are affected) and lists a number of elements, that could be considered for the assessment of what could be considered reasonable expectations.[75]

Balancing of the opposing rights and interests

At the end of the balancing test is the assessment whether the identified pursued legitimate interests of the controller or third parties are overridden by the data subjects' interests or rights and freedoms. Only if that is not the case, the controller can base its processing of personal data on the legal basis of legitimate interest under Article 6(1)(f) GDPR. It is worth repeating that such assessment has to take place prior to the commencement of the processing activity.

In particular where the data subject is a child

In all the steps of the balancing test, special attention should be paid to the question whether also children could be affected by the processing activity. This is also directly stated in Article 6(1)(f) GDPR. In such a case the balancing test should be recalibrated and consider the fact that children (depending of the specific age group) might be less aware of any risks and consequences connected with the processing activity.[76]

EDPB-icon.png

"While this does not mean that there will never be a situation in which the interests of the child can be overridden, it does mean that the interests of children as data subjects should have high priority and will very often outweigh the interests of the controller or third parties.


[…]


[…] Article 6(1)(f) GDPR may be invoked as a legal basis by a controller where the legitimate interests pursued coincide with the interests of the child. However, when there is a conflict between a controller’s legitimate interests (including regarding processing of personal data for commercial purposes) and the interests or fundamental rights and freedoms of a child, the interests or fundamental rights and freedoms of the child should in general prevail. […] [T]here are certain types of data processing operations, such as those consisting of extensive profiling and targeted advertising activities, which - subject to certain limited exceptions - will generally not align with the obligation to ensure specific protection of children."

EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 94 et seq.


Whenever personal data of children are processed based on Article 6(1)(f) GDPR, the controller has to be able to demonstrate that the children's best interest were a primary consideration in the balancing test.[77]

Additional safeguards

In case the legitimate interest test shows that the data subjects' interests or rights and freedoms overweight the legitimate interest of the controller or third parties, the controller could introduce additional safeguards (mitigation measures) in order to archive a balance a balance between the opposing interests. However, such measures can only be implemented in addition to all other requirements that the controller is obliged to anyway. Therefore, fulfilling an information obligation in accordance with Article 13 et seq. GDRP or granting data subjects the right to object in accordance with Article 21 GDPR to a data processing can not be considered additional safeguards or mitigation measures; providing additional information or waiving any requirements under Article 21 GDPR could however be considered as a mitigating measure.[78]

EDPB-icon.png

"If the data subject’s interests, rights and freedoms seem to override the legitimate interest(s) being pursued, the controller may consider introducing mitigating measures to limit the impact of the processing on data subjects, in view of achieving a fair balance between the rights, freedoms and interests involved."

EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 56.


Other examples of mitigation measures include the “strict limitation on how much data is collected, or immediate deletion of data after use. While some of these measures may already be compulsory under the Directive, they are often scalable and leave room for controllers to ensure better protection of data subjects” as well as “providing an easily workable and accessible mechanism to ensure an unconditional possibility for data subjects to opt-out of the processing”.[79]

These additional measures may in some cases help tip the balance and help ensure that the processing can be based on Article 6(1)(f), whilst simultaneously protecting the rights and interests of the data subjects. In any case, the controller has to perform the balancing test anew after the implementation of such additional safeguards and mitigation measures. Often, even the implementation of such measures will not change the outcome of a balancing test in favour of the interests or rights and freedoms of data subjects. In such cases Article 6(1)(f) GDPR can not be invoked as a legal basis for a processing activity.[80]

Examples of overriding legitimate interest

The assessment if a legitimate interest overrides the interest of a data subject are always a case-by-case assessment. And it should be kept in mind that the assessment if a processing activity can be based on this legal basis could result in different outcomes in different contexts or situations. For example could the reasonable expectations of data subjects diverge immensely in different processing situations and controllers could implement different additional safeguards or could have different alternative methods to their disposal.

Controllers should therefore be careful when orientating on existing case law or examples found elsewhere. However, such examples can provide some useful guidance for controllers.

Some examples of situations in which legitimate interest under Article 6(1)(f) GDPR overrides the data subjects' freedoms and interests can be found in Recitals 47 to 49. As always, it must be stressed that Recitals are not legally binding, but nevertheless give a very good understanding of the views of the legislator. Generally the examples in Recitals 47 to 49 can be described as largely "defensive", in the sense that the data subject interfered with the rights of the controller or a third party and the controller is using personal data to defend against such situations. Only very limited examples seem to be "offensive", in the sense that the controller proactively interferes with the rights of the data subject.

To give some additional orientation, it can be referred to some typical examples of cases in which a legitimate interests might override the data subject's freedoms and interests:

  • Processing for network and information security (see Recital 49), which may even be a legal duty under Articles 6(1)(c) and 32 GDPR.[81]
  • Protection of life, property and alike (like CCTV of areas with repeated offences or highly likely targets, such as a bank, if there are no feasible alternatives and safeguards like deletion periods and strictly limited access to recordings are ensured).
  • Processing for the prevention of fraud (see Recital 47), such as "black lists" of known fraudsters.[82]

The EDPB lists additional examples of legitimate interests in their Guidelines on legitimate interest.[83]

However, it should be noted that the above mentioned interests should be articulated clearer and more precise when actually invoked by a controller for a specific processing activity.[84]

On the other hand, the following situations are generally not seen as cases where a legitimate interest overrides the data subjects' freedoms and interests:

  • Advertisement (other than "direct marketing" as under Article 13(2) of ePrivacy Directive 2002/58/EC, see below).
  • Usually the use of personal data for mere profits is also a case where the data subjects' freedoms and interests generally override the pursued legitimate interests.

It should be noted however, that the CJEU confirmed that also a commercial interest of the controller could constitute a legitimate interest, provided that it is lawful.[85]

The following processing could be considered edge cases in which controllers should be especially careful when considering each step of the assessment whether legitimate interest could be a legal basis for a processing activity:

  • Direct marketing (the Recital says this "may" be a legitimate interest) other than so-called "soft spam" in existing customer relationships under Article 13(2) of the ePrivacy Directive 2002/58/EC.[86]
  • The sharing of information within a group of undertakings for internal administrative purposes "may" be a legitimate interest according to Recital 48.[87]
  • Use or personal data in search engines, based on the public interest in information under Article 11 of the Charter - but not the commercial interest of a search engine. However, this interest may be overridden in individual cases (see C‑131/12 - Google Spain and the "right to be forgotten").
  • Transmission of personal data to competent authorities in connection with possible criminal acts or threats to public security.[88]

Another area with a lot of legal uncertainty is the performance of profiling in connection or in advance of different processing purposes. The EDPB highlights elements that are particularly relevant for any cases such a profiling takes place, like the level of detail and comprehensiveness of the profile and the potential impact of the profile on the data subject.[89]

(2) Member State law under Article 6(1)(c) and (e)

Paragraph 2 gives Member States competence in the public sector,[90] since it allows them to adopt, or keep,[91] their own (material) rules that regulate in which instances a controller can rely on the legal bases provided for in Article 6(1)(c) and Article 6(1)(e) GDPR. Member States can also "determine more precisely specific requirements" for the processing to, ultimately, ensure that this processing is lawful and fair.[92] While Member States may "specify" the often abstract GDPR requirements, but they may not alter them or go beyond them. Through this wording it is apparent that these national provisions must stay within, and cannot go beyond the framework of the GDPR.[93] They also concern specific processing situations under Articles 85 to 91 GDPR (freedom of expression, freedom of information, access to official documents, processing in the employment context and alike).

Example-icon.png

For example: A national law may require an employer to collect personal data on employees and provide them to social security providers or the tax authority under Article 6(1)(c) GDPR. Such laws may be kept, introduced or changed by the Member States and also add elements in the national law, like specific deletion period (e.g. "keep records for 5 years"), setting clearer purposes that limit the use of certain data (e.g. "only for taxation purposes") or add specific notice requirements.

Since this provision allows Member States to enact denser regulation, as well as more concrete requirements for controllers, some authors noted that this can lead to conflicts, not only between a Member State and the Commision (since the latter monitors the application of Union law), but also in case of different processing situations by the same controller or vis-à-vis the same data subject.[94]

(3) Union and Member State law under Article 6(1)(c) and (e)

Union or Member State law

According to Article 6(3), the legal basis for processing under Article 6(1)(c) (legal obligation) and Article 6(1)(e) (public interest) must be laid down by (a) Union, or (b) Member State law. Contrary to Article 6(1)(c), however, the public interest processing does not have to be expressly laid down in a legal basis. It suffices if the processing is necessary to fulfil a task which serves the public interest, or in the exercise of official authority, and the task is described in a specific and clear manner.[95]

It should be noted that the Member State law to which the controller is subject does not necessarily mean a legislative act adopted by a parliament. For example, the CJEU held that also national case-law could constitute such a legal basis.[96]

CJEU-icon.png

"[…] as recital 41 of that regulation states, where it refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to obligations provided for under the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court and the European Court of Human Rights.

[…]

In that regard, it should be noted that […] it cannot be ruled out that ‘Member State law to which the controller is subject’ within the meaning of point (b) of Article 6(3) of the GDPR also covers national case-law."

CJEU - Joined Cases C‑17/22 and C‑18/22 - HTB Neunte Immobilien Portfolio, margin number 68 and 71..


Requirements under non-EU/EEA laws, such as a US, Chinese or Swiss law requiring the processing of personal data, cannot be the basis for processing under Article 6(1)(c) or (e) GDPR. However, a duty under the law of another country may be a "legitimate interest" under Article 6(1)(f) GDPR, which can be the starting point of a balancing test.

Specific provisions

Moreover, the provision allows Member States to implement specific provisions contained in this legal basis, and suggests, inter alia, the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures. These concretisations are non-exhaustive and non-binding, but are certainly permissible specific provisions.[97] Lastly, the constituent element ‘Member State law’ refers to all material law of that Member State.[98]

Tensions between national laws and EU law

If Member States would pass such legislation without complying with the general principles of "proportionality" under Article 8 and 52 of the Charter, as well as Article 6(1)(2) and (3) GDPR, Articles 23 and 85 to 91 GDPR such national laws would be inapplicable, given the supremacy of EU law.

Case Law: In Joined Cases C-465/00, C-138/01 and C-139/01 - Österreichischer Rundfunk a national law foresaw to publish the income of employees of the public bodies, such as the public broadcaster for transparency reasons. The CJEU held that the disclosure of not only the amounts, but also the names of the recipients is only possible if it is truly necessary for and appropriate to the objective of proper management of public funds. While the CJEU seemed rather critical, the court left it to the Member State courts to make the ultimate determination.

After the passing of the GDPR in 2016, many Member States were lobbied by local interest groups to use any possible exception. Member States have in turn extensively passed laws that go beyond the opening clauses in the GDPR. This creates massive legal uncertainty, as such laws are on the books, but may not be applied in practice. It often takes years until local courts and the CJEU annuls these laws.

Case Law: The legislator in Austria has passed a total exception from all GDPR obligations for journalism. As this blanket exception went far beyond anything that is "proportionate" the Austrian Constitutional Court annulled the law.[99] For example in Sweden a similar provision does still exist.[100]

For the average controller, it is therefore important to ensure that national laws comply with EU law requirements and are not at risk of being annulled or declared inapplicable.

Relationship between Articles 6(2) and 6(3) GDPR

It is important to set out that it remains unclear how Articles 6(2) and 6(3) relate to one another, legally and systematically.[101] The exact relationship between the two clauses remains disputed. Some authors ascribe a more declaratory nature to Article 6(2),[102] and see Article 6(3) as the clause that offers the actual competence to enact material-specific data protection regulation.[103] Other authors state that Article 6(2) does permit Member States to adopt material-specific regulation, and see Article 6(3) as a clause that sets out concrete requirements for this regulation.[104] Finally, another group of authors that does not see these requirements as additional, but cumulative.[105]

(4) Further processing

Article 8(2) of the Charter and Article 5(1)(b) GDPR require that personal data is only processed for original "specified, explicit and legitimate purposes" and that personal data is not "processed in a manner that is incompatible with those purposes". Especially the idea of re-use of personal data for "big data" projects and alike was at the heart of a lobby effort to limit purpose limitation in Article 5(1)(b) GDPR and allow the re-use and further use of personal data - which is in fact the antithesis of purpose limitation.

Consent

Article 6(4) GDPR foresees that a data subject can waive the protections under Article 5(1)(b) GDPR by giving consent, as defined in Articles 4(11), 6(1)(a), 7 and 8 GDPR. This option is consistent with the right to informational self-determination, where data subjects can give up their rights under the law.

Example-icon.png

For example: A data subject has provided her personal data at an online shop to process her order. The controller may ask the data subject to allow the re-use of this personal data to send a birthday gift via postal mail and thereby change the purpose to advertisement.

It is unclear if consent for the further use of special categories of personal data must be explicit, as required under Article 9(1)(a) GDPR. While the wording does not require explicit consent, a systematic interpretation would suggest that the change of purpose should meet the same requirements as consent to the processing of the original purpose when it comes to special categories of personal data.

Union or Member State Law

It is rather common that laws require the sharing of various information, such as evidence in procedures. Member States can maintain or pass such legislation and controllers may not cite purpose limitation to withhold information, as long as such laws "constitute a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) GDPR". Other objectives are not available to Member State law.

Example-icon.png

For example: An event has a participant list. The controller said the purpose of this list is merely the management of entry to the event. When a crime happened and the criminal procedure of a Member State allows to obtain any personal data for the purposes of criminal investigations, the purpose limitation by the original controller can be overridden in the public interest to allow the investigators to use this information for their criminal investigation.

When it comes to the reference to EU law, there would actually be no hierarchy between Article 6(4) GDPR and any other provision that goes beyond Article 6(4) GDPR. Consequently any later legislation would simply overturn or amend the provision and Article 6(4) GDPR would loose its meaning.[106]

However, because such EU or Member State law interferes with purpose limitation in Article 8(2) of the Charter, any such EU or Member State law would have to comply with all requirements of Article 52 of the Charter, including the requirement to be "proportionate". It may be that legal requirements are not compatible with these requirements. EU law could therefore be subject to annulment, while Member State law would be inapplicable.

Compatible purposes

In addition to the option to process personal data for a (wholly) different purpose, Article 6(4) GDPR also foresees the option to have so-called "compatible" purposes. The idea of compatible purposes was derived from the definition of purpose limitation already known from Article 6(1)(b) of Directive 95/46/EC ("personal data must be ... collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes"). In simple terms, the fact that the Directive only prohibited processing that is "incompatible" with the original purpose, led to a line of argument that there must be "compatible" purposes too. Obviously this argumentum e contrario is rather simplistic and questionable as it can erode a core principle of EU data protection. Just because the legislator highlighted that "incompatible" use is prohibited does not automatically lead to the assumption that there are additional "compatible" purposes that are never mentioned in the law nor in Article 8(2) of the Charter. The idea of changing purposes also created a systematic conflicts with requirements to have an utmost "specific" purpose in a first step under Article 5(1)(b) GDPR or "specific" consent for a specific purpose, if the purpose can be changed anyways.[107] Nevertheless, in a battle between the European Parliament and the Council, the idea of "compatible purposes" was codified in Article 6(4) GDPR after all.

Article 6(4) GDPR prescribes certain factors to be taken into account where a controller wishes to further process personal data for a "compatible" purpose, that it was not collected for initially. The factors set out in Article 6(4)(a) to (c) GDPR are not exhaustive. Notably, the new purpose does not need to be a "sub purpose" of the initial one.[108] Rather, compatibility can exist where the initial and further purpose are “pursued ‘together’ in close vicinity” or where the further purpose is “a logical consequence of the initial purpose”.[109]

Factors for the compatibility test

Generally the factors in Article 6(4)(a) to (e) GDPR are only examples ("inter alia") and are very vague. The true meaning of elements like the "context [of the] collection" allows almost any factor or argument to be taken into account. Given that such an assessment is usually done by a controller that seeks to expand the use of personal data beyond the limits of Article 5(1)(b) GDPR, a certain dynamic towards a rather permissible application of this paragraph is likely to occur in practice. To rely on further processing compatibility, controllers must be able to demonstrate that an assessment of all relevant risks was done.[110]

(a) Link between purposes

Obviously for a new purpose to be "compatible", the original purpose and the new purpose must be related. To appreciate the compatibility of various purposes, the controller should take into account, among others, the existence of a link between the original and additional purpose, the general context in which the data are processed.

Already Article 5(1)(b) GDPR clarifies that, further processing for scientific or historical research purposes, or further processing for statistical purposes should be considered to be compatible lawful processing operations.[111]

(b) Context of collection and relationship with data subject

The "context of the collection" and the "relationship with the data subject" seem to be very generic factors that can only be assessed on a case-by-case basis. A bank that focuses on confidentially in an upscale market and explicitly states "we will ever only use your personal information for purposes A, B and C" may raise certain expectations that would not suggest that personal data is further used questionable purposes.

Recital 50 GDPR adds that "the reasonable expectations of data subjects based on their relationship with the controller" should be considered. The context of the collection may give reasons why a data subject would or would not expect the further use for other purposes. The mere fact that many controllers take a certain action may not be obvious to the data subject and the widespread violation of the law does not make an act more legal. Consequently, the mere fact that many controllers use personal data in a "customer relationship system" cannot be seen as a reason why such use is per se "compatible" with the original purpose.[112]

The relationship with the data subject may also point in either direction. Mutual trust may be a factor to suggest that certain steps will or will not be taken. The provision does not suggest that close relationship with the data subject may be a factor to use personal data further. For example, if a close relationship exists, it may be more practical and therefore more reasonable to ask for consent for the further use of personal data, while this may simply not be possible for data subjects that are hard to reach. At the same time a distant data subject may have less of an expectation that his or her personal data may be used for other purposes.

(c) Nature of personal data

While the provision highlights special categories of personal data under Article 9 GDPR and personal data related to criminal convictions and offences under Article 10 GDPR, it is not limited to such personal data ("in particular"). Other categories of usually more sensitive information may include financial details, log-in data and alike and should also be considered in any balancing test.

(d) Possible consequences

Obviously the possible consequences for any further use for the rights of the data subject must be considered when using personal data beyond the limits of Article 5(1)(b) GDPR. This is not limited to financial losses or other material damages, but also includes non-material damages (see Article 82(1) GDPR) and other non-material, emotional consequences or inconveniences, such as foreseeable problems to enforce the data subjects' rights under the GDPR.

(e) Safeguards

The controller may introduced (additional) appropriate safeguards to ensure that the processing of personal data for a compatible purpose is mitigated. The law names, as examples, encryption and pseudonymisation. While proper encryption is a baseline requirement under Article 32 GDPR and will in most cases not lead to any additional safeguard, pseudonymisation can limit the potential impact in cases of abuse. Some other safeguards are already foreseen by law, such as the need to inform about the change of purposes in Article 13(3) or 14(4) GDPR. Additional safeguard may include the use of anonymised data, an option to opt-out from processing for the compatible purpose, beyond the rights under Article 7(4) GDPR to withdraw consent and the right to object in Article 21 GDPR. Safeguards should be "appropriate", meaning neither going beyond what can reasonably be implemented and achieved, nor mere window dressing.

Tension between "compatible" purposes and Article 8(2) of the Charter

During the GDPR negotiations little attention was paid to the fact that the principle of purpose limitation has become an element of the fundamental right to data protection in Article 8(2) of the Charter. Especially the notion of "compatible purposes" seems to stretch the possibilities of the legislator. Given that Article 8(2) of the Charter does not foresee "compatible" purposes any such "compatible" purpose must be seen as a limitation of Article 8(2) of the Chater, which must comply with Article 52 of the Charter. The very vague nature of the open-ended compatibility test in Article 6(4) GDPR itself may already be conflicting with the requirement that any limitation of Charter rights must be foreseen by precise enough law. The CJEU has so far not been asked to assess the compatibility of Article 6(4) GDPR with Articles 8(2) and 52 of the Charter. As a minimum, Article 6(4) GDPR must be interpreted "in the light of the Charter", which may limit the application in many cases.

Tension with Article 5 and 12 GDPR in case of routine reliance on Article 6(4) GDPR

While Article 6(4) GDPR may be used for unforeseen needs to change the purpose, a structural re-use of personal data for initially undisclosed purposes may conflict with the duties under Article 5(1)(a) GDPR "fairness" and "transparency", the general requirement to define the purposes in Article 5(1)(b) GDPR during collection and the requirement to provide (initial) information in a "transparent, intelligible and easily accessible form, using clear and plain language" under Article 12(1) GDPR.

Duty to inform about a change in purposes

Under Article 13(3) or 14(4) GDPR the controller must inform the data subject prior to making any changes to the purpose. This includes any change based on Union or Member State law and the use of personal data for any "compatible" purpose.

Need to comply with all other provisions of the GDPR

The finding that a purpose is "compatible" or that there is a legal basis to process personal data for another purpose in Union or Member State law, does not mean that other provisions of the GDPR must not be complied with for such further processing.

Some authors rely on the (non-binding) Recital 50 GDPR to argue that processing for another purpose does not require a legal basis under Article 6(1) GDPR.[113] However, the authors of the GDPR have highlighted that this was an error in the drafting.[114] This view is also supported by a systematic reading of the law. The requirement to have a legal basis for any processing operation is enshrined in Article 8(2) of the Charter, Article 5(1)(a) GDPR and Article 6(1) GDPR. At the same time Article 6(4) GDPR clearly only further defines Article 5(1)(b) GDPR. Against the clear wording of the law and the obvious systematic relationship between Article 5(1)(b) and 6(4) GDPR, a non-binding Recital cannot override the law.

Consequently, further processing must still have a legal basis under Article 6(1) GDPR, be "fair" under Article 5(1)(a) GDPR and alike.

Decisions

→ You can find all related decisions in Category:Article 6 GDPR

References

  1. See an overview on German criticism in Buchner/Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).
  2. CJEU, Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond, 4 October 2024, margin number 32 (available here).
  3. Buchner/Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).
  4. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 28 (available here).
  5. CJEU, Case C‑524/06, Huber, 18 December 2008, margin number 52 (available here).
  6. Bucher, Petri, DS-GVO BDSG, Article 6 GDPR, margin numbers 15 (C.H. Beck 2024, 4th Edition); Kastelitz; Hötzendorfer; Tschohl, in Knyrim, DatKomm, Article 6 GDPR, margin numbers 19 (Manz 2020).
  7. EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, 8 October 2019’ (Version 2.0), p. 8 (available here).
  8. This includes limited economic powers, the lack of legal or technical training or the lack of alternative providers without similar data practices.
  9. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).
  10. Recital 43 sentence 1 GDPR, and Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).
  11. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).
  12. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).
  13. Communication networks often require all parties to use the same system - making a switch very difficult for single users. See Bucher/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 7 GDPR, margin number 53a (C.H. Beck 2020).
  14. Recital 43 sentence 1 GDPR.
  15. Bucher/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 7 GDPR, margin number 59 (C.H. Beck 2020).
  16. Bucher, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).
  17. See Articles 5(1)(a) and 7(2) GDPR and Recital 42.
  18. Recital 32 sentences 5, 6 GDPR.
  19. CJEU, C‑673/17, Planet49, 1 October 2019, margin number 58-60 (available here).
  20. CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available here). This reading seems to be confirmed by Bucher, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 20 (C.H. Beck 2020).
  21. Recital 32 sentence 1 GDPR.
  22. Recital 32 sentence 2 GDPR.
  23. Recital 32 sentence 3 GDPR.
  24. CJEU, C‑673/17, Planet49, 1 October 2019, margin number 44, 52 (available here).
  25. EUCJ, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available here).
  26. Scholars suggest that, together with consent (Article 6(1)(a) GDPR), contract is the only legal basis covered by Article 6 in which processing is based on the data subject's will. A direct will in the case of consent, and indirect in the case of contract (by agreeing to the Terms). See Resta, in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 6 GDPR p. 69 (Wolters Kluwer 2018), which, in turn, refers to Pelino, Bistolfi, Bolognini, Il regolamento privacy europeo (Giuffrè 2018).
  27. EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 10 (available here).
  28. Heberlein, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 13 (C.H.Beck 2018, 2nd Edition 2018).
  29. Bucher, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 31 ( C.H. Beck 2020, 3rd Edition).
  30. EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 5 (available here).
  31. Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 197 (C.H. Beck 2020, 3rd Edition).
  32. WP29, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 844/14/EN, 9 April 2014, p. 19 (available here).
  33. See for example § 11 Austrian 'Arbeitsverfassungsgesetz' (ArbVG)
  34. Heberlein, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 15 (C.H. Beck 2018, 2nd Edition).
  35. Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 333 (Oxford University Press 2020).
  36. Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 111 (C.H. Beck 2020, 3rd Edition), citing Dammann & Simitis, DSRL Art. 7,  (Nomos 1997) p. 10.
  37. Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 111 (C.H. Beck 2020, 3rd Edition).
  38. See e.g. Austro Control GmbH
  39. Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 131 (C.H. Beck 2020, 3rd Edition).
  40. CJEU, Case C-200/23, Agentsia po vpisvaniyata, 4 October 2024, margin number 110 (available here).
  41. CJEU, Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond, 4 October 2024, margin number 37 (available here); EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 6 (available here).
  42. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 1 et seqq. (available here).
  43. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 45 (available here).
  44. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 10 (available here).
  45. EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 9 (available here).
  46. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 14 (available here).
  47. EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 17 (available here); CJEU, Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond, 4 October 2024, margin number 40 (available here).
  48. CJEU, Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond, 4 October 2024, margin number 48 (available here).
  49. WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 25 (available here).
  50. EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 5 (available here).
  51. EDPB, ‘Report of the work undertaken by the Cookie Banner Taskforce’ 844/14/EN WP 217, 17 January 2023, p. 7 (available here).
  52. EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 17 (available here).
  53. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 18 (available here).
  54. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 17 (available here); CJEU, Case C-708/18, Asociaţia de Proprietari bloc M5A-ScaraA, 11 December 2019, margin number 44 (available here).
  55. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), Example 2 (available here).
  56. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 20 (available here).
  57. CJEU, Case C-252/21, Meta v. Bundeskartellamt 4 July 2023, margin number 124 (available CJEU - C-252/21 - Meta Platforms and Others v Bundeskartellamt).
  58. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 20 (available here).
  59. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 22-25 (available here).
  60. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 25 (available here).
  61. For exceptions in which the processing by public authorities is not related to the performance of their specific task in connection to the public interest, see EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 99 (available here).
  62. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 32 (available here).
  63. Bucher, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin numbers 148-148a (C.H. Beck 2024, 4th Edition).
  64. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 37 and 38 (available here).
  65. WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 30 (available here).
  66. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 39 et seqq. (available here).
  67. CJEU, Case C-708/18, Asociaţia de Proprietari bloc M5A-ScaraA, 11 December 2019, margin number 55 (available here).
  68. EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 40 et seqq. (available here).
  69. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 44 (available here).
  70. CJEU, Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond, 4 October 2024, margin number 56 (available here).
  71. CJEU, Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond, 4 October 2024, margin number 56 (available here); EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 45-49 (available here).
  72. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 47 (available here).
  73. WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 40 (available here).
  74. compare EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 52 et seq. (available here).
  75. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 54 (available here).
  76. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 91 et seqq. (available here).
  77. EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 96 (available here).
  78. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 57 and 62 (available here).
  79. WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, pp. 40-41 (available here).
  80. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 60 (available here).
  81. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 126 et seqq. (available here).
  82. See EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 100 set seqq. (available here) for a detailed analysis; see also Buchner/Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 173 et seq. (C.H. Beck 2024, 4th Edition).
  83. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 16 (available here).
  84. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 17 (available here).
  85. CJEU, Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond, 4 October 2024, margin number 49 (available here).
  86. For a detailed analysis see EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 109 et seqq. (available here).
  87. For a detailed analysis see EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 123 et seqq. (available here).
  88. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 129 (available here).
  89. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 82 (available here).
  90. Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 326 (Oxford University Press 2020).
  91. This is clear from the wording ‘maintain’. See Plath, in Plath, DSGVO BDSG , Art. 6 DSGVO, margin number 126 , (Otto Schmidt 2018).
  92. Frenzel, in Paal/Pauly, DS-GVO BDSG, Article 6, margin number 32 (C.H. Beck 2021, 3rd Edition).
  93. Plath, in Plath, DSGVO BDSG, Article 6 DSGVO, margin number 125, (Otto Schmidt 2018).
  94. Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 6, margin number 32 (C.H. Beck 2021, 3rd Edition).
  95. Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 121 (C.H. Beck 2020, 3rd Edition).
  96. CJEU, Joint Cases C‑17/22 and C‑18/22, 12 September 2024, margin number 71 (available here).
  97. Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 94 (C.H. Beck 2020, 3rd Edition).
  98. Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 197 (C.H. Beck 2020, 3rd Edition).
  99. See VfGH - G 287/2022-16, G 288/2022-14
  100. See Chapter 1, § 7 of the Swedish GDPR Implementation Act (2018:218)
  101. Jahnel, in Jahnel, DSGVO, Article 6, margin number 85 (Jan Sramek Verlag 2021).
  102. Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 195 (C.H. Beck 2020, 3rd Edition).
  103. Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, para 195 (C.H. Beck 2020, 3rd Edition);  Jahnel, in Jahnel, DSGVO, Article 6, margin number 85, (Jan Sramek Verlag 2021).
  104. For example Plath, in Plath, DSGVO BDSG, Article 6 DSGVO, margin number 3, (Otto Schmidt 2018).
  105. Roßnagel et al., in Zeitschrift für Datenschutz (2015) pp. 455-456.
  106. Lex posterior derogat legi priori.
  107. Buchner/Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 180 (C.H. Beck 2018, 2nd Edition).
  108. Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 341 (Oxford University Press 2020).
  109. Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 341 (Oxford University Press 2020).
  110. Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 343 (Oxford University Press 2020).
  111. Article 5(1)(b) GDPR.
  112. Not convincing: Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 342 (Oxford University Press 2020).
  113. See for example Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 326 (Oxford University Press 2020) or
  114. Buchner/Petri, in Kühling, Buchner, DS-GVO BDSG, Article 12, margin number 182 (C.H. Beck 2018, 2nd Edition), with further references.