Article 6 GDPR
|← Article 6: Lawfulness of processing →|
- 1 Legal Text
- 2 Relevant Recitals
- 3 Commentary
- 3.1 (1) Legal Basis
- 3.1.1 (a) Consent
- 3.1.2 (b) Contract
- 3.1.3 (c) Legal obligation
- 3.1.4 (d) Vital interest
- 3.1.5 (e) Public interest
- 3.1.6 (f) Legitimate interest
- 18.104.22.168 (I.) Legitimate interest of the controller or third party
- 22.214.171.124 (II.) Necessity
- 126.96.36.199 (III.) Balancing
- 188.8.131.52 Proportionality under Article 52(1) CFR
- 184.108.40.206 Balancing test under Directive 95/46/EC
- 220.127.116.11 Examples for an overriding legitimate interest
- 3.2 (2) Option to further determine Article 6(1)(c) and (e)
- 3.3 (3) Formal requirements under Article 6(1)(c) and (e)
- 3.4 (4) Change of purpose
- 3.1 (1) Legal Basis
- 4 Decisions
- 5 References
Legal Text[edit | edit source]
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
- (a) Union law; or
- (b) Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
- (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
- (b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
- (d) the possible consequences of the intended further processing for data subjects;
- (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
Relevant Recitals[edit | edit source]
Commentary[edit | edit source]
(1) Legal Basis[edit | edit source]
The need for a legal basis under Article 6(1) GDPR is (together with the need to comply with the principles of Article 5 GDPR) the "bottleneck" for the legality of any processing operation.
The GDPR prohibits all processing of personal data unless it is based on one or more of the six alternative legal bases under Article 6(1). This rather radical approach means that by default processing of other persons' personal data is prohibited - unless one of the exceptions in Article 6(1) are met.
There is no hierarchy between these legal basis. A controller may use any of them or use different ones for different processing operations. The legal basis has to be disclosed to the data subject under Article 13(1)(c) or Article 14(1)(c).
(a) Consent[edit | edit source]
Data subjects can be asked to "consent" to the processing for a specific purpose (see Article 5(1)(b)).
The GDPR wanted to end the various forms of hidden consent in terms and conditions, forced consent (take it or leave it), and the need for click-marathons through pre-ticked consent boxes ("opt-out"). To achieve this aim, consent must meet a very high standard to be legally binding. Under the definition of consent in Article 4(11), consent must be (1) freely given, (2) specific, (3) informed, and (4) unambiguous. Further conditions are also contained in Article 7 and on children's consent in Article 8. Consequently, the conditions for consent are split between Articles 4(11), 6(1)(a), 7 and 8.
→ See also Article 4(11)
→ See also Article 7
→ See also Article 8
Freely Given[edit | edit source]
Consent has to be freely given, which means that the data subject must have the option to say "no" as well. Whether or not consent is freely given cannot be determined objectively; it is subjective to each data subject. Depending on the processing operation and service as well as the respective roles of the controller and the data subject in a given transaction, consent may be freely given in one context but not in another. The standard for a freely given consent is in most cases considerably higher than the standards for an agreement to enter into a contract in national civil law.
Employers, the government or companies with a dominant market position will typically be able to force data subjects to consent against their true wishes. Recital 43 highlights that if there is a "clear imbalance between the data subject and the controller" consent should not provide a legal basis.
- Example: If an employee has to consent that his mobile phone is tracked for fraud prevention purposes it is highly unlikely that an employee has a realistic chance to object.
Recital 43 and Article 7(4) further deal with the situation of "bundled consent", i.e. when the performance of a contract (see below) is made conditional on consent, or when consent to different processing operations is bundled into one single yes/no option for the data subject.
- Example: A controller uses a contract form in which you also agree that personal data can be sold to a third party. You cannot modify the form and must sign it as is.
→ See also Recital 43
→ See also Article 7(4)
Specific[edit | edit source]
Consent must be for each purpose of a processing operation. There must be a clear scope and consequence for the data subject. Blanket consent it not legally binding.
- Example: "I agree to the processing of my data for different business purposes" is not specific.
Informed[edit | edit source]
According to Recital 42, a data subject must know the identity of the controller and the purposes of the processing. The data subject must also be informed about the right to withdraw their consent (see Article 7(3)). Courts have held that informed consent to the sharing of data with third parties requires that each recipient is named. [Source?]
Consent also has to be clearly distinguished if it is given in the context of a written declaration, like a sign-up form.
- Example 2: A data subject is asked for consent "inline". A short, precise description of the processing operation is followed by a yes/no option. Clicking the "yes" button forms valid consent.
→ See also Article 7 GDPR
Unambiguous[edit | edit source]
GDPR requires a "a statement or by a clear affirmative action" (Article 4(11)). This can be checking a box ("opt-in") or a button in the digital environment or for example the obvious grouping for a picture in the analogue world. Actions that do not include a clear affirmative action, such as using a webpage or walking through a picture, are not "unambiguous". A user may simply ignore or not have realized that a picture is being taken or that a webpage uses data in a certain way. This ambiguity extends to assigning certain actions a legal meaning through a disclaimer (e.g. "by using our webpage you agree to X"). In practice the design and common understanding of actions may have to be assessed in each case.
- Example 1: A user clicks a "I agree" button or a person clearly moves into a picture that is taken, which is unambiguous.
- Example 2: A user is merely vising a pare or walking down a street that is under surveillance, which is ambiguous.
(b) Contract[edit | edit source]
In practice, many processing operations are based on an underlying contract. If a data subject orders a product in an online store with a credit card and has it shipped home, there is an "implied consent" that personal data is processed and for example transferred to financial institutions or the postal service to process the payment and deliver the product. Article 6(1)(b) makes these types of processing operations legal.
Existence of a valid contract[edit | edit source]
The content of a contract is defined by the applicable contract law, as defined by the Brussels-I Regulation 1215/2012/EU. In many consumer contract cases, this will be the law of the member state of the consumer.
A contract must itself be valid under the applicable national law. If a contract was not properly concluded, is invalid or was cancelled, no processing operation can be "necessary" for the non-existent contract. This may include cases were "unfair terms" are used, as defined in the Unfair Terms Directive 93/13/EEC.
- Example: A Spanish controller and a French consumer concluded a contract that is illegal under the applicable French law. The lack of any valid contract means there is no legal basis.
Scope of the contract[edit | edit source]
The scope of a contract has to be assessed. Elements that are not within the scope of the contract cannot serve as a legal basis for processing personal data.
- Example: An order of a product cannot serve as a basis to sell customer data to a data broker.
Necessity[edit | edit source]
The processing of personal data must be necessary for the performance of a contract. A mere relationship with the contract is not sufficient. This does not mean that the controller may only use personal data if there is absolutely no other way to provide to the contract, but processing that is not necessary cannot be justified by Article 6(1)(b).
- Example: It is not necessary to track a user to generate personal suggestions simply because the data subject bought a mobile application.
Party to the contract[edit | edit source]
The controller and the data subject must be party to the contract. Contracts cannot lead to the processing of personal data of third party data subjects.
- Example: A contract between company A and B on personalized advertisement does not form a legal basis to process the personal data of data subject C.
Precontractual steps[edit | edit source]
You can help us fill this section!
(c) Legal obligation[edit | edit source]
GDPR recognizes any legal obligation that the controller may be subject to. In countless European and national laws, controllers are subject to obligations to collect, process, and store personal information.
Processing that goes beyond these legal obligations is not legal under this provision. Equally, national permissions (and not obligations) to process data do not fall under this provision. Any obligation to process data under another law must itself be proportionate (Article 7 and 8 EU Charter of Fundamental Rights) and in compliance with Article 6(2) and (3).
- Example: Tax law requires the keeping of certain records for 7 years, which GDPR recognizes.
→ See also Article 6(2) and (3)
(d) Vital interest[edit | edit source]
You can help us fill this section!
(e) Public interest[edit | edit source]
You can help us fill this section!
(f) Legitimate interest[edit | edit source]
The most debated exception on the prohibition of the processing of others' personal data is the so-called legitimate interest. While there are cases at the core of the balancing test where there is a clear overriding interest in processing personal data (e.g. when enforcing a legal claim against a criminal), there are other areas where the existence of a legitimate interest that overrides the interest of the data subject is more controversial or a minority view.
Because it is in many cases inherently unclear if a legitimate interest exists, controllers may want to avoid this legal basis whenever any of the other six legal basis is available to them.
(I.) Legitimate interest of the controller or third party[edit | edit source]
A legitimate interest may be a legal, factual or economic interest. It must be "legitimate", so more than just legal or possible. It must be "pursued by the controller or by a third party", which means it must actively be followed. It must be an interest by the controller or third party, but may not be a public interest (see Article 6(1)(e) GDPR).
Controller or third party[edit | edit source]
The legitimate interest may be the interest of a the controller or anyone else ("third party").
- Example: A video surveillance system at a bank may not only process data in the interest of the bank (usually the controller) but also to protect customers in a bank if a robbery were to occur.
[edit | edit source]
Article 6(1)(f) may not be relied upon by public authorities insofar as they perform public tasks.
(II.) Necessity[edit | edit source]
The processing of personal data must be 'necessary' to achieve the legitimate interests of the controller or the third party.
(III.) Balancing[edit | edit source]
Once a legitimate interest and the necessity to process personal data is established, the interests of the controller and the data subject must be balanced.
Interests, rights and freedoms of the data subject[edit | edit source]
On the side of the data subject, not only the rights to privacy and data protection (Articles 7 and 8 EU Charter of Fundamental Rights) must be considered, but also other rights, freedoms, and interests. This can include anything from minor personal or economic interests all the way to the freedom of speech.
Elements under Recital 47[edit | edit source]
The legitimate interests of the controller on the one hand and the rights of the data subject on the other have to be balanced. Recital 47 highlights the importance of the data subject's reasonable expectations, based on the relationship between the data subject and the controller, within the balancing test.
- Reasonable expectations
The controller must objectively and fairly assess what a data subject would reasonably expect in a given situation.
- Example: While the average person may expect CCTV in a bank, they may oppose any such surveillance inside a private space like a hotel room.
Relationships between controllers and data subjects may lead to a certain level of trust but also to certain expectations by both parties. There is no clear rule that a more intense relationship should lead to more intense data protection. In many cases the opposite may be true.
While it may be reasonable to distrust a new customer, it may not be reasonable for a loyal long-term customer. Similarly, it may be unreasonable to expect that a controller will conduct surveillance on third-party property. However, the fact that a data subjects enters the property of the controller may make certain surveillance reasonable.
Children as an element[edit | edit source]
Article 6(1)(f) explicitly mentions situations "in particular where the data subject is a child". This seems to indicate that a balancing test needs to take the specific interests and expectations of a child into account.
Proportionality under Article 52(1) CFR[edit | edit source]
The GDPR needs to be interpreted in the light of the Charter of Fundamental Rights; as such, the balancing test under Article 6(1)(f) must also be compliant with the general proportionality test of Article 52(1) Charter of Fundamental Rights.
Under Article 52(1) Charter of Fundamental Rights, there are four steps in a proportionality test:
- There must be a legitimate aim for a measure,
- the measure must be suitable to achieve the aim (it must be effective),
- the measure must be necessary to achieve the aim (there must be no less onerous way),
- the measure must be reasonable, considering the competing interests of different groups at hand.
GDPR may structurally violate the Charter of Fundamental Rights insofar as Article 6(1)(f) requires that fundamental rights override the interests of a controller. This would put the burden of proof on the data subject and would make the controller succeed with the balancing test in a 50/50-situation, while under the Charter of Fundamental Rights the opposite is true. In practice, reading Article 6(1)(f) in conjunction with Article 5(2) (accountability) means the controller must still be able to prove their (successful) balancing test.
Balancing test under Directive 95/46/EC[edit | edit source]
In CJEU - C-468/10 and C-469/10 - ASNEF and FECEMD, para 38, the CJEU named two elements for a test under Article 7(f) of Directive 95/46/EC:
- Firstly, the processing of the personal data must be necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed; and,
- Secondly, such interests must not be overridden by the fundamental rights and freedoms of the data subject.
The wording of Article 6(1)(f) GDPR and Article 7(f) of Directive 95/46 are sufficiently overlapping to be able to apply this test after the introduction of GDPR.
Examples for an overriding legitimate interest[edit | edit source]
The following situations are assumed to form a legitimate interest:
- Defense of legal claims
It is generally accepted that the defense of legal claims is a legitimate interest. This includes civil law claims (whether contractual or not), administrative or criminal cases. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR.
- Fraud prevention
Recital 47 explicitly names the prevention of fraud as a legitimate interest. In practice, an assessment and balancing of the likeliness of any fraudulent activity and the interference with the rights of the data subject needs to be made. Previous fraudulent activity may be an indicator. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR.
- Network security
Recital 49 explicitly deals with data processing for network security. Processing of personal data for these purposes can also be derived as a legal duty under Article 32 GDPR. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR.
- Search engines
Insofar as search engines process personal data, the right to freedom of information by the user as well as the rights of the search engine operators generally leads to an overriding legitimate interest. This may, however, be overridden by the interests of specific data subjects.
- Video surveillance:
In many national laws under Directive 95/46/EC, video surveillance ("CCTV") was accepted under the legitimate interest. Many limitations on the specific situations when a controller has an overriding interest in surveillance over the interest of others were defined in national laws.
When there is a genuine security challenge or threat, the use of structural surveillance may override the interests of data subjects. This includes the security of third parties, like the safety of passengers on a train. Such examples may include a high risk institution (e.g. banks) or previous criminal activity (e.g. thefts, violent crime or vandalism). Any video surveillance system must still comply with other provisions like the general principles in Article 5 GDPR. This means that the records must be destroyed as soon as the purpose is fulfilled (usually the time that realization of a crime takes, which may be 72 hours over a weekend). Data minimization also requires that only the strictly necessary area is filmed. Other obliogations like information to the public through signs under Article 13 GDPR also need to be observed.
- Direct marketing:
During the negotiations on the GDPR there were multiple attempts to include "direct marketing" into the list of legitimate interests. In the end, the negotiating parties agreed to not reach a clear agreement: "Direct marketing" was moved to the last sentence of the non-binding recitals and the word "may" was added.
Recital 47 now says that direct marketing "may be regarded" as carried out for a legitimate interest. At the same time, Article 21(2) includes an absolute right to object to direct marketing. Generally, the GDPR therefore seems to accept that direct marketing can be a legitimate interest ("may") while recognizing that it will not always be a legitimate interest across all situations. After all, a controller must engage in a balancing test in each individual case.
The only legal description of "direct marketing" can be found in Article 13(3) of the ePrivacy Directive 2002/58/EC, which requires (1) obtaining the personal data in the context of the sale of a product or service (existing relationship), (2) the use by the same controller, for (3) its own similar products or services and (4) a clear and distinctive opportunity to object when the data is collected and with any further communication. It can be assumed that these situations also form a legitimate interest within the meaning of the GDPR.
(2) Option to further determine Article 6(1)(c) and (e)[edit | edit source]
You can help us fill this section!
(3) Formal requirements under Article 6(1)(c) and (e)[edit | edit source]
You can help us fill this section!
(4) Change of purpose[edit | edit source]
You can help us fill this section!
Decisions[edit | edit source]
→ You can find all related decisions in Category:Article 6 GDPR