Article 6 GDPR: Difference between revisions

From GDPRhub
==Commentary==


===(1) Legal Basis===
The GDPR prohibits all processing of personal data unless it is based on one or more of the six legal bases under Article 6(1). There is no hierarchy between these legal bases. A controller may use any of them or use different ones for different processing operations. The legal basis has to be disclosed to the data subject under [[Article 13 GDPR#1c|Article 13(1)(c)]] or [[Article 14 GDPR#1c|Article 14(1)(c)]]. The need for a legal basis under Article 6(1) GDPR is therefore viewed (together with the need to comply with the principles of [[Article 5 GDPR]]) as the "backbone" of the lawfulness of any processing operation.
The GDPR prohibits all processing of personal data unless it is based on one or more of the six alternative legal bases under Article 6(1) GDPR. This means that, by default, the processing of other persons' personal data is prohibited unless one of the exceptions in Article 6(1) GDPR is met. There is no hierarchy between these legal bases. A controller may use any of them or use different ones for different processing operations. The legal basis has to be disclosed to the data subject under [[Article 13 GDPR|Article 13(1)(c) GDPR]] or [[Article 14 GDPR|Article 14(1)(c) GDPR]].


====(a) Consent====
'''(1) Lawful basis for processing'''
Data subjects can be asked to "consent" to the processing for a specific purpose (see [[Article 5 GDPR|Article 5(1)(b) GDPR]]). The GDPR is intended to end the various forms of hidden consent buried in terms and conditions, forced consent ("take it or leave it"), and the need for click-marathons through pre-ticked consent boxes ("opt-out"). To achieve this aim, consent must meet a very high standard to be legally binding. Under the definition of consent in [[Article 4 GDPR|Article 4(11) GDPR]], consent must be freely given, specific,<ref>The principle of specificity of consent (Article 4(11) GDPR) is confirmed by Article 6(1)(a), which requires consent to be given “for one or more specific purposes”. This seems in line with the case law of the Court of Justice of the EU, according to which consent must refer to specific processing activities, clearly identified, in order to allow the user to understand effectively the operations being carried out. See this Commentary under Article 4(11) GDPR.</ref> informed, and unambiguous. Further conditions are contained in [[Article 7 GDPR]] and, on children's consent, in [[Article 8 GDPR]]. Consequently, the conditions for consent are split between [[Article 4 GDPR|Articles 4(11)]], 6(1)(a), [[Article 7 GDPR|7]] and [[Article 8 GDPR|8 GDPR]].


====(b) Contract====
'''''(a) Consent'''''


If data processing is necessary for the performance of a contract, the controller has a legal basis to carry out such operations in pursuance of its freedom to conduct a business.<ref>This supports the freedom to "''conduct a business, which is guaranteed by Article 16 of the Charter, and reflects the fact that sometimes the contractual obligations towards the data subject cannot be performed without the data subject providing certain personal data. If the specific processing is part and parcel of delivery of the requested service, it is in the interests of both parties to process that data, as otherwise the service could not be provided and the contract could not be performed''". In this sense, EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, 8 October 2019, p. 4 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref> For instance, if a data subject orders a product in an online store with a credit card and has it shipped home, some of the resulting processing operations (payment and shipment) are obviously necessary for the performance of the contract. The data subject's data will then be transferred to financial institutions or the postal service to process the payment and deliver the product.
Consent reflects the idea that data subjects must expressly authorise otherwise prohibited processing operations (Article 6(1) GDPR: “''Processing shall be lawful only if and to the extent that at least one of the''” legal bases applies. See also Article 5(1)(b) GDPR). It has traditionally been considered the main legal basis for processing operations.


Article 6(1)(b) GDPR makes these types of processing operations lawful without any further action required from the data subject (for example, consent to share the data with financial institutions).<ref>Some authors have argued that the contractual legal basis laid down explicitly in Article 6(1)(b) GDPR can also be derived more generally "''from the fact that the controller, as a contractual partner, has a legal obligation to fulfill their contractual obligations according to general legal principles''". Furthermore, legitimacy for fulfilling a contractual obligation may also be interpreted as a "''special case of 'legal obligations' and even 'legitimate interests of the controller''". See ''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 330 (Oxford University Press 2020).</ref> According to the relevant legal literature, the contract is, together with consent under Article 6(1)(a) GDPR, the only legal basis in which processing rests (indirectly in the case of a contract, directly in the case of consent) on the data subject's will.<ref>''Resta'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 6 GDPR (Wolters Kluwer 2018), p. 69, which, in turn, refers to Pelino, Bistolfi, Bolognini, Il regolamento privacy europeo (Milano 2018).</ref>


=====Existence of a Valid Contract=====
Under the GDPR, consent must satisfy several requirements to be legally binding. According to the definition in Article 4(11) GDPR, consent must be freely given, specific, informed, and unambiguous. [See this Commentary under [[Article 4 GDPR|Article 4(11)]] GDPR.] Furthermore, under Article 7 GDPR, consent must be requested in a transparent and fair way (Article 7(2) GDPR) and must be withdrawable at any time (Article 7(3) GDPR) [See this Commentary under [[Article 7 GDPR]].]. Finally, Article 8 GDPR stipulates specific requirements that must be respected when consent is given by children [See this Commentary under [[Article 8 GDPR]].]. Consequently, the conditions for valid consent are split between Articles 4(11), 6(1)(a), 7 and 8 GDPR.
It seems clear that the contract mentioned in Article 6(1)(b) must be valid. The GDPR, however, gives no indication as to what makes a contract valid.


Legal scholarship on this point appears to agree that contracts affected by nullity fall outside Article 6(1)(b) GDPR. Heberlein, for example, suggests that “''the contract must be effective and in any case must not suffer from legal defects that lead to its nullity''” [unofficial translation].<ref>''Heberlein'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 13 (Beck, 2nd edition 2018) (accessed 5 October 2021).</ref> Buchner and Petri seem to go in the same direction, confirming that in the case of void contracts recourse to Article 6(1)(b) GDPR is out of the question.<ref>''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 31 (C.H. Beck 2020) (accessed 5 October 2021).</ref>


Defining the concept of contractual "nullity", however, is not easy, especially in terms of uniform European law. The regulation of contractual defects is mostly left to the national legislator, with the consequence that a given contractual defect may be a cause of nullity in some legal systems and not in others. Certainly, some grounds of nullity appear common to European legal traditions: for example, lack of intention, deception and threat. Beyond such textbook cases, however, there are circumstances in which the defect does not render the contract void from the outset but merely voidable (i.e. an originally valid, albeit flawed, contract that may be annulled).
'''''(b) Contract'''''


The uncertainty mentioned above is, however, further reduced, at least in certain areas, by the existence of common European principles, for example the principles of contractual fairness towards the consumer set out in the Unfair Terms Directive 93/13/EEC and other related directives.

::<u>Example:</u> A Spanish controller and a French consumer concluded a contract that is illegal under the applicable French law. The lack of any valid contract means there is no legal basis under Article 6(1)(b) GDPR.
The execution of a contract between two or more parties often involves some processing of personal data. Take, for instance, a data subject who buys a product in an online shop. Performance of this contract by the seller may well require processing of personal data. For example, the data subject's credit card number may be transferred to financial institutions for payment verification purposes. The buyer's name and physical address can be shared with the shipment service for product delivery. In these cases (i.e. when processing activities are necessary for the performance of the contract), Article 6(1)(b) GDPR is applicable and no further action from the data subject is required (for example, obtaining their consent to share the data with financial institutions). [Scholars suggest that, together with consent ([[Article 6 GDPR|Article 6(1)(a) GDPR]]), contract is the only legal basis covered by [[Article 6 GDPR|Article 6]] in which processing is based on the data subject's will: a direct will in the case of consent, and an indirect one in the case of contract (by agreeing to the terms). See ''Resta'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 6 GDPR p. 69 (Wolters Kluwer 2018), which, in turn, refers to Pelino, Bistolfi, Bolognini, Il regolamento privacy europeo (Giuffrè 2018).] The contractual legal basis applies if two conditions are met: (i) the contract between data subject and controller is valid and (ii) the (specific) processing is necessary for the performance of the contract.


In conclusion, in order to understand whether or not a contract is valid, it seems appropriate first to identify the law applicable to the case and second to verify whether, in the light of that law, the contract is valid.<ref>The EDPB seems to accept this reading in recent guidelines, where it is made clear that "''contracts and contractual terms must comply with the requirements of contract laws and, as the case may be for consumer contracts, consumer protection laws in order for processing based on those terms to be considered fair and lawful''". See EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, 8 October 2019, p. 4 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref>


=====Necessity=====
''Existence of a Valid Contract''


The scope of the contract has to be assessed. Processing operations that fall outside the scope of the contract cannot be based on Article 6(1)(b) GDPR.
A contract under Article 6(1)(b) must be valid. Heberlein suggests that “''the contract must be effective and in any case must not suffer from legal defects that lead to its nullity''” [unofficial translation].[''Heberlein'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 13 (C.H. Beck, 2nd Edition 2018).] Buchner and Petri appear to go in the same direction, confirming that in the case of void contracts recourse to Article 6(1)(b) GDPR is out of the question. [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 31 (C.H. Beck 2020, 3<sup>rd</sup> Edition).]


::<u>Example:</u> An order of a product cannot serve as a basis to sell customer data to a data broker.


The processing of personal data must be necessary for the performance of the contract. A mere connection with the contract is not sufficient. This does not mean that the controller may only use personal data if there is absolutely no other way to perform the contract, but processing that is not necessary cannot be justified by Article 6(1)(b) GDPR.
Example: A Spanish controller and a French consumer concluded a contract that is illegal under the applicable French law. The lack of any valid contract means there is no legal basis under Article 6(1)(b).


::<u>Example:</u> It is not necessary to track a user to generate personal suggestions simply because the data subject bought a mobile application.


=====Party to the Contract=====
However, defining the concept of contractual "invalidity" is not an easy task. The European Union has no comprehensive regulation of contracts, meaning that a given contractual flaw may render an agreement invalid in some legal systems and not in others. Admittedly, certain contractual defects seem to be common to many European legal traditions: for example, lack of intention, misrepresentation and duress. Beyond such standard cases, however, there are circumstances in which a defect does not render a contract void, but only voidable.


The controller and the data subject must be parties to the contract. Contracts cannot lead to the processing of personal data of third party data subjects.


::<u>Example:</u> A contract between company A and B on personalized advertisement does not form a legal basis to process the personal data of data subject C.
Further, where common principles of European contract law are available, such contractual uncertainty is less significant. Take, for instance, the regulation on contractual fairness and transparency towards the consumer. The Unfair Contract Terms Directive, for instance, declares that a contractual clause “''shall be regarded as unfair if, contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer''.” The EDPB has clarified that these rules can be taken into account in assessing the validity of a national contract: “''contracts and contractual terms must comply with'' […] ''consumer protection laws in order for processing based on those terms to be considered fair and lawful''”. [EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 5 (available here).]


=====Precontractual Steps=====


Under Article 6(1)(b) GDPR, processing may also be lawful in precontractual situations at the request of the data subject, for example where data is processed to prepare an offer for a package tour. As noted by ''Kotschy'', although such data processing could be based on explicit consent or legitimate interest, “mentioning it under Article 6(1)(b) GDPR makes a difference as to the consequences, as in case of Article 6(1)(b) GDPR the data subject cannot terminate lawful processing either by withdrawing consent or by objecting” (see [[Article 7 GDPR|Articles 7(3)]] and [[Article 21 GDPR|21(1) GDPR]]). <ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 332 (Oxford University Press 2020) citing Dammann and Simitis 1997, p. 149.</ref>
In conclusion, in order to understand whether a contract is valid or not, it seems appropriate to first identify the applicable law and, second, verify whether the contract is valid under that law (including any applicable EU law).


====(c) Legal Obligation====


Article 6(1)(c) GDPR recognises any legal obligation to which the controller is subject. Countless European and national laws oblige controllers to collect, process and store personal data.
''Necessary for the Performance of the Contract''


Processing that goes beyond these legal obligations is not lawful under this provision. Equally, national permissions (as opposed to obligations) to process data do not fall under this provision. Any obligation to process data under another law must itself be proportionate ([https://fra.europa.eu/en/charterpedia/article/7-respect-private-and-family-life Articles 7] and [https://fra.europa.eu/en/charterpedia/article/8-protection-personal-data 8 of the EU Charter of Fundamental Rights]) and comply with Article 6(2) and (3) GDPR.
Contractual necessity, i.e. the requirement that a processing operation be necessary for the performance of the contract, is one of the most controversial legal bases under the EU's data protection framework.


::<u>Example:</u> Tax law requires the keeping of certain records for 7 years, which GDPR recognizes.


====(d) Vital Interest====
Contractual necessity can be either a very logical and meaningful basis for processing (see the example of the e-commerce provided above) or, according to some, the perfect tool to bypass the application of more stringent and transparent legal bases (for instance, consent or legitimate interest), if not the whole GDPR. [Austrian Supreme Court asks CJEU if Facebook "undermines" the GDPR by confusing 'consent' with an alleged 'contract'. (Available here).]
Recital 46 clarifies that a vital interest is one which is "''essential for the life''" of the data subject or of another natural person, and includes processing necessary for humanitarian purposes, such as "''monitoring epidemics and their spread''" or responding to "''situations of natural and man-made disasters''". Recital 46 adds that processing based on the vital interest of another natural person should in principle take place only where it cannot manifestly be based on another legal basis.


Unlike in [[Article 9 GDPR]], the capability of the data subject to provide consent to processing is not mentioned. However, ''Kotschy'' argues that the principle of fair processing “''might require that the data subject should be consulted if possible.''”<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 334 (Oxford University Press 2020).</ref>


The vital interest of a natural person other than the data subject may also be used as a legal basis under Article 6(1)(d) GDPR. Processing of a data subject's personal data in order to protect the life of another could also constitute a "legitimate interest" under Article 6(1)(f) GDPR; however, Article 6(1)(f) GDPR notably does not apply to processing carried out by public authorities in the performance of their tasks.
The concept of “necessity” must be interpreted in the light of applicable European law: “''what is at issue is a concept'' [necessity] ''which has its own independent meaning in Community law and which must be interpreted in a manner which fully reflects the objective of that Directive,'' [Directive 95/46]'', as laid down in Article 1(1) thereof''”. [CJEU, Case C‑524/06, ''Huber'', 18 December 2008, margin number 52 (available here).]


====(e) Public Interest====
Under Article 6(1)(e) GDPR, data controllers can legally process personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This acts as the general basis for personal data processing in the public sector. <ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 336 (Oxford University Press 2020).</ref>


Recital 46 provides examples of the types of processing that qualify under Article 6(1)(e) GDPR.


''Kotschy'' highlights how in the English version of the GDPR it is unclear whether it is the "''task''", or the "''official authority''" that must be "''vested in the controller''", whilst a reading of the German version suggests that it is the task. This "''vesting''" of a task requires a legal provision, excluding situations where tasks are assigned by contract, even in the public interest. This is particularly significant for private entities.<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 340 (Oxford University Press 2020).</ref>
From a systematic point of view, the contract (and, to be accurate, every other legal basis) constitutes an exception to the general prohibition of data processing (“''Processing shall be lawful '''only if''' and '''to the extent that at least one''' of the''” legal bases applies, Article 6(1) GDPR). As such, the exception itself and all the wording it carries, including the “necessity” requirement, should be interpreted narrowly. This was confirmed by the CJEU in the Rīgas case: “''As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is '''strictly necessary'''''”. [CJEU, Case C‑13/16, ''Rīgas satiksme'', 4 May 2017, margin number 30 (available here).]


The extent to which private entities must also be vested with official authority in order to qualify under Article 6(1)(e) GDPR is disputed.


Processing under Article 6(1)(e) GDPR must be "necessary" for the performance of relevant tasks. This should be interpreted strictly in light of proportionality, and "if there are several alternatives," the "least intrusive" is appropriate.  
Now, if “necessity” under Article 6(1)(b) must fully reflect the objectives of the GDPR (see paragraph above), then further (normative) factors contribute to its definition, such as the principles of purpose limitation and data minimisation, fairness and transparency. The concept of “necessity” therefore seems to imply that, in deciding which specific processing method to implement, a controller should take into account all the alternative, less intrusive measures available. [CJEU, Joined Cases C‑92/09 and C‑93/09, ''Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen'', 9 November 2010 (available here).]


Finally, in its Joint Response on the US Cloud Act, the EDPB made clear that Article 6(1)(e) GDPR is not satisfied "solely on the basis of a compelling request" from a foreign authority.<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 339 (Oxford University Press 2020) with reference to EDPB-EDPS Joint Response to the LIBE Committee on the impact of the US Cloud Act on the European legal framework for personal data protection, 12 July 2019, [https://edpb.europa.eu/our-work-tools/our-documents/letters/edpb-edps-joint-response-libe-committee-impact-us-cloud-act_sk p. 4].</ref>


====(f) Legitimate Interest====
Drawing on the above, the EDPB has clarified that assessing what is “necessary” involves a factual assessment of the processing for the objective pursued and of whether less intrusive alternatives that achieve the same goal exist. If realistic, less intrusive alternatives exist, then the more intrusive ones must be excluded, i.e. they are not “necessary” under a GDPR-oriented interpretation. Thus, Article 6(1)(b) does not “''cover processing which is useful but not objectively necessary for performing the contractual service''”. [EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 8 (available here), which is in line with an earlier Working Party 29 Opinion according to which the requirement of necessity should be interpreted strictly and does not cover situations where the processing “''is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller. Also the fact that some processing is covered by a contract does not automatically mean that the processing is necessary for its performance''”. For further guidance, see WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’, 844/14/EN WP 217, 9 April 2014, pp. 16–17 (available here).]


The most debated exception to the prohibition on processing others' personal data is the so-called ''legitimate interest''. While there are cases at the core of the balancing test where there is a clear overriding interest in processing personal data (e.g. when enforcing a legal claim against an offender), there are other areas where the existence of a ''legitimate interest'' that overrides the interests of the data subject is controversial or a minority view.


Because it is in many cases inherently unclear whether a legitimate interest exists, controllers may want to avoid this legal basis whenever one of the other five legal bases is available to them.
To this end, “''It is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance''”. [This view was recently endorsed by the EDPB in EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 9 (available here).] In practice, the assessment should be driven by questions such as: what is the nature of the service being provided to the data subject? What are its distinguishing characteristics? What is the exact rationale of the contract (i.e. its substance and fundamental object) and essential elements? What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party? [EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 10 (available here).]


=====Legitimate interest of the Controller or Third party=====


A legitimate interest may be a legal, factual or economic interest. It must be "legitimate", which requires more than merely being lawful or conceivable. It must be "pursued by the controller or by a third party", which means it must actually be pursued. It must be an interest of the controller or a third party; it may not be a public interest (see Article 6(1)(e) GDPR).
''Pending issues''


======Controller or Third Party======
According to Buchner and Petri, the EDPB’s guidance provides clear in-principle support in “traditional” cases “''such as a purchase or work contract,'' [where necessity] ''can be easily determined'' […] ''For example, it is undisputed that personal data such as name, address and payment data'' […] ''must be processed in order to execute an online purchase order''” [unofficial translation]. At the same time, however, it does not seem particularly helpful in the case of complex contracts whose "ultimate" meaning is not immediately apparent. [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 39 (C.H. Beck 2020, 3rd Edition). See also the examples provided in EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), pp. 14-15 (available here).]


The legitimate interest may be the interest of a controller or anyone else ("third party").


::<u>Example:</u> A video surveillance system at a bank may not only process data in the interest of the bank (usually the controller) but also to protect customers in a bank if a robbery were to occur.
The difficulty is illustrated by the EDPB’s ambivalent views on online behavioural advertising. While, on the one hand, the EDPB states that “''As a general rule, processing of personal data for behavioural advertising is not necessary for the performance of a contract for online services''” and that “[n]''ormally, it would be hard to argue that the contract had not been performed because there were no behavioural ads''” [As the reader can see, the EDPB introduces a range of qualitative tests that are not, or do not look, entirely “objective”. See EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 14 (available here).], on the other hand it admits that “''Within the boundaries of contractual law, and if applicable, consumer law, controllers are free to design their business, services and contracts''”, and that “''In some cases, a controller may wish to bundle several separate services or elements of a service with different fundamental purposes, features or rationale into one contract''”. [EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 11 (available here).]


======Public Authorities======


Article 6(1)(f) GDPR may not be relied upon by public authorities for processing carried out in the performance of their tasks (Article 6(1), second subparagraph, GDPR).
In conclusion, in light of the available information, it is not easy to determine where the limit to controllers' contractual freedom lies, especially where the processing of personal data is in some way instrumental to the controller's general business model (and contracts). In such cases, the question boils down to the degree to which the freedom to conduct a business may be limited in pursuance of other protected interests, including data protection.


=====Necessity=====


The processing of personal data must be "necessary" to achieve the legitimate interests of the controller or the third party.
That said, Article 16 of the EU Charter states that “''the freedom to conduct a business in accordance with Community law and national laws and practices is recognised''”. It is apparent from this wording that the controller’s contractual freedom is not absolute, but must be viewed in relation to its social function [See, to that effect, Joined Cases C‑184/02 and C‑223/02, ''Spain and Finland'' v ''Parliament'' ''and Council'', 9 September 2004, margin numbers 51-52 (available here), and Case C‑544/10, ''Deutsches Weintor'', 6 September 2012, margin number 54 (available here) and the case‑law cited.]. Indeed, “''the freedom to conduct a business may be subject to a broad range of interventions on the part of public authorities which may limit the exercise of economic activity in the public interest''”. [CJEU, Case C‑283/11, ''Sky Österreich'', 22 January 2013, margin number 46 (available here).]


=====Balancing=====


Once a legitimate interest and the necessity of processing personal data are established, the interests of the controller and the data subject must be balanced.<ref>In CJEU, 24 November 2011, ASNEF and FECEMD, C-468/10 and C-469/10, margin number 38 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=115205&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=135346 here]), the CJEU named two elements for a test under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 7(f) of Directive 95/46/EC]:
Further, in Sky Österreich, the CJEU has clarified that, in accordance with Article 52(1) of the Charter, any limitation on the exercise of the rights and freedoms recognised by the Charter “''must be provided for by law and respect the essence of those rights and freedoms and, in compliance with the principle of proportionality, must be necessary and actually meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others''”. [CJEU, Case C‑283/11, ''Sky Österreich'', 22 January 2013, margin number 48 (available here).]


Firstly, the processing of the personal data must be necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed; and,


Secondly, such interests must not be overridden by the fundamental rights and freedoms of the data subject.
It is clear, in our case, that the “necessity” clause stipulated in Article 6(1)(b) constitutes a good example of a limit to the controller’s contractual freedom. Otherwise, if a controller (dealing with personal data) could arbitrarily arrange the scope of its contracts so as to make any processing activity “necessary”, then the reference to “necessity” would become absolutely useless (and contracts would become, indeed, a tool to bypass the Regulation).


The wording of Article 6(1)(f) GDPR and [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 7(f) of Directive 95/46] are sufficiently overlapping to be able to apply this test after the introduction of GDPR.</ref><ref>The following situations are generally assumed to form a legitimate interest:


''Defense of legal claims''
At least in theory, such limitation seems to respect the threshold set up by the CJEU. It does not prohibit data processing based on contractual necessity and therefore does not seem to “''affect the core content of the freedom to conduct a business''”. It also seems proportionate because, by indirectly calling into action the GDPR and its guiding principles, it does not “''exceed the limits of what is appropriate and necessary in order to attain the objectives legitimately pursued by the legislation in question'' [the GDPR, in this case]”. [CJEU, Case C‑283/11, ''Sky Österreich'', 22 January 2013, margin numbers 49-50 (available here).]


It is generally accepted that the defence of legal claims is a legitimate interest. This includes civil law claims (whether contractual or not) as well as administrative or criminal cases. Any such use of personal data must still comply with other provisions like the general principles in [https://gdprhub.eu/Article_5_GDPR Article 5 GDPR].


''Fraud prevention''
That being said, a general and conclusive answer does not seem possible. Rather, the necessity assessment must be based on a case-by-case analysis. It goes without saying that such an assessment will only be possible if both the services provided and the related “necessary” processing are well defined. At the moment, however, there seems to be no answer to these long-standing questions, and this is why a preliminary referral to the CJEU by the Austrian Supreme Court seems of particular interest, as it is meant to clarify the relationship between Article 6(1)(a) and 6(1)(b) GDPR. [One of the questions is: “''Are the provisions of Article 6(1)(a) and (b) of the General Data Protection Regulation (GDPR) to be interpreted as meaning that the lawfulness of contractual provisions in general terms of service for platform agreements such as that in the main proceedings (in particular, contractual provisions such as: ‘Instead of paying … by using the Facebook Products covered by these Terms you agree that we can show you ads … We use your personal data … to show you ads that are more relevant to you.’) which provide for the processing of personal data with a view to aggregating and analysing it for the purposes of personalised advertising must be assessed in accordance with the requirements of Article 6(1)(a) of the GDPR, read in conjunction with Article 7 thereof, which cannot be replaced by invoking Article 6(1)(b) thereof?''” CJEU, Case C-446/21, ''Schrems v Facebook Ireland'', 20 July 2021 (available here).]


Recital 47 explicitly names the prevention of fraud as a legitimate interest. In practice, the likelihood of any fraudulent activity needs to be assessed and balanced against the interference with the rights of the data subject. Previous fraudulent activity may be an indicator. Any such use of personal data must still comply with other provisions like the general principles in [https://gdprhub.eu/Article_5_GDPR Article 5 GDPR].


''Network security''
''Termination of Contract''


Recital 49 explicitly deals with data processing for network security. Processing of personal data for these purposes can also be derived as a legal duty under [https://gdprhub.eu/Article_32_GDPR Article 32 GDPR]. Any such use of personal data must still comply with other provisions like the general principles in [https://gdprhub.eu/Article_5_GDPR Article 5 GDPR].
Where the processing is based on the performance of a contract, full termination of the latter involves the complete interruption of the processing activities. Furthermore, under Article 17(1)(a) GDPR, the erasure of data is mandatory when it is no longer required in relation to the purposes for which it was collected. Of course, the same data can still be processed for other purposes, including compliance with a legal obligation, the establishment, exercise or defence of legal claims and other legal purposes.


''Search engines''


Insofar as search engines process personal data, the right to freedom of information by the user as well as the rights of the search engine operators generally leads to an overriding legitimate interest. This may, however, be overridden by the interests of specific data subjects.
''Necessary for Taking Steps prior to Entering into a Contract''


''Video surveillance:''
Under Article 6(1)(b) GDPR, data processing may also be lawful in pre-contractual situations at the request of the data subject, for example where data is processed to prepare an offer for a package tour.


In many national laws under [https://eur-lex.europa.eu/eli/dir/1995/46/oj Directive 95/46/EC], video surveillance ("CCTV") was accepted under the legitimate interest. Many limitations on the specific situations when a controller has an overriding interest in surveillance over the interest of others were defined in national laws.


When there is a genuine security challenge or threat, the use of structural surveillance may override the interests of data subjects. This includes the security of third parties, like the safety of passengers on a train. Such examples may include a high-risk institution (e.g. banks) or previous criminal activity (e.g. thefts, violent crime or vandalism). Any video surveillance system must still comply with other provisions like the general principles in [https://gdprhub.eu/Article_5_GDPR Article 5 GDPR]. This means that the recordings must be destroyed as soon as the purpose is fulfilled (usually the time it takes to become aware of a crime, which may be 72 hours over a weekend). Data minimisation also requires that only the strictly necessary area is filmed. Other obligations, like informing the public through signs under [https://gdprhub.eu/Article_13_GDPR Article 13 GDPR], also need to be observed.
As noted by ''Kotschy'', although such data processing could be based on explicit consent or legitimate interest, “''mentioning it under Article 6(1)(b) GDPR makes a difference as to the consequences, as in case of Article 6(1)(b) GDPR the data subject cannot terminate lawful processing either by withdrawing consent or by objecting''” (see [[Article 7 GDPR|Articles 7(3)]] and [[Article 21 GDPR|21(1) GDPR]]). [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 331 (Oxford University Press 2020), citing Dammann and Simitis 1997, p. 149.]


''Direct marketing:''


During the negotiations on the GDPR there were multiple attempts to include "direct marketing" in the list of legitimate interests. In the end, the negotiating parties agreed not to reach a clear agreement: "direct marketing" was moved to the last sentence of the non-binding recitals and the word "may" was added.
The EDPB points out that “''this provision would not cover unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party''”. [EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 13 (available here).]


Recital 47 now says that direct marketing "''may'' be regarded" as carried out for a legitimate interest. At the same time, [[Article 21 GDPR|Article 21(2) GDPR]] includes an absolute right to object to direct marketing. Generally, the GDPR therefore seems to accept that direct marketing ''can'' be a legitimate interest ("''may''") while recognizing that it will not always be a legitimate interest across all situations. After all, a controller must engage in a balancing test in each individual case.


The only legal description of "direct marketing" can be found in [https://eur-lex.europa.eu/eli/dir/2002/58/oj Article 13(3) of the ePrivacy Directive 2002/58/EC], which requires (1) obtaining the personal data in the context of the sale of a product or service (''existing relationship''), (2) the use by the same controller, for (3) its own similar products or services and (4) a clear and distinctive opportunity to object when the data is collected and with any further communication. It can be assumed that these situations also form a legitimate interest within the meaning of the GDPR.</ref>
'''''(c) legal obligation'''''


======Interests, Rights and Freedoms of the Data Subject======
The GDPR recognises that under countless European and national laws controllers may be obliged to collect, store, and otherwise process personal information. Under Article 6(1)(c), such processing operations are considered lawful if they are necessary to fulfil the obligation. This is the case, for instance, when an employer processes personal data for social insurance purposes, or when a bank carries out processing required by money laundering legislation.


On the side of the data subject, not only the rights to privacy and data protection ([https://fra.europa.eu/en/eu-charter/article/7-respect-private-and-family-life Articles 7] and [https://fra.europa.eu/en/eu-charter/article/8-protection-personal-data 8 EU Charter of Fundamental Rights]) must be considered, but also other rights, freedoms, and interests. This can include anything from minor personal or economic interests all the way to the freedom of speech.


The legitimate interests of the controller on the one hand and the rights of the data subject on the other have to be balanced. Recital 47 highlights the importance of the data subject's reasonable expectations, based on the relationship between the data subject and the controller, within the balancing test.
The legal obligation to which the controller is subject must originate directly from the law and not from a contractual arrangement [WP 29, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 844/14/EN, 9 April 2014, p. 19 (available here: <nowiki>https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf</nowiki>)]. Such law does not have to be parliamentary law (or at least, not entirely). According to ''Kotschy'', “''Article 6(1)(c) would also cover situations where the obligation is not entirely specified in a law but by an additional legal act under public law such as secondary or delegated legislation or even by a binding decision of a public authority in a concrete case''”. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, p. 333 (Oxford University Press 2020).]


======Reasonable Expectations======
The controller must objectively and fairly assess what a data subject would reasonably expect in a given situation.


::<u>Example:</u> While the average person may expect CCTV in a bank, they may oppose any such surveillance inside a private space like a hotel room.
The legal provision which defines the legal obligations for the controller does not need to be specific to each individual processing. It must, however, be sufficiently clear, precise and foreseeable and, in particular, define the purposes of the processing. [''Heberlein'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 15 (C.H. Beck 2018, 2nd Edition).]


======Relationship Between Controllers and Data Subjects======
Relationships between controllers and data subjects may lead to a certain level of trust but also to certain expectations by both parties. There is no clear rule that a more intense relationship should lead to more intense data protection. In many cases the opposite may be true.


While it may be reasonable to distrust a new customer, it may not be reasonable to distrust a loyal long-term customer. Similarly, it may be unreasonable to expect that a controller will conduct surveillance on third-party property. However, the fact that a data subject enters the property of the controller may make certain surveillance reasonable.
Processing that goes beyond these legal obligations is not lawful under this provision. Any obligation to process data under another law must itself be proportionate (Articles 7 and 8 EU Charter of Fundamental Rights) and in compliance with Article 6(2) and (3) GDPR.


======Children======


Article 6(1)(f) GDPR explicitly mentions situations "in particular where the data subject is a child". This seems to indicate that a balancing test needs to take the specific interests and expectations of a child into account.
'''''(d) Vital Interest'''''


===(2) Option to Further Determine Article 6(1)(c) and (e) GDPR===
Data processing may also be lawful if it is necessary to protect the vital interests of the data subject or of another natural person. The underlying assumption here is that the right to life takes precedence over data protection. Recital 46 clarifies that a vital interest is one which is "''essential for the life''" of the data subject. It follows that data processing on this ground “''requires that a situation of concrete and imminent danger exists for the data subject or a third (natural) person''”. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 333 (Oxford University Press 2020).]
Member states can maintain or introduce provisions to specify and adapt the requirements for legal processing under Article 6(1)(c) GDPR (processing based on a "legal obligation") and Article 6(1)(e) GDPR ("public interest"), as well as to ensure lawful and fair processing regarding the specific processing situations outlined in GDPR Chapter IX.  


Member states can consequently keep sector-specific data protection law in the public sector so long as it complies with the GDPR, as such law would be based on Article 6(1)(e) GDPR.<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 340 (Oxford University Press 2020).</ref>
''Vital interest as a form of legitimate interest?''


In terms of private sector laws, Article 6(2) GDPR notably does not refer to Article 6(1)(f) GDPR. However, national laws regarding private sector entities may qualify where these deal with the situations prescribed in GDPR Chapter IX. <ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 340 (Oxford University Press 2020).</ref>
It seems undisputed that the survival of an individual is a legitimate interest. According to ''Kotschy'', if a controller processes personal data of an individual in order to protect the survival of a third person, this is “''a clear case of processing on the basis of Article 6(1)(f)''” - and one with a perfect balance of interests because “''As long as processing data for the vital interests of a third person respects proportionality concerning the interference with the rights of the data subject, all legitimate interests at stake in such a situation are properly taken care of''”. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 334 (Oxford University Press 2020).]


Details on Member States’ varying implementations of the GDPR can be found in the GDPRhub [[:Category:Country Overview|Country Overview]].
===(3) Formal Requirements Under Article 6(1)(c) and (e) GDPR===
Article 6(3) GDPR specifies that in order for processing to be based on Article 6(1)(c) and (e) GDPR, the controller’s legal obligation, or the task vested in the controller, must be laid down by Union Law or Member State Law to which the controller is subject. In other words, "tasks based exclusively on foreign law cannot provide a legal basis for processing."


Under Recital 45 GDPR, the GDPR "''does not require a specific law for each individual processing''". "''A law as a basis for several processing operations [...] may be sufficient.''"
This interpretation should be welcomed for two reasons. First, since Article 6(1)(f) only applies to private sector controllers, it allows vital interests to be taken into account by public bodies as well. Second, it helps to prevent a rather controversial interpretation of Article 9(2)(c) GDPR.


Article 6(3) and Recital 45 GDPR also provide examples of content for Member State Laws which, in accordance with Article 6(2) GDPR, specify and adapt the GDPR's rules regarding processing under Article 6(1)(c) or (e) GDPR.


===(4) Change of Purpose===
For example, this provision (“''processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent''”) applies when the treatment of an unconscious car accident victim requires the processing of their personal data and there is no time or possibility to ask for their prior consent (for example, the transmission of their blood values to a third party, or the sharing of a child's health data in the absence of their parents’ authorisation). [''Heberlein'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 18 (C.H. Beck 2018, 2nd Edition).]
Article 6(4) GDPR prescribes factors to be taken into account where a controller wishes to further process personal data for a purpose other than that for which it was collected, where no other legal basis applies. This is only possible where the original and further purposes are "compatible." The factors set out in Article 6(4)(a)-(c) GDPR are not exhaustive.


''Kotschy'' notes two key issues emerging from the factors in Article 6(4)(a)-(c) GDPR.<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 341 (Oxford University Press 2020).</ref> The first regards the relationship between the initial and further purpose. Notably, the new purpose does not need to be a "''sub purpose''" of the initial purpose. Rather, compatibility can exist where the initial and further purpose are “''pursued ‘together’ in close vicinity''” or where the further purpose is “''a logical consequence of the initial purpose.''” <ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 341 (Oxford University Press 2020).</ref>


Recital 50 GDPR adds that "''the reasonable expectations of data subjects based on their relationship with the controller''" should be considered. As ''Kotschy'' argues, "compatibility" thus largely rests on “''what is usual and what is to be expected in certain circumstances.''” For example, where a customer receives further marketing information from an organisation they recently purchased from, this would classify as compatible further use, as customer relationship management “''is a usual activity resulting from the customer relationship."''<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 341 (Oxford University Press 2020).</ref>
The same clause, however, could be misunderstood as providing the data subject with the power to decide about the life and death of another individual by granting or refusing consent to the processing of their data (“''processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent''”).


The second issue regards the assessment of risk that may stem from processing, prescribed in Article 6(4)(c)-(e) GDPR. Importantly, further processing “''must not result in a substantially higher risk than the initial lawful processing.''” The presence of sensitive personal data is specifically mentioned as a risk factor. Risks may be mitigated by various safeguards, such as encryption or pseudonymisation. To rely on further processing compatibility, controllers must be able to demonstrate that an assessment of all relevant risks was done.<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 341 (Oxford University Press 2020).</ref>
According to ''Kotschy'', “''Irrespective of its formulation, the last part of Article 9(2)(c), prioritising consent, must be read as referring only to the case of 'vital interests of the data subject', as the legitimate interest of a third person in survival clearly overrides the data protection interests of the data subject''”. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 334 (Oxford University Press 2020).]


The potential to legally process information for a purpose that does not directly correlate with the original, but where there is a very high level of safeguards in place, is not yet clear from the law or relevant jurisprudence.<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 341 (Oxford University Press 2020).</ref>


'''''(e) public interest'''''
Data controllers can rely on this legal basis for lawful processing if the data is processed for public sector purposes. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 335 (Oxford University Press 2020).] Such purposes include tasks that are traditionally performed by the state and carried out administratively. [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 124 (C.H. Beck 2020, 3rd Edition).] However, the provision follows a functional approach, [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 111 (C.H. Beck 2020, 3rd Edition), citing Dammann & Simitis, DSRL Art. 7, (Nomos 1997) p. 10.] meaning that private entities could also, in theory, rely on this legal basis. [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 111 (C.H. Beck 2020, 3rd Edition).] For example, one can think of a private operator of an electricity supply network which is responsible for network performance and for reducing overall electricity consumption and which uses smart meters to do so. [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 131 (C.H. Beck 2020, 3rd Edition).] However, this is rarely the case, since, typically, private entities would rely on Article 6(1)(f). Since there are many exceptions as to ''who'' can rely on this basis in ''which case'', it is essential to reflect on the exact wording of the provision, and to analyse each part.
''Necessary for''
In order to determine whether this requirement is met, one must assess whether the purpose of the processing is in line with Articles 7 and 8 CFR. Moreover, restrictions to these rights must be proportionate. [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 119 (C.H. Beck 2020, 3rd Edition).] This is not the case if there are less intrusive alternatives to reach the same objective. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 336 (Oxford University Press 2020).] Ultimately, restrictions and limitations to the rights must be limited to ‘what is strictly necessary’. [CJEU, Case C-73/07, ''Satakunnan Markkinapörssi Oy,'' 16 December 2008, margin number 56 (available here).] Following the CJEU in ''Huber'', it seems that the threshold of ‘necessity’ is met if data processing leads to a more efficient application of regulations. [CJEU, Case C-524/06, ''Huber,'' 16 December 2008, margin number 52 (available here).]
''Performance of a task carried out in the public interest or in the exercise of official authority''
The use of the word ‘or’, rather than ‘and’, suggests two things. First, the provision seems to include private bodies entrusted with a task which serves the public interest. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 336 (Oxford University Press 2020).] Second, it is up to the legislator whether these private bodies are also granted ‘official authority’. [''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 336 (Oxford University Press 2020).] After all, it could be that the private body operates without this ‘official authority’, but still processes data to perform a task that benefits the public. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 336 (Oxford University Press 2020).] This is the case, for instance, if a company pursues a commercial purpose that can ''also'' be seen as a public interest, e.g. a telecommunications provider. [''Frenzel,'' in Paal/Pauly, DS-GVO BDSG, Article 6, margin number 24 (C.H. Beck 2021, 3rd Edition).]
''Vested in the controller''  
''Kotschy'' states that the English version of the provision creates uncertainty since it is unclear whether the part ''“vested in the controller”'' relates to ''“a task”'' or to ''“in the exercise of official authority”''. By comparing the text to the German version, which places a comma right before ''“vested in the controller”'', ''Kotschy'' concludes that this part relates to ''“a task”''. This means that a controller can only rely on this legal basis if this task has been “''entrusted to the controller”'', [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 335 (Oxford University Press 2020).] which is only the case if this follows from a legal provision. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 335 (Oxford University Press 2020), citing Albrecht and Jotzo 2017, margin number 45; Kramer 2017, margin number 24; Frenzel 2017, margin number 24.]
'''''(f) legitimate interest'''''
The legal basis in Article 6(1)(f) GDPR often requires a delicate balancing of relevant interests. In general terms, the controller may adopt this legal basis whenever its own interests in performing a certain processing operation override those of the data subject.
The balancing act in question is “''not a straightforward balancing test which would simply consist of weighing two easily quantifiable and easily comparable 'weights' against each other''”. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 23 (available here).] The WP29, in the only and now outdated guidance on the point, suggests a multi-step procedure. First, controllers ought to verify whether their interest is actually “legitimate”. Second, they need to identify the data subject’s interests, rights and freedoms. Third, they have to establish (through an appropriate balancing operation) whether the controller’s (presumably legitimate) interests are overridden by those of the data subject. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 23 (available here).]
''Whether the Interest is Legitimate''
In the view of the Working Party, the notion of interest [A distinction must first be made between interest and purpose. Interest is the general objective that a controller intends to pursue (e.g. ensuring the occupational safety of its employees). The purpose, on the other hand, is the specific aim of a certain processing activity (for instance, implementation of specific access control procedures to only allow trained personnel in certain areas of the workplace). See WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 24 (available here).] can include a broad range of activities, whether trivial or very compelling, straightforward or more controversial. In general terms, an interest is “legitimate” if the controller can lawfully pursue it, that is, in accordance with the GDPR and any applicable law.
As to what “law” means in this case, in the absence of updated guidance, reference should be made to the instructions provided by the WP29 in Opinion 3/2013 on purpose limitation, according to which the notion of "law" must be interpreted in an extensive manner, including all forms of written or common law, as interpreted by the competent courts and supplemented by other official sources. [See, WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 25 (available here).]
The above seems to be confirmed by the recent guidelines on contract-based processing. There, the EDPB clarified that the contract (and thus, by analogy, the legitimate interest) must be valid, i.e. it “''must comply with the requirements of contract laws and, as the case may be for consumer contracts, consumer protection laws in order for processing based on those terms to be considered fair and lawful''”. [EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 5 (available here).]
''--Legitimate Interest pursued by the Controller''
The interest at stake must also be “''pursued by the controller''”. This requires a real and present interest, instrumental to the controller’s current activities or benefits expected in the very near future. In other words, interests that are too vague or speculative will not be sufficient. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 24 (available here).]
''--Legitimate interest of the third party''
According to Article 6(1)(f) the processing can also lawfully take place for the legitimate interests pursued by a third party. This is “secondary use” of data (or “further processing”) per Article 5(1)(b) GDPR and, under Article 6(4) GDPR, in the absence of consent or a law explicitly allowing it, “''is permitted only if it is compatible with the purpose of the initial processing''”. It follows that the third party’s interest must fulfill two conditions: it shall be “legitimate” and “compatible” with the purpose of the initial processing. [''Kotschy,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, [Update of Selected Articles - May 2021] Article 6 GDPR, p. 74 (Oxford University Press 2020).]
''Interests or fundamental rights and freedoms of the data subject''
In general, the definition of “fundamental rights and freedoms” includes all the traditional rights foreseen in the European constitutions, the Charter of Fundamental Rights of the EU as well as the European Convention on Human Rights. This obviously includes the right to the protection of personal data, private and family life, freedom of expression and human dignity. In addition to the fundamental rights of the data subject, other “freedoms or interests” must also be taken into account. This includes the interest not to suffer any economic disadvantages, regardless of whether the damage occurs following the publication of personal data or in another way, such as via a discriminatory personalised pricing policy. [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin numbers 148-148a (C.H. Beck 2020, 3rd Edition).]
Finally, it is important to note that unlike the case of the controller’s interests, the adjective “legitimate” is not used here to precede the ‘interests’ of the data subjects. This implies a wider scope to the protection of individuals’ interests and rights. It follows that even individuals engaged in illegal activities should not be subject to disproportionate interference with their rights and interests. For example, “''an individual who may have perpetrated theft in a supermarket could still see his interests prevailing against the publication of his picture and private address on the walls of the supermarket and/or on the Internet by the owner of the shop''”. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 30 (available here).]
''Balancing test (“overridden by”)''
The fact that the controller has such a legitimate interest in the processing of certain data does not mean that it can necessarily rely on Article 6(1)(f) as a legal ground for the processing. The legitimacy of the data controller’s interest is just a starting point, while the overall lawfulness of the entire processing operation based on legitimate interests will depend on the outcome of the balancing test between the two opposed positions. To do so, the WP29 suggests a four-step test which includes (a) assessing the controller’s legitimate interest, (b) evaluating the impacts of such interest on the data subjects, (c) striking a provisional balance and, should the situation still be uncertain, (d) applying additional safeguards to reduce any negative impact on the data subjects.
''Assessing the controller’s legitimate interest''
The WP29 points out that a controller’s legitimate interest may be justified by their freedom of expression and information, academic and scientific research, right of access to documents, as well as the right to liberty and security, freedom of thought, conscience and religion, the freedom to conduct a business, the right to property and to an effective judicial remedy or the presumption of innocence. In other cases, the controller may even invoke the public interest, for instance when it enforces policies that ensure the safety of an online community.
''Evaluating the Impact on the Data Subject''
Once the controller's interest has been assessed, the impact of the processing on the data subject's interests or fundamental rights should be evaluated. Several elements can be useful at this stage, including the likelihood that a risk materialises, the severity of its consequences, the number of individuals potentially affected and the nature of the data. In general, the more sensitive the information involved, the more serious the consequences for the data subject may be.
Also of relevance is the way the information is being processed, whether it is shared with a large number of actors or persons or combined with other data sets. Finally, the reasonable expectations of the data subjects and the status of the controller should be considered (Recital 47). In particular, it is important to evaluate whether the status of the data controller, the nature of the relationship or the service provided, or the applicable legal or contractual obligations (or other promises made at the time of collection) could give rise to reasonable expectations of stricter confidentiality and stricter limitations on further use. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 40 (available here).]
In C-708/18, TK, para. 53-59, the CJEU elaborated on the criteria for the balancing of interests. In a case involving the lawfulness of a CCTV surveillance system, the Court considered different factors including whether the data to be processed were retrieved from publicly accessible sources or were rather related to the data subject’s private life; the nature of the data, particularly their sensitiveness; and the modalities of processing, including the number of persons having access to the data. As Kotschy points out, the Court also “''took implicitly into account recital 47, which stresses the importance of the reasonable expectations of the data subjects based on the time and context of the processing, and indicates that conflict with these expectations could, in certain cases, ‘override’ a controller’s interest in ‘further processing’''”. [See ''Kotschy,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021] Article 6 GDPR, p. 74 (Oxford University Press 2020). In CJEU, Joined Cases C-468/10 and C-469/10, ''ASNEF and FECEMD'', 24 November 2011, margin number 38 (available here), the CJEU named two elements for a test under Article 7(f) of Directive 95/46/EC. Firstly, the processing of the personal data must be necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed. Secondly, such interests must not be overridden by the fundamental rights and freedoms of the data subject. The wording of Article 6(1)(f) GDPR and Article 7(f) of Directive 95/46/EC overlap sufficiently for this test to remain applicable after the introduction of the GDPR.]
''Provisional balance''
The essence of the balancing act is not clarified by the WP29's opinion (nor does the GDPR provide any general instruction on the matter). It follows that, in accordance with the principle of accountability, the balancing act is entirely in the hands of the data controller who, taking into account the elements described above, must proceed in one direction or another, assuming full responsibility for the choice.
It goes without saying that the controller should document and be able to demonstrate the reasoning used to reach their conclusions. These assessments must therefore be made on a case-by-case basis. [The following situations are generally assumed to form a legitimate interest:
* ''Defence of legal claims'': It is generally accepted that the defence of legal claims is a legitimate interest. This includes civil law claims (whether contractual or not), administrative or criminal cases. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR.
* ''Fraud prevention'': Recital 47 explicitly names the prevention of fraud as a legitimate interest. In practice, the likelihood of fraudulent activity has to be assessed and balanced against the interference with the rights of the data subject. Previous fraudulent activity may be an indicator. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR.
* ''Network security'': Recital 49 explicitly deals with data processing for network and information security. Processing of personal data for these purposes may also follow from the controller's security obligations under Article 32 GDPR. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR.
* ''Search engines'': Insofar as search engines process personal data, the right to freedom of information of the users as well as the rights of the search engine operators generally lead to an overriding legitimate interest. This may, however, be overridden by the interests of specific data subjects.
* ''Video surveillance'': In many national laws under Directive 95/46/EC, video surveillance ("CCTV") was accepted under the legitimate interest. Many limitations on the specific situations in which a controller has an interest in surveillance that overrides the interests of others were defined in national laws. When there is a genuine security challenge or threat, the use of structural surveillance may override the interests of data subjects. This includes the security of third parties, like the safety of passengers on a train. Such examples may include a high-risk institution (e.g. banks) or previous criminal activity (e.g. thefts, violent crime or vandalism). Any video surveillance system must still comply with other provisions like the general principles in Article 5 GDPR. This means that the recordings must be destroyed as soon as the purpose is fulfilled (usually the time needed to notice that a crime has occurred, which may be up to 72 hours over a weekend). Data minimisation also requires that only the strictly necessary area is filmed. Other obligations, like informing the public through signs under Article 13 GDPR, also need to be observed.
* ''Direct marketing'': During the negotiations on the GDPR there were multiple attempts to include "direct marketing" in the list of legitimate interests. In the end, the negotiating parties did not reach a clear agreement: "direct marketing" was moved to the last sentence of the non-binding recitals and the word "may" was added. Recital 47 now says that direct marketing "may be regarded" as carried out for a legitimate interest. At the same time, [[Article 21 GDPR|Article 21(2) GDPR]] includes an absolute right to object to direct marketing. Generally, the GDPR therefore seems to accept that direct marketing can be a legitimate interest ("may") while recognising that it will not be a legitimate interest in every situation. After all, a controller must engage in a balancing test in each individual case. The only legal description of "direct marketing" can be found in Article 13(2) of the ePrivacy Directive 2002/58/EC, which requires (1) obtaining the contact details in the context of the sale of a product or service (existing relationship), (2) use by the same controller, for (3) its own similar products or services and (4) a clear and distinct opportunity to object when the data is collected and with every further communication. It can be assumed that these situations also form a legitimate interest within the meaning of the GDPR.] This does not mean, however, that official guidelines cannot be used, where available, to draw useful indications for processing operations that share common characteristics. [''Heberlein'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 32 (C.H. Beck, 2nd edition 2018).]
''Additional safeguards''
In cases where it is not clear which way the balance should be struck, the controller may consider whether it is possible to introduce additional safeguards.  For example, these may include the “''strict limitation on how much data is collected, or immediate deletion of data after use. While some of these measures may already be compulsory under the Directive, they are often scalable and leave room for controllers to ensure better protection of data subjects''” as well as “''providing an easily workable and accessible mechanism to ensure an unconditional possibility for data subjects to opt-out of the processing''”. These additional measures may in some cases help tip the balance and help ensure that the processing can be based on Article 6(1)(f), whilst simultaneously protecting the rights and interests of the data subjects. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, pp. 40-41 (available here).]
''Children''
Article 6(1)(f) GDPR explicitly mentions situations "''in particular where the data subject is a child''". This seems to indicate that a balancing test needs to take the specific interests and expectations of a child into account.
'''(2) In case of processing under Article 6(1)(c) and (e) specific national rules are possible'''
This provision gives Member States more competence in the public sector, [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 326 (Oxford University Press 2020).] since it allows them to adopt, or keep, [This is clear from the wording ‘maintain’. See ''Plath'', in Plath, DSGVO BDSG, Art. 6 DSGVO, margin number 126 (Otto Schmidt 2018).] their own (material) rules that regulate in which instances a controller can rely on the legal bases provided for in Article 6(1)(c) and Article 6(1)(e).
Member States can do so by providing specific requirements for the processing (including provisions relating to specific processing situations), ultimately to ensure that this processing is lawful and fair. [''Frenzel'', in Paal, Pauly, DS-GVO BDSG, Article 6, margin number 32 (C.H. Beck 2021, 3rd Edition).] From this wording it is apparent that these national provisions must stay within, and cannot go beyond, the framework of the GDPR. [''Plath'', in Plath, DSGVO BDSG, Article 6 DSGVO, margin number 125 (Otto Schmidt 2018).]
Since this provision allows Member States to enact denser regulation as well as more concrete requirements for controllers, ''Frenzel'' notes that this can lead to conflicts, not only between a Member State and the Commission (since the latter monitors the application of Union law), but also between different processing situations handled by the same controller or vis-à-vis the same data subject. [''Frenzel'', in Paal, Pauly, DS-GVO BDSG, Article 6, margin number 32 (C.H. Beck 2021, 3rd Edition).]
'''(3) In case of processing under Article 6(1)(c) and (e) specific national rules must follow the GDPR instructions'''
According to Article 6(3), the legal basis for processing under Article 6(1)(c) (legal obligation) and Article 6(1)(e) (public interest) ''shall'' be laid down by (a) Union, or (b) Member State law. Contrary to Article 6(1)(c), however, the public interest processing does not have to be ''expressly'' laid down in a legal basis. It suffices if the processing is necessary to fulfil a task which serves the public interest, or in the exercise of official authority, and the task is described in a specific and clear manner. [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 121 (C.H. Beck 2020, 3rd Edition).]
Moreover, the provision allows that legal basis to contain specific provisions adapting the application of the GDPR, and lists, ''inter alia'', the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures. This list is non-exhaustive and non-binding, but the items on it are certainly permissible specific provisions. [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 94 (C.H. Beck 2020, 3rd Edition).] Lastly, the constituent element ‘Member State law’ refers to all material law of that Member State. [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 197 (C.H. Beck 2020, 3rd Edition).]
''Relationship 6(2) and 6(3): unclear and grounds for dispute''
It is important to set out that it remains unclear how Articles 6(2) and 6(3) relate to one another, legally and systematically. [''Jahnel'', in Jahnel, DSGVO, Article 6, margin number 85 (Jan Sramek Verlag 2021).] Some authors ascribe a more ‘declaratory nature’ to Article 6(2), [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 195 (C.H. Beck 2020, 3rd Edition).] and see Article 6(3) as the clause that offers the ''actual'' competence to enact material-specific data protection regulation. [''Buchner, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 195 (C.H. Beck 2020, 3rd Edition); ''Jahnel'', in Jahnel, DSGVO, Article 6, margin number 85 (Jan Sramek Verlag 2021).] Other authors state that Article 6(2) ''does'' permit Member States to adopt material-specific regulation, and see Article 6(3) as a clause that sets out concrete requirements for this regulation. [For example ''Plath'', in Plath, DSGVO BDSG, Article 6 DSGVO, margin number 3 (Otto Schmidt 2018).] Yet another group of authors does not see these requirements as ‘additional’, but as cumulative. [Roßnagel et al., in Zeitschrift für Datenschutz (2015) pp. 455-456.] Hence, the only thing that ''is'' clear is that the exact relationship between the two clauses remains disputed.
'''(4) Further processing'''
Article 6(4) GDPR prescribes certain factors to be taken into account where a controller wishes to further process personal data for a purpose other than that for which it was collected, where no other legal basis applies. This is only possible where the original and further purposes are "compatible". The factors set out in Article 6(4)(a)-(e) GDPR are introduced by ''inter alia'' and are therefore not exhaustive.
Kotschy notes two key issues emerging from the factors in Article 6(4)(a)-(e) GDPR. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 341 (Oxford University Press 2020).] The first regards the relationship between the initial and further purpose. Notably, the new purpose does not need to be a "sub purpose" of the initial one. Rather, compatibility can exist where the initial and further purpose are “''pursued ‘together’ in close vicinity''” or where the further purpose is “''a logical consequence of the initial purpose''”. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 341 (Oxford University Press 2020).] Recital 50 GDPR adds that "''the reasonable expectations of data subjects based on their relationship with the controller''" should be considered.
As Kotschy argues, "compatibility" therefore largely rests on “''what is usual and what is to be expected in certain circumstances''”. For example, where a customer receives further marketing information from an organisation they recently purchased from, this would qualify as compatible further use, as customer relationship management “''is a usual activity resulting from the customer relationship.''" [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 342 (Oxford University Press 2020).]
The second issue regards the assessment of risk that may stem from processing, prescribed in Article 6(4)(c)-(e) GDPR. Importantly, further processing “''must not result in a substantially higher risk than the initial lawful processing''.” The presence of sensitive personal data is specifically mentioned as a risk factor. Risks may be mitigated by various safeguards, such as encryption or pseudonymisation. To rely on further processing compatibility, controllers must be able to demonstrate that an assessment of all relevant risks was done. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 343 (Oxford University Press 2020).]
The potential to lawfully process information for a purpose that does not directly correlate with the original one, but where a very high level of safeguards is in place, is not yet clear from the law or relevant jurisprudence. It will have to be decided by future jurisprudence whether Article 6(4) “''might justify an assumption of ‘compatibility’ also in cases where the new purpose does not specifically ‘correlate’ to the initial purpose, but where a very high standard of risk containment is implemented''”. [''Kotschy'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 343 (Oxford University Press 2020).]
==Decisions==
→ You can find all related decisions in [[:Category:Article 6 GDPR]]

Revision as of 06:40, 25 April 2022

Article 6: Lawfulness of processing

Legal Text


Article 6 - Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.


2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.


3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a) Union law; or
(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.


4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Relevant Recitals

Recital 39: Principles of Data Processing
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. 
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 40: Lawfulness of Data Processing
In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Recital 41: Legal Basis or a Legislative Measure
Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.

Recital 42: Proof and Requirements for Consent
Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Recital 43: Freely Given Consent
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Recital 44: Processing in the Context of a Contract
Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

Recital 45: Legal Basis in Union or Member State Law
Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

Recital 46: Vital Interest of a Natural Person
The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

Recital 47: Overriding Legitimate Interests
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Recital 48: Data Transfers Within a Group of Undertakings
Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

Recital 49: Network and Information Security as a Legitimate Interest
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Recital 50: Compatible Purpose for Further Processing
The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations. 
Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

Recital 171: Repeal of Directive 95/46/EC and Transition Phase
Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.

Commentary

The GDPR prohibits all processing of personal data unless it is based on one or more of the six legal bases under Article 6(1). There is no hierarchy between these legal bases. A controller may use any of them or use different ones for different processing operations. The legal basis has to be disclosed to the data subject under [[Article 13 GDPR#1c|Article 13(1)(c)]] or [[Article 14 GDPR#1c|Article 14(1)(c)]]. The need for a legal basis under Article 6(1) GDPR is therefore viewed (together with the need to comply with the principles of [[Article 5 GDPR]]) as the "backbone" for the legality of any processing operation.

(1) Lawful basis for processing

(a) Consent

Consent reflects the idea that data subjects must expressly authorise otherwise prohibited processing operations (Article 6(1) GDPR: “Processing shall be lawful only if and to the extent that at least one of the” legal bases applies. See also Article 5(1)(b) GDPR). It has traditionally been considered the main legal basis for processing operations.


Under the GDPR, consent must satisfy several requirements to be legally binding. According to the definition in Article 4(11) GDPR, consent must be freely given, specific, informed, and unambiguous. [See this Commentary under Article 4(11) GDPR.] Furthermore, under Article 7 GDPR, consent must be requested in a transparent and fair way (Article 7(2) GDPR) and must be withdrawable at any time (Article 7(3) GDPR) [See this Commentary under Article 7 GDPR.]. Finally, Article 8 GDPR stipulates that specific requirements must be respected when consent is given by children [See this Commentary under Article 8 GDPR.]. Consequently, the conditions for valid consent are split between Articles 4(11), 6(1)(a), 7 and 8 GDPR.


(b) Contract

The execution of a contract between two or more parties often involves some processing of personal data. Take, for instance, a data subject who buys a product in an online shop. Performance of this contract by the seller may well require processing of personal data. For example, the data subject's credit card number may be transferred to financial institutions for payment verification purposes. The buyer’s name and physical address can be shared with the shipment service for product delivery. In these cases (i.e. when processing activities are necessary for the performance of the contract), Article 6(1)(b) GDPR is applicable and no further action from the data subject is required (for example, obtaining their consent to share the data with financial institutions). [Scholars suggest that, together with consent (Article 6(1)(a) GDPR), contract is the only legal basis covered by Article 6 in which processing is based on the data subject's will: a direct will in the case of consent, and an indirect one in the case of contract (by agreeing to the Terms). See Resta, in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 6 GDPR p. 69 (Wolters Kluwer 2018), which, in turn, refers to Pelino, Bistolfi, Bolognini, Il regolamento privacy europeo (Giuffrè 2018).] This legal basis applies if two conditions are met: (i) the contract between data subject and controller is valid and (ii) the (specific) processing is necessary for the performance of the contract.


Existence of a Valid Contract

A contract under Article 6(1)(b) must be valid. Heberlein suggests that “the contract must be effective and in any case must not suffer from legal defects that lead to its nullity” [unofficial translation]. [Heberlein, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 13 (C.H. Beck 2018, 2nd Edition).] Buchner and Petri appear to go in the same direction, confirming that in the case of void contracts recourse to Article 6(1)(b) GDPR seems out of the question. [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 31 (C.H. Beck 2020, 3rd Edition).]


Example: A Spanish controller and a French consumer concluded a contract that is illegal under the applicable French law. The lack of any valid contract means there is no legal basis under Article 6(1)(b).


However, defining the concept of contractual "invalidity" is not an easy task. The European Union does not have a comprehensive regulation of contracts, meaning that certain contractual flaws may render an agreement invalid in some legal systems and not in others. Certain contractual defects do seem to be common to many European legal traditions: for example, defects of intention, misrepresentation and duress. However, beyond such standard cases there are circumstances in which a breach does not necessarily lead to a contract being void, but only voidable.


Further, where common principles of European contract law are available, such contractual uncertainty is less significant. Take, for instance, the regulation on contractual fairness and transparency towards the consumer. The Unfair Contract Terms Directive, for instance, declares that a contractual clause “shall be regarded as unfair if, contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer.” The EDPB has clarified that these rules can be taken into account in assessing the validity of a national contract: “contracts and contractual terms must comply with […] consumer protection laws in order for processing based on those terms to be considered fair and lawful”. [EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 5 (available here).]


In conclusion, in order to understand whether a contract is valid or not, it seems appropriate to first identify the applicable law and, second, verify whether the contract is valid under that law (including any applicable EU law).


Necessary for the Performance of the Contract

The necessity of a processing operation for the performance of the contract is one of the most controversial legal bases existing under the EU’s data protection framework.


Contractual necessity can be either a very logical and meaningful basis for processing (see the example of the e-commerce provided above) or, according to some, the perfect tool to bypass the application of more stringent and transparent legal bases (for instance, consent or legitimate interest), if not the whole GDPR. [Austrian Supreme Court asks CJEU if Facebook "undermines" the GDPR by confusing 'consent' with an alleged 'contract'. (Available here).]


The concept of “necessity” must be interpreted in the light of applicable European law: “what is at issue is a concept [necessity] which has its own independent meaning in Community law and which must be interpreted in a manner which fully reflects the objective of that Directive, [Directive 95/46], as laid down in Article 1(1) thereof”. [CJEU, Case C‑524/06, Huber, 16 December 2008, margin number 52 (available here).]


From a systematic point of view, the contract (and to be accurate, all other legal bases) constitutes an exemption to the general prohibition of data processing (“Processing shall be lawful only if and to the extent that at least one of the” legal bases applies, Article 6(1) GDPR). As such, the exemption itself and all the wording it carries, including the “necessity” requirement, should be interpreted narrowly. This was confirmed by CJEU in the Rīgas case: “As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”. [CJEU, Case C‑13/16, Rīgas satiksme, 4 May 2017, margin number 30 (available here).]


Now, if “necessity” under Article 6(1)(b) must fully reflect the objectives of the GDPR (see paragraph above), then further (normative) factors contribute to its definition, such as the principles of purpose limitation and data minimisation, fairness and transparency. The concept of “necessity” therefore seems to imply that, in deciding which specific processing method a controller may want to implement, they should take into account all the alternative, less intrusive measures available. [CJEU, Joined Cases C‑92/09 and C‑93/09, Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen, 9 November 2010 (available here).]


Drawing on the above, the EDPB has clarified that assessing what is “necessary” involves a factual assessment of the processing for the objective pursued and of whether less intrusive alternatives that achieve the same goal exist. If there are realistic, less intrusive alternatives, then the other, more intrusive ones must be excluded – i.e. they are not “necessary” following a GDPR-oriented interpretation. Thus, Article 6(1)(b) does not “cover processing which is useful but not objectively necessary for performing the contractual service”. [EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 8 (available here), which seems in perfect accordance with a previous Article 29 Working Party Opinion according to which the requirement of necessity should be interpreted strictly and does not cover situations where the processing “is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller. Also the fact that some processing is covered by a contract does not automatically mean that the processing is necessary for its performance”. For further guidance, see WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, pp. 16–17 (available here).]


To this end, “It is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance”. [This view was recently endorsed by the EDPB in EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 9 (available here).] In practice, the assessment should be driven by questions such as: what is the nature of the service being provided to the data subject? What are its distinguishing characteristics? What is the exact rationale of the contract (i.e. its substance and fundamental object) and essential elements? What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party? [EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 10 (available here).]


Pending issues

According to Buchner and Petri, the EDPB’s guidance provides clear in-principle support in “traditional” cases “such as a purchase or work contract, [where necessity] can be easily determined […] For example, it is undisputed that personal data such as name, address and payment data […] must be processed in order to execute an online purchase order” [unofficial translation]. At the same time, however, it does not seem particularly helpful in the case of complex contracts whose "ultimate" meaning is not immediately apparent. [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 39 (C.H. Beck 2020, 3rd Edition). See also the examples provided in EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), pp. 14-15 (available here).]


The above seems confirmed by the EDPB’s unclear views on online behavioural advertising. On the one hand, the EDPB states that “As a general rule, processing of personal data for behavioural advertising is not necessary for the performance of a contract for online services” and that “[n]ormally, it would be hard to argue that the contract had not been performed because there were no behavioural ads”. [As the reader can see, the EDPB introduces a range of qualitative tests that are not – or do not look – entirely “objective”. See EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 14 (available here).] On the other hand, it admits that “Within the boundaries of contractual law, and if applicable, consumer law, controllers are free to design their business, services and contracts”, and that “In some cases, a controller may wish to bundle several separate services or elements of a service with different fundamental purposes, features or rationale into one contract”. [EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 11 (available here).]


In conclusion, in light of the available information, it does not seem easy to determine where the limit to controllers' contractual freedom lies, especially where the processing of personal data is in some way instrumental to the controller's general business model (and contracts). In such cases, the question boils down to the degree to which the freedom to conduct a business may be limited in pursuance of other protected interests, including data protection.


That said, Article 16 of the EU Charter states that “the freedom to conduct a business in accordance with Community law and national laws and practices is recognised”. It is apparent from this wording that the controller’s contractual freedom is not absolute, but must be viewed in relation to its social function. [See, to that effect, Joined Cases C‑184/02 and C‑223/02, Spain and Finland v Parliament and Council, 9 September 2004, margin numbers 51-52 (available here), and Case C‑544/10, Deutsches Weintor, 6 September 2012, margin number 54 (available here) and the case‑law cited.] Indeed, “the freedom to conduct a business may be subject to a broad range of interventions on the part of public authorities which may limit the exercise of economic activity in the public interest”. [CJEU, Case C‑283/11, Sky Österreich, 22 January 2013, margin number 46 (available here).]


Further, in Sky Österreich, the CJEU has clarified that, in accordance with Article 52(1) of the Charter, any limitation on the exercise of the rights and freedoms recognised by the Charter “must be provided for by law and respect the essence of those rights and freedoms and, in compliance with the principle of proportionality, must be necessary and actually meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others”. [CJEU, Case C‑283/11, Sky Österreich, 22 January 2013, margin number 48 (available here).]


It is clear, in our case, that the “necessity” clause stipulated in Article 6(1)(b) constitutes a good example of a limit to the controller’s contractual freedom. Otherwise, if a controller (dealing with personal data) could arbitrarily arrange the scope of its contracts so as to make any processing activity “necessary”, then the reference to “necessity” would become meaningless (and contracts would indeed become a tool to bypass the Regulation).


At least in theory, such limitation seems to respect the threshold set up by the CJEU. It does not prohibit data processing based on contractual necessity and therefore does not seem to “affect the core content of the freedom to conduct a business”. It also seems proportionate because, by indirectly calling into action the GDPR and its guiding principles, it does not “exceed the limits of what is appropriate and necessary in order to attain the objectives legitimately pursued by the legislation in question [the GDPR, in this case]”. [CJEU, Case C‑283/11, Sky Österreich, 22 January 2013, margin numbers 49-50 (available here).]


That being said, a general and conclusive answer does not seem possible. Rather, the necessity assessment must be based on a case-by-case analysis. It goes without saying that such an assessment will only be possible if both the services provided and the related “necessary” processing are well defined. At the moment, however, there seems to be no answer to these long-standing questions, which is why a preliminary referral to the CJEU by the Austrian Supreme Court seems of particular interest, as it is meant to clarify the relationship between Article 6(1)(a) and 6(1)(b) GDPR. [One of the questions is: “Are the provisions of Article 6(1)(a) and (b) of the General Data Protection Regulation (GDPR) to be interpreted as meaning that the lawfulness of contractual provisions in general terms of service for platform agreements such as that in the main proceedings (in particular, contractual provisions such as: ‘Instead of paying … by using the Facebook Products covered by these Terms you agree that we can show you ads … We use your personal data … to show you ads that are more relevant to you.’) which provide for the processing of personal data with a view to aggregating and analysing it for the purposes of personalised advertising must be assessed in accordance with the requirements of Article 6(1)(a) of the GDPR, read in conjunction with Article 7 thereof, which cannot be replaced by invoking Article 6(1)(b) thereof?” CJEU, Case C-446/21, Schrems v Facebook Ireland, 20 July 2021 (available here).]


Termination of Contract

Where the processing is based on the performance of a contract, full termination of the contract means that processing on this basis must cease. Furthermore, under Article 17(1)(a) GDPR, the erasure of data is mandatory when it is no longer necessary in relation to the purposes for which it was collected. Of course, the same data can still be processed for other purposes, provided a legal basis exists for them, including compliance with a legal obligation, the establishment, exercise or defence of legal claims and other legal purposes.


Necessary for Taking Steps prior to Entering into a Contract

Under Article 6(1)(b) GDPR, data processing may also be lawful in pre-contractual situations at the request of the data subject, for example where data is processed to prepare an offer for a package tour.


As noted by Kotschy, although such data processing could be based on explicit consent or legitimate interest, “mentioning it under Article 6(1)(b) GDPR makes a difference as to the consequences, as in case of Article 6(1)(b) GDPR the data subject cannot terminate lawful processing either by withdrawing consent or by objecting” (see Articles 7(3) and 21(1) GDPR). [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 331 (Oxford University Press 2020), citing Dammann and Simitis 1997, p. 149.]


The EDPB points out that “this provision would not cover unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party”. [EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 13 (available here).]


(c) Legal Obligation

The GDPR recognises that under countless European and national laws controllers may be obliged to collect, store, and otherwise process personal information. Under Article 6(1)(c), such processing operations are considered lawful if they are necessary for compliance with the obligation. This is the case, for instance, when an employer processes personal data for social insurance purposes, or when a bank carries out processing required by anti-money laundering legislation.


The legal obligation to which the controller is subject must originate directly from the law and not from a contractual arrangement. [WP29, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 844/14/EN, 9 April 2014, p. 19 (available here: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf)] Such law does not have to be parliamentary law (or at least, not entirely). According to Kotschy, “Article 6(1)(c) would also cover situations where the obligation is not entirely specified in a law but by an additional legal act under public law such as secondary or delegated legislation or even by a binding decision of a public authority in a concrete case”. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, p. 333 (Oxford University Press 2020).]


The legal provision which defines the legal obligations for the controller does not need to be specific to each individual processing. It must, however, be sufficiently clear, precise and foreseeable and, in particular, define the purposes of the processing. [Heberlein, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 15 (C.H. Beck 2018, 2nd Edition).]


Processing that goes beyond these legal obligations is not lawful under this provision. Any obligation to process data under another law must itself be proportionate (Articles 7 and 8 of the EU Charter of Fundamental Rights) and in compliance with Article 6(2) and (3) GDPR.


(d) Vital Interest

Processing may also be lawful if it is necessary to protect the vital interests of the data subject or of another natural person. The underlying assumption here is that the right to life takes precedence over data protection. Recital 46 clarifies that a vital interest is one which is "essential for the life" of the data subject. It follows that data processing on this ground “requires that a situation of concrete and imminent danger exists for the data subject or a third (natural) person”. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 333 (Oxford University Press 2020).]

Vital interest as a form of legitimate interest?

It seems undisputed that the survival of an individual is a legitimate interest. According to Kotschy, if a controller processes personal data of an individual in order to protect the survival of a third person, this is “a clear case of processing on the basis of Article 6(1)(f)” - and one with a perfect balance of interests because “As long as processing data for the vital interests of a third person respects proportionality concerning the interference with the rights of the data subject, all legitimate interests at stake in such a situation are properly taken care of”. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 334 (Oxford University Press 2020).]


This interpretation should be welcomed for two reasons. First, since Article 6(1)(f) applies only to private sector controllers, Article 6(1)(d) allows vital interests to be taken into account by public bodies as well. Second, it helps to prevent a rather controversial interpretation of Article 9(2)(c) GDPR.


For example, this provision (“processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”) applies when the treatment of an unconscious car accident victim requires the processing of their personal data and there is no time or possibility to ask for their prior consent (for example, regarding the transmission of their blood values to a third party), or where the health data of a child must be shared in the absence of their parents’ authorisation. [Heberlein, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 18 (C.H. Beck 2018, 2nd Edition).]


The same clause, however, could be misunderstood as providing the data subject with the power to decide about the life and death of another individual by granting or refusing consent to the processing of their data (“processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”).


According to Kotschy, “Irrespective of its formulation, the last part of Article 9(2)(c), prioritising consent, must be read as referring only to the case of ‘vital interests of the data subject’, as the legitimate interest of a third person in survival clearly overrides the data protection interests of the data subject”. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 334 (Oxford University Press 2020).]


====(e) Public interest====

Data controllers can rely on this legal basis for lawful processing if the data is processed for public sector purposes. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 335 (Oxford University Press 2020).] Such purposes include tasks that are traditionally performed by the state and carried out administratively. [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 124 (C.H. Beck 2020, 3rd Edition).] However, the provision follows a functional approach, [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 111 (C.H. Beck 2020, 3rd Edition), citing Dammann & Simitis, DSRL Art. 7, (Nomos 1997) p. 10.] meaning that private entities could also, in theory, rely on this legal basis. [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 111 (C.H. Beck 2020, 3rd Edition).] For example, one can think of a private operator of an electricity supply network which is responsible for the performance of the network and for reducing overall electricity consumption, and which uses smart meters to do so. [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 131 (C.H. Beck 2020, 3rd Edition).] However, this is rarely the case, since private entities would typically rely on Article 6(1)(f). Since there are many exceptions as to who may rely on this basis and in which cases, it is essential to reflect on the exact wording of the provision and to analyse each of its parts.

=====Necessary for=====

In order to determine whether this requirement is met, one must assess whether the purpose of the processing is in line with Articles 7 and 8 CFR. Moreover, restrictions to these rights must be proportionate. [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 119 (C.H. Beck 2020, 3rd Edition).] This is not the case if there are less intrusive alternatives to reach the same objective. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 336 (Oxford University Press 2020).] Ultimately, restrictions and limitations to the rights must be limited to ‘what is strictly necessary’. [CJEU, Case C-73/07, Satakunnan Markkinapörssi Oy, 16 December 2008, margin number 56 (available here).] Following the CJEU in Huber, it seems that the threshold of ‘necessity’ is met if data processing leads to a more efficient application of regulations. [CJEU, Case C-524/06, Huber, 16 December 2008, margin number 52 (available here).]

=====Performance of a task carried out in the public interest or in the exercise of official authority=====

The use of the word ‘or’, rather than ‘and’, suggests two things. First, the provision seems to include private bodies vested with the performance of a task which serves the public interest. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 336 (Oxford University Press 2020).] Second, it is up to the legislator whether these private bodies are also granted ‘official authority’. [Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 336 (Oxford University Press 2020).] After all, it could be that the private body operates without this ‘official authority’, but still processes data to perform a task that benefits the public. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 336 (Oxford University Press 2020).] This may be the case where a company pursues a commercial purpose that can also be seen as serving a public interest, e.g. a telecommunication provider. [Frenzel, in Paal/Pauly, DS-GVO BDSG, Article 6, margin number 24 (C.H. Beck 2021, 3rd Edition).]

=====Vested in the controller=====

Kotschy states that the English version of the provision creates uncertainty since it is unclear whether the part “vested in the controller” relates to “a task” or to “in the exercise of official authority”. By comparing the text to the German version, which places a comma right before “vested in the controller”, he concludes that this part relates to “a task”. This means that a controller can only rely on this legal basis if the task has been “entrusted to the controller”, [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 335 (Oxford University Press 2020).] which is only the case if this follows from a legal provision. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 335 (Oxford University Press 2020), citing Albrecht and Jotzo 2017, margin number 45; Kramer 2017, margin number 24; Frenzel 2017, margin number 24.]


====(f) Legitimate interest====

The legal basis in Article 6(1)(f) GDPR often requires a delicate balancing of relevant interests. In general terms, the controller may adopt this legal basis whenever its own interests in performing a certain processing operation override those of the data subject.


The balancing act in question is “not a straightforward balancing test which would simply consist of weighing two easily quantifiable and easily comparable 'weights' against each other”. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 23 (available here).] The WP29, in the only (and now outdated) guidance on the point, suggests a multi-step procedure. First, controllers ought to verify whether their interest is actually “legitimate”. Second, they need to identify the data subject’s interests, rights and freedoms. Third, they have to establish (through an appropriate balancing operation) whether the controller’s (presumably legitimate) interests are overridden by those of the data subject. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 23 (available here).]

=====Whether the interest is legitimate=====

In the view of the Working Party, the notion of interest [A distinction must first be made between interest and purpose. The interest is the general objective that a controller intends to pursue (e.g. ensuring the occupational safety of its employees). The purpose, on the other hand, is the specific aim of a certain processing activity (for instance, the implementation of specific access control procedures to only allow trained personnel into certain areas of the workplace). See WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 24 (available here).] can include a broad range of activities, whether trivial or very compelling, straightforward or more controversial. In general terms, an interest is “legitimate” if the controller can legitimately pursue it, that is, in accordance with the GDPR and any applicable law.


As to what “law” means in this case, in the absence of updated guidance, reference should be made to the instructions provided by the WP29 in Opinion 3/2013 on purpose limitation, according to which the notion of “law” must be interpreted in an extensive manner, including all forms of written or common law, as interpreted by the competent courts and supplemented by other official sources. [See WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 25 (available here).]


The above seems to be confirmed by the recent guidelines on contract-based processing. There, the EDPB clarified that the contract (and thus, by analogy, the legitimate interest) must be valid, i.e. it “must comply with the requirements of contract laws and, as the case may be for consumer contracts, consumer protection laws in order for processing based on those terms to be considered fair and lawful”. [EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, 8 October 2019 (Version 2.0), p. 5 (available here).]


======Legitimate interest pursued by the controller======

The interest at stake must also be “pursued by the controller”. This requires a real and present interest, instrumental to the controller’s current activities or benefits expected in the very near future. In other words, interests that are too vague or speculative will not be sufficient. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 24 (available here).]


======Legitimate interest of the third party======

According to Article 6(1)(f), the processing can also lawfully take place for the legitimate interests pursued by a third party. This is a “secondary use” of data (or “further processing”) per Article 5(1)(b) GDPR and, under Article 6(4) GDPR, in the absence of consent or a law explicitly allowing it, “is permitted only if it is compatible with the purpose of the initial processing”. It follows that the third party’s interest must fulfil two conditions: it shall be “legitimate” and “compatible” with the purpose of the initial processing. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, [Update of Selected Articles - May 2021] Article 6 GDPR, p. 74 (Oxford University Press 2020).]


=====Interests or fundamental rights and freedoms of the data subject=====

In general, the definition of “fundamental rights and freedoms” includes all the traditional rights foreseen in the European constitutions, the Charter of Fundamental Rights of the EU as well as the European Convention on Human Rights. This obviously includes the right to the protection of personal data, personal and family life, freedom of expression and human dignity. In addition to the fundamental rights of the data subject, other “freedoms or interests” must also be taken into account. This includes the interest not to suffer any economic disadvantages, regardless of whether the damage occurs following the publication of personal data or in another way, such as via a discriminatory personalised pricing policy. [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin numbers 148-148a (C.H. Beck 2020, 3rd Edition).]


Finally, it is important to note that, unlike in the case of the controller’s interests, the adjective “legitimate” does not precede the ‘interests’ of the data subjects here. This implies a wider scope for the protection of individuals’ interests and rights. It follows that even individuals engaged in illegal activities should not be subject to disproportionate interference with their rights and interests. For example, “an individual who may have perpetrated theft in a supermarket could still see his interests prevailing against the publication of his picture and private address on the walls of the supermarket and/or on the Internet by the owner of the shop”. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 30 (available here).]


=====Balancing test (“overridden by”)=====

The fact that the controller has such a legitimate interest in the processing of certain data does not mean that it can necessarily rely on Article 6(1)(f) as a legal ground for the processing. The legitimacy of the data controller’s interest is just a starting point, while the overall lawfulness of the entire processing operation based on legitimate interests will depend on the outcome of the balancing test between the two opposed positions. To carry it out, the WP29 suggests a four-step test which includes (a) assessing the controller’s legitimate interest, (b) evaluating the impact of such interest on the data subjects, (c) striking a provisional balance and, should the situation still be uncertain, (d) applying additional safeguards to reduce any negative impact on the data subjects.


======Assessing the controller’s legitimate interest======

The WP29 points out that a controller’s legitimate interest may be justified by their freedom of expression and information, academic and scientific research, right of access to documents, as well as the right to liberty and security, freedom of thought, conscience and religion, the freedom to conduct a business, the right to property and to an effective judicial remedy or the presumption of innocence. In other cases, the controller may even invoke the public interest, for instance when it enforces policies that ensure the safety of an online community.

======Evaluating the impact on the data subject======

Once the controller’s interest has been assessed, the impact of the processing on the data subject’s interests or fundamental rights should be evaluated. Several elements can be useful at this stage, including the likelihood that a risk materialises, the severity of its consequences, the number of individuals potentially impacted as well as the nature of the data. In general, it appears that the more sensitive the information involved is, the more consequences there may be for the data subject.


Also of relevance is the way the information is being processed, whether it is shared with a large number of actors or persons or combined with other data sets. Finally, the reasonable expectations of the data subjects and the status of the controller should be considered (Recital 47). In particular, it is important to evaluate whether the status of the data controller, the nature of the relationship or the service provided, or the applicable legal or contractual obligations (or other promises made at the time of collection) could give rise to reasonable expectations of stricter confidentiality and stricter limitations on further use. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, p. 40 (available here).]


In C-708/18, TK, paras. 53-59, the CJEU elaborated on the criteria for the balancing of interests. In a case involving the lawfulness of a CCTV surveillance system, the Court considered different factors, including whether the data to be processed were retrieved from publicly accessible sources or were rather related to the data subject’s private life; the nature of the data, particularly their sensitiveness; and the modalities of processing, including the number of persons having access to the data. As Kotschy points out, the Court also “took implicitly into account recital 47, which stresses the importance of the reasonable expectations of the data subjects based on the time and context of the processing, and indicates that conflict with these expectations could, in certain cases, ‘override’ a controller’s interest in ‘further processing’”. [See Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021] Article 6 GDPR, p. 74 (Oxford University Press 2020). In CJEU, Joined Cases C-468/10 and C-469/10, ASNEF and FECEMD, 24 November 2011, margin number 38 (available here), the CJEU named two elements for a test under Article 7(f) of Directive 95/46/EC. Firstly, the processing of the personal data must be necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed. Secondly, such interests must not be overridden by the fundamental rights and freedoms of the data subject. The wording of Article 6(1)(f) GDPR and Article 7(f) of Directive 95/46/EC overlap sufficiently for this test to remain applicable after the introduction of the GDPR.]


======Provisional balance======

The essence of the balancing act is not clarified by the WP29’s opinion (nor does the GDPR provide any general instruction on the matter). It follows that, in accordance with the principle of accountability, the balancing act is entirely in the hands of the data controller who, taking into account the elements described above, must proceed in one direction or another, assuming full responsibility for the choice.


It goes without saying that the controller should document and be able to demonstrate the reasoning used to reach their conclusions. These assessments must therefore be made on a case-by-case basis. [The following situations are generally assumed to form a legitimate interest:

'''Defence of legal claims:''' It is generally accepted that the defence of legal claims is a legitimate interest. This includes civil law claims (whether contractual or not), administrative or criminal cases. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR.

'''Fraud prevention:''' Recital 47 explicitly names the prevention of fraud as a legitimate interest. In practice, an assessment and balancing of the likelihood of any fraudulent activity and the interference with the rights of the data subject needs to be made. Previous fraudulent activity may be an indicator. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR.

'''Network security:''' Recital 49 explicitly deals with data processing for network security. Processing of personal data for these purposes can also be derived as a legal duty under Article 32 GDPR. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR.

'''Search engines:''' Insofar as search engines process personal data, the right to freedom of information of the user as well as the rights of the search engine operators generally lead to an overriding legitimate interest. This may, however, be overridden by the interests of specific data subjects.

'''Video surveillance:''' In many national laws under Directive 95/46/EC, video surveillance ("CCTV") was accepted under the legitimate interest. Many limitations on the specific situations in which a controller has an overriding interest in surveillance over the interests of others were defined in national laws. When there is a genuine security challenge or threat, the use of structural surveillance may override the interests of data subjects. This includes the security of third parties, like the safety of passengers on a train. Such examples may include a high-risk institution (e.g. banks) or previous criminal activity (e.g. thefts, violent crime or vandalism). Any video surveillance system must still comply with other provisions like the general principles in Article 5 GDPR. This means that the records must be destroyed as soon as the purpose is fulfilled (usually the time it takes for a crime to be noticed, which may be 72 hours over a weekend). Data minimisation also requires that only the strictly necessary area is filmed. Other obligations, like informing the public through signs under Article 13 GDPR, also need to be observed.

'''Direct marketing:''' During the negotiations on the GDPR there were multiple attempts to include "direct marketing" in the list of legitimate interests. In the end, the negotiating parties agreed not to reach a clear agreement: "direct marketing" was moved to the last sentence of the non-binding recitals and the word "may" was added. Recital 47 now says that direct marketing "may be regarded" as carried out for a legitimate interest. At the same time, Article 21(2) GDPR includes an absolute right to object to direct marketing. Generally, the GDPR therefore seems to accept that direct marketing can be a legitimate interest ("may") while recognising that it will not be a legitimate interest in every situation. After all, a controller must engage in a balancing test in each individual case. The only legal description of "direct marketing" can be found in Article 13(3) of the ePrivacy Directive 2002/58/EC, which requires (1) obtaining the personal data in the context of the sale of a product or service (existing relationship), (2) the use by the same controller, for (3) its own similar products or services and (4) a clear and distinctive opportunity to object when the data is collected and with any further communication. It can be assumed that these situations also form a legitimate interest within the meaning of the GDPR.] However, this does not mean that, where possible, certain official guidelines may not be used to draw useful indications with respect to processing operations having common characteristics. [Heberlein, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 6 GDPR, margin number 32 (C.H. Beck, 2nd edition 2018).]


======Additional safeguards======

In cases where it is not clear which way the balance should be struck, the controller may consider whether it is possible to introduce additional safeguards. For example, these may include a “strict limitation on how much data is collected, or immediate deletion of data after use. While some of these measures may already be compulsory under the Directive, they are often scalable and leave room for controllers to ensure better protection of data subjects” as well as “providing an easily workable and accessible mechanism to ensure an unconditional possibility for data subjects to opt-out of the processing”. These additional measures may in some cases help tip the balance and ensure that the processing can be based on Article 6(1)(f), whilst simultaneously protecting the rights and interests of the data subjects. [WP29, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ 844/14/EN WP 217, 9 April 2014, pp. 40-41 (available here).]


=====Children=====

Article 6(1)(f) GDPR explicitly mentions situations "in particular where the data subject is a child". This seems to indicate that a balancing test needs to take the specific interests and expectations of a child into account.


===(2) In case of processing under Article 6(1)(c) and (e) specific national rules are possible===

This provision gives Member States more competence in the public sector, [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 326 (Oxford University Press 2020).] since it allows them to adopt, or keep, [This is clear from the wording ‘maintain’. See Plath, in Plath, DSGVO BDSG, Art. 6 DSGVO, margin number 126 (Otto Schmidt 2018).] their own (material) rules that regulate in which instances a controller can rely on the legal bases provided for in Article 6(1)(c) and Article 6(1)(e).


Member States can do so by providing specific requirements for the processing (including provisions relating to specific processing situations) in order, ultimately, to ensure that this processing is more lawful and fair. [Frenzel, in Paal/Pauly, DS-GVO BDSG, Article 6, margin number 32 (C.H. Beck 2021, 3rd Edition).] From this wording it is apparent that these national provisions must stay within, and cannot go beyond, the framework of the GDPR. [Plath, in Plath, DSGVO BDSG, Article 6 DSGVO, margin number 125 (Otto Schmidt 2018).]


Since this provision allows Member States to enact denser regulation, as well as more concrete requirements for controllers, Frenzel notes that this can lead to conflicts, not only between a Member State and the Commission (since the latter monitors the application of Union law), but also in the case of different processing situations by the same controller or vis-à-vis the same data subject. [Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 6, margin number 32 (C.H. Beck 2021, 3rd Edition).]


===(3) In case of processing under Article 6(1)(c) and (e) specific national rules must follow the GDPR instructions===

According to Article 6(3), the legal basis for processing under Article 6(1)(c) (legal obligation) and Article 6(1)(e) (public interest) shall be laid down by (a) Union or (b) Member State law. Contrary to Article 6(1)(c), however, public interest processing does not have to be expressly laid down in a legal basis. It suffices that the processing is necessary to fulfil a task which serves the public interest or is carried out in the exercise of official authority, and that the task is described in a specific and clear manner. [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 121 (C.H. Beck 2020, 3rd Edition).]


Moreover, the provision allows Member States to implement specific provisions within this legal basis, and suggests, inter alia, the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures. These concretisations are non-exhaustive and non-binding, but are certainly permissible specific provisions. [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 94 (C.H. Beck 2020, 3rd Edition).] Lastly, the constituent element ‘Member State law’ refers to all material law of that Member State. [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 197 (C.H. Beck 2020, 3rd Edition).]

====Relationship between Article 6(2) and 6(3): unclear and grounds for dispute====

It is important to set out that it remains unclear how Articles 6(2) and 6(3) relate to one another, legally and systematically. [Jahnel, in Jahnel, DSGVO, Article 6, margin number 85 (Jan Sramek Verlag 2021).] Some authors ascribe a more ‘declaratory nature’ to Article 6(2), [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 195 (C.H. Beck 2020, 3rd Edition).] and see Article 6(3) as the clause that offers the actual competence to enact material-specific data protection regulation. [Buchner, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6, margin number 195 (C.H. Beck 2020, 3rd Edition); Jahnel, in Jahnel, DSGVO, Article 6, margin number 85 (Jan Sramek Verlag 2021).] Other authors state that Article 6(2) does permit Member States to adopt material-specific regulation, and see Article 6(3) as a clause that sets out concrete requirements for this regulation. [For example Plath, in Plath, DSGVO BDSG, Article 6 DSGVO, margin number 3 (Otto Schmidt 2018).] Yet another group of authors does not see these requirements as ‘additional’, but as cumulative. [Roßnagel et al., in Zeitschrift für Datenschutz (2015) pp. 455-456.] Hence, the only thing that is clear is that the exact relationship between the two clauses remains disputed.


===(4) Further processing===

Article 6(4) GDPR prescribes certain factors to be taken into account where a controller wishes to further process personal data for a purpose other than that for which it was collected, where no other legal basis applies. This is only possible where the original and further purposes are "compatible". The factors set out in Article 6(4)(a)-(c) GDPR are not exhaustive.


Kotschy notes two key issues emerging from the factors in Article 6(4)(a)-(c) GDPR.[Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 341 (Oxford University Press 2020).] The first regards the relationship between the initial and further purpose. Notably, the new purpose does not need to be a "sub purpose" of the initial one. Rather, compatibility can exist where the initial and further purpose are “pursued ‘together’ in close vicinity” or where the further purpose is “a logical consequence of the initial purpose”. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 341 (Oxford University Press 2020).] Recital 50 GDPR adds that "the reasonable expectations of data subjects based on their relationship with the controller" should be considered.


As Kotschy argues, “compatibility” therefore largely rests on “what is usual and what is to be expected in certain circumstances”. For example, where a customer receives further marketing information from an organisation they recently purchased from, this would qualify as compatible further use, as customer relationship management “is a usual activity resulting from the customer relationship”. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 342 (Oxford University Press 2020).]


The second issue regards the assessment of the risk that may stem from the processing, prescribed in Article 6(4)(c)-(e) GDPR. Importantly, further processing “must not result in a substantially higher risk than the initial lawful processing.” The presence of sensitive personal data is specifically mentioned as a risk factor. Risks may be mitigated by various safeguards, such as encryption or pseudonymisation. To rely on the compatibility of further processing, controllers must be able to demonstrate that an assessment of all relevant risks was carried out. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 343 (Oxford University Press 2020).]

Whether information may lawfully be processed for a purpose that does not directly correlate with the original one, but where a very high level of safeguards is in place, is not yet clear from the law or the relevant jurisprudence. It will have to be decided by future jurisprudence whether Article 6(4) “might justify an assumption of ‘compatibility’ also in cases where the new purpose does not specifically ‘correlate’ to the initial purpose, but where a very high standard of risk containment is implemented”. [Kotschy, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 6 GDPR, p. 343 (Oxford University Press 2020).]

==Decisions==

→ You can find all related decisions in Category:Article 6 GDPR

==References==