Article 6 GDPR: Difference between revisions

From GDPRhub
Line 235: Line 235:


====(a) Consent====
====(a) Consent====
Data subjects can be asked to "consent" to the processing for a specific purpose (see [[Article 5 GDPR|Article 5(1)(b) GDPR]]). The GDPR wanted to end the various forms of hidden consent in terms and conditions, forced consent (take it or leave it), and the need for click-marathons through per-ticked consent boxes ("opt-out"). To achieve this aim, consent must meet a very high standard to be legally binding. Under the definition of consent in [[Article 4 GDPR|Article 4(11) GDPR]], consent must be (1) freely given, (2) specific, (3) informed, and (4) unambiguous. Further conditions are also contained in [[Article 7 GDPR]] and [[Article 8 GDPR]] on children's consent. Consequently, the conditions for consent are split between [[Article 4 GDPR|Articles 4(11)]], 6(1)(a), [[Article 7 GDPR|7]] and [[Article 8 GDPR|8 GDPR]].  
Data subjects can be asked to "consent" to the processing for a specific purpose (see [[Article 5 GDPR|Article 5(1)(b) GDPR]]). The GDPR wanted to end the various forms of hidden consent in terms and conditions, forced consent (take it or leave it), and the need for click-marathons through per-ticked consent boxes ("opt-out"). To achieve this aim, consent must meet a very high standard to be legally binding. Under the definition of consent in [[Article 4 GDPR|Article 4(11) GDPR]], consent must be (1) freely given, (2) specific, (3) informed, and (4) unambiguous.
 
The principle of specificity of consent (Article 4(11) GDPR) is confirmed by Article 6(1)(a) which requires consent to be given for “for one or more specific purposes”. This seems in line with the case law of the Court of Justice of the EU, according to which consent must refer to specific processing activities,<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin number 58-60 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> clearly identified, also in order to allow the user to effectively understand the operations being carried out.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]). This reading seems to be confirmed by ''Bucher, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 20 (C.H. Beck 2020).</ref>
 
Further conditions are also contained in [[Article 7 GDPR]] and [[Article 8 GDPR]] on children's consent. Consequently, the conditions for consent are split between [[Article 4 GDPR|Articles 4(11)]], 6(1)(a), [[Article 7 GDPR|7]] and [[Article 8 GDPR|8 GDPR]].  


====(b) Contract====
====(b) Contract====

Revision as of 09:59, 5 October 2021

Article 6: Lawfulness of processing
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text

Article 6 - Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.


2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.


3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a) Union law; or
(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.


4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Relevant Recitals

Recital 39: Principles of Data Processing
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 40: Lawfulness of Data Processing
In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Recital 41: Legal Basis or a Legislative Measure
Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.

Recital 42: Proof and Requirements for Consent
Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Recital 43: Freely Given Consent
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Recital 44: Processing in the Context of a Contract
Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

Recital 45: Legal Basis in Union or Member State Law
Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

Recital 46: Vital Interest of a Natural Person
The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

Recital 47: Overriding Legitimate Interests
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Recital 48: Data Transfers Within a Group of Undertakings
Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

Recital 49: Network and Information Security as a Legitimate Interest
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Recital 50: Compatible Purpose for Further Processing
The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations. Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

Recital 171: Repeal of Directive 95/46/EC and Transition Phase
Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.

Commentary

(1) Legal Basis

The GDPR prohibits all processing of personal data unless it is based on one or more of the six alternative legal bases under Article 6(1) GDPR. This means that by default processing of other persons' personal data is prohibited - unless one of the exceptions in Article 6(1) GDPR are met. There is no hierarchy between these legal bases. A controller may use any of them or use different ones for different processing operations. The legal basis has to be disclosed to the data subject under Article 13(1)(c) GDPR or Article 14(1)(c) GDPR.

(a) Consent

Data subjects can be asked to "consent" to the processing for a specific purpose (see Article 5(1)(b) GDPR). The GDPR wanted to end the various forms of hidden consent in terms and conditions, forced consent (take it or leave it), and the need for click-marathons through per-ticked consent boxes ("opt-out"). To achieve this aim, consent must meet a very high standard to be legally binding. Under the definition of consent in Article 4(11) GDPR, consent must be (1) freely given, (2) specific, (3) informed, and (4) unambiguous.

The principle of specificity of consent (Article 4(11) GDPR) is confirmed by Article 6(1)(a) which requires consent to be given for “for one or more specific purposes”. This seems in line with the case law of the Court of Justice of the EU, according to which consent must refer to specific processing activities,[1] clearly identified, also in order to allow the user to effectively understand the operations being carried out.[2]

Further conditions are also contained in Article 7 GDPR and Article 8 GDPR on children's consent. Consequently, the conditions for consent are split between Articles 4(11), 6(1)(a), 7 and 8 GDPR.

(b) Contract

If a data processing is necessary for the fulfillment of a contract, the controller has a legal basis to carry out such operations. For instance, if a data subject orders a product in an online store with a credit card and has it shipped home, some of these processing operations (payment and shipment) are obviously necessary for the performance of the contract. The data subject's data will then be transferred to financial institutions or the postal service to process the payment and deliver the product. Article 6(1)(b) GDPR makes these types of processing operations lawful without any further action required from the data subject (for example, a consent to share the data with financial institutions). [3] According to relevant legal literature, the contract is, together with consent under Article 6(1)(a) GDPR the only legal basis in which processing is based (indirectly in the case of a contract, directly in the case of consent) on the data subject's will.[4]

Existence of a Valid Contract

The content of a contract is defined by the applicable contract law, as defined by the Brussels-I Regulation 1215/2012/EU. In many consumer contract cases, this will be the law of the member state of the consumer.

A contract must itself be valid under the applicable national law. If a contract was not properly concluded, is invalid or was cancelled, no processing operation can be "necessary" for the non-existent contract. This may include cases were "unfair terms" are used, as defined in the Unfair Terms Directive 93/13/EEC.

Example: A Spanish controller and a French consumer concluded a contract that is illegal under the applicable French law. The lack of any valid contract means there is no legal basis.
Scope of the Contract

The scope of a contract has to be assessed. Elements that are not within the scope of the contract cannot serve as a legal basis for processing personal data.

Example: An order of a product cannot serve as a basis to sell customer data to a data broker.
Necessity

The processing of personal data must be necessary for the performance of a contract. A mere relationship with the contract is not sufficient. This does not mean that the controller may only use personal data if there is absolutely no other way to provide to the contract, but processing that is not necessary cannot be justified by Article 6(1)(b) GDPR.

Example: It is not necessary to track a user to generate personal suggestions simply because the data subject bought a mobile application.
Party to the Contract

The controller and the data subject must be parties to the contract. Contracts cannot lead to the processing of personal data of third party data subjects.

Example: A contract between company A and B on personalized advertisement does not form a legal basis to process the personal data of data subject C.
Precontractual Steps

Under Article 6(1)(b) GDPR, processing may also be lawful in precontractual situations at the request of the data subject, for example where data is processed to prepare an offer for a package tour. As noted by Kotschy, although such data processing could be based on explicit consent or legitimate interest, “mentioning it under Article 6(1)(b) GDPR makes a difference as to the consequences, as in case of Article 6(1)(b) GDPR the data subject cannot terminate lawful processing either by withdrawing consent or by objecting” (see Articles 7(3) and 21(1) GDPR). [5]

(c) Legal Obligation

GDPR recognizes any legal obligation that the controller may be subject to. In countless European and national laws, controllers are subject to obligations to collect, process, and store personal information.

Processing that goes beyond these legal obligations is not legal under this provision. Equally, national permissions (and not obligations) to process data do not fall under this provision. Any obligation to process data under another law must itself be proportionate (Article 7 and 8 EU Charter of Fundamental Rights) and in compliance with Article 6(2) and (3) GDPR.

Example: Tax law requires the keeping of certain records for 7 years, which GDPR recognizes.

(d) Vital Interest

Recital 46 clarifies that a vital interest is one which is "essential for the life" of the data subject, and includes processing necessary for humanitarian purposes, as well as to "monitor epidemics and their spreads" and "situations of natural and man-made disasters". Further, Article 6(1)(d) GDPR should only be used when no other legal basis applies.

Unlike in Article 9 GDPR, the capability of the data subject to provide consent to processing is not mentioned. However, Kotschy argues that the principle of fair processing “might require that the data subject should be consulted if possible.[6]

The vital interest of a natural person other than the data subject may also be used as a legal basis under Article 6(1)(d) GDPR. Processing of a data subject’s personal data in order to protect the life of another could also constitutes a "legitimate interest" under Article 6(1)(e) GDPR, however Article 6(1)(e) GDPR notably excludes public sector controllers.

(e) Public Interest

Under Article 6(1)(e) GDPR, data controllers can legally process personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This acts as the general basis for personal data processing in the public sector. [7]

Recital 46 provides examples of the types of processing that qualify under Article 6(1)(e) GDPR.

Kotschy highlights how in the English version of the GDPR it is unclear whether it is the "task", or the "official authority" that must be "vested in the controller", whilst a reading of the German version suggests that it is the task. This "vesting" of a task requires a legal provision, excluding situations where tasks are assigned by contract, even in the public interest. This is particularly significant for private entities.[8]

The extent to which private entities must also be vested with official authority in order to qualify under Article 6(1)(e) GDPR is disputed.

Processing under Article 6(1)(e) GDPR must be "necessary" for the performance of relevant tasks. This should be interpreted strictly in light of proportionality, and "if there are several alternatives," the "least intrusive" is appropriate.

Finally, in its Joint Response on the US Cloud Act, the EDPB made clear that Article 6(1)(e) GDPR is not satisfied "solely on the basis of a compelling request" from a foreign authority.[9]

(f) Legitimate Interest

The most debated exception on the prohibition of the processing of others' personal data is the so-called legitimate interest. While there are cases at the core of the balancing test where there is a clear overriding interest in processing personal data (e.g. when enforcing a legal claim against a criminal), there are other areas where the existence of a legitimate interest that overrides the interest of the data subject is more controversial or a minority view.

Because it is in many cases inherently unclear if a legitimate interest exists, controllers may want to avoid this legal basis whenever any of the other six legal basis is available to them.

Legitimate nterest of the Controller or Third party

A legitimate interest may be a legal, factual or economic interest. It must be "legitimate", so more than just legal or possible. It must be "pursued by the controller or by a third party", which means it must actively be followed. It must be an interest by the controller or third party, but may not be a public interest (see Article 6(1)(e) GDPR).

Controller or Third Party

The legitimate interest may be the interest of a controller or anyone else ("third party").

Example: A video surveillance system at a bank may not only process data in the interest of the bank (usually the controller) but also to protect customers in a bank if a robbery were to occur.
Public Authorities

Article 6(1)(f) GDPR may not be relied upon by public authorities insofar as they perform public tasks.

Necessity

The processing of personal data must be "necessary" to achieve the legitimate interests of the controller or the third party.

Balancing

Once a legitimate interest and the necessity to process personal data is established, the interests of the controller and the data subject must be balanced.[10][11]

Interests, Rights and Freedoms of the Data Subject

On the side of the data subject, not only the rights to privacy and data protection (Articles 7 and 8 EU Charter of Fundamental Rights) must be considered, but also other rights, freedoms, and interests. This can include anything from minor personal or economic interests all the way to the freedom of speech.

The legitimate interests of the controller on the one hand and the rights of the data subject on the other have to be balanced. Recital 47 highlights the importance of the data subject's reasonable expectations, based on the relationship between the data subject and the controller, within the balancing test.

Reasonable Expectations

The controller must objectively and fairly assess what a data subject would reasonably expect in a given situation.

Example: While the average person may expect CCTV in a bank, they may oppose any such surveillance inside a private space like a hotel room.
Relationship Between Controllers and Data Subjects

Relationships between controllers and data subjects may lead to a certain level of trust but also to certain expectations by both parties. There is no clear rule that a more intense relationship should lead to more intense data protection. In many cases the opposite may be true.

While it may be reasonable to distrust a new customer, it may not be reasonable for a loyal long-term customer. Similarly, it may be unreasonable to expect that a controller will conduct surveillance on third-party property. However, the fact that a data subjects enters the property of the controller may make certain surveillance reasonable.

Children

Article 6(1)(f) GDPR explicitly mentions situations "in particular where the data subject is a child". This seems to indicate that a balancing test needs to take the specific interests and expectations of a child into account.

(2) Option to Further Determine Article 6(1)(c) and (e) GDPR

Member states can maintain or introduce provisions to specify and adapt the requirements for legal processing under Article 6(1)(c) GDPR (processing based on a "legal obligation") and Article 6(1)(e) GDPR ("public interest"), as well as to ensure lawful and fair processing regarding the specific processing situations outlined in GDPR Chapter IX.

Member states can consequently keep sector-specific data protection law in the public sector so long as it complies with the GDPR, as such law would be based on Article 6(1)(e) GDPR.[12]

In terms of private sector laws, Article 6(2) GDPR notably does not refer to Article 6(1)(f) GDPR. However, national laws regarding private sector entities may qualify where these deal with the situations prescribed in GDPR Chapter IX. [13]

Details on Member States’ varying implementations of the GDPR can be found in the GDPRhub Country Overview.

(3) Formal Requirements Under Article 6(1)(c) and (e) GDPR

Article 6(3) GDPR specifies that in order for processing to be based on Article 6(1)(c) and (e) GDPR, the controller’s legal obligation, or the task vested in the controller, must be laid down by Union Law or Member State Law to which the controller is subject. In other words, "tasks based exclusively on foreign law cannot provide a legal basis for processing."

Under Recital 45 GDPR, the GDPR "does not require a specific law for each individual processing". "A law as a basis for several processing operations [...] may be sufficient."

Article 6(3) and Recital 45 GDPR also provide examples of content for Member State Laws which, in accordance with Article 6(2) GDPR, specify and adapt the GDPR's rules regarding processing under Article 6(1)(c) or (e) GDPR.

(4) Change of Purpose

Article 6(4) GDPR prescribes factors to be taken into account where a controller wishes to further process personal data for a purpose other than that for which it was collected, where no other legal basis applies. This is only possible where the original and further purposes are "compatible." The factors set out in Article 6(4)(a)-(c) GDPR are not exhaustive.

Kotschy notes two key issues emerging from the factors in Article 6(4)(a)-(c) GDPR.[14] The first regards the relationship between the initial and further purpose. Notably, the new purpose does not need to be a "sub purpose" of the initial purpose. Rather, compatibility can exist where the initial and further purpose are “pursued ‘together’ in close vicinity” or where the further purpose is “a logical consequence of the initial purpose.[15]

Recital 50 GDPR adds that "the reasonable expectations of data subjects based on their relationship with the controller" should be considered. As Kotschy argues, "compatibility" thus largely rests on “what is usual and what is to be expected in certain circumstances.” For example, where a customer receives further marketing information from an organisation they recently purchased from, this would classify as compatible further use, as customer relationship management “is a usual activity resulting from the customer relationship."[16]

The second issue regards the assessment of risk that may stem from processing, prescribed in Article 6(4)(c)-(e) GDPR. Importantly, further processing “must not result in a substantially higher risk than the initial lawful processing.” The presence of sensitive personal data is specifically mentioned as a risk factor. Risks may be mitigated by various safeguards, such as encryption or pseudonymisation. To rely on further processing compatibility, controllers must be able to demonstrate that an assessment of all relevant risks was done.[17]

The potential to legally process information for a purpose that does not directly correlate with the original, but where there is a very high level of safeguards in place, is not yet clear from the law or relevant jurisprudence.[18]

Decisions

→ You can find all related decisions in Category:Article 6 GDPR

References

  1. CJEU, C‑673/17, Planet49, 1 October 2019, margin number 58-60 (available here).
  2. CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available here). This reading seems to be confirmed by Bucher, Petri, in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 20 (C.H. Beck 2020).
  3. Some authors have that the contractual legal basis laid down explicitly in Article 6(1)(b) GDPR can also be derived more generally "from the fact that the controller, as a contractual partner, has a legal obligation to fulfill their contractual obligations according to general legal principles". Furthermore, legitimacy for fulfilling a contractual obligation may also be interpreted as a "special case of 'legal obligations' and even 'legitimate interests of the controller". See, Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 330 (Oxford University Press 2020).
  4. Resta, in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 6 GDPR (Wolters Kluwer 2018), p. 69 which, in turn, refers to Pelino, Bistolfi, Bolognini, Il regolamento privacy europeo (Milano 2018).
  5. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 332 (Oxford University Press 2020) citing Dammann and Simitis 1997, p. 149.
  6. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 334 (Oxford University Press 2020).
  7. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 336 (Oxford University Press 2020).
  8. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 340 (Oxford University Press 2020).
  9. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 339 (Oxford University Press 2020) with reference to EDPB-EDPS Joint Response to the LIBE Committee on the impact of the US Cloud Act on the European legal framework for personal data protection, 12 July 2019, p. 4.
  10. In CJEU, 24 November 2011, ASNEFF and FECEMD, C-468/10 and C-469/10, margin number 38 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=115205&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=135346, the CJEU named two elements for a test under Article 7(f) of Directive 95/46/EC: Firstly, the processing of the personal data must be necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed; and, Secondly, such interests must not be overridden by the fundamental rights and freedoms of the data subject. The wording of Article 6(1)(f) GDPR and Article 7(f) of Directive 95/46 are sufficiently overlapping to be able to apply this test after the introduction of GDPR.
  11. The following situations are generally assumed to form a legitimate interest: Defense of legal claims It is generally accepted that the defence of legal claims is a legitimate interest. This includes civil law claims (whether contractual or not), administrative or criminal cases. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR. Fraud prevention Recital 47 explicitly names the prevention of fraud as a legitimate interest. In practice, an assessment and balancing of the likeliness of any fraudulent activity and the interference with the rights of the data subject needs to be made. Previous fraudulent activity may be an indicator. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR. Network security Recital 49 explicitly deals with data processing for network security. Processing of personal data for these purposes can also be derived as a legal duty under Article 32 GDPR. Any such use of personal data must still comply with other provisions like the general principles in Article 5 GDPR. Search engines Insofar as search engines process personal data, the right to freedom of information by the user as well as the rights of the search engine operators generally leads to an overriding legitimate interest. This may, however, be overridden by the interests of specific data subjects. Video surveillance: In many national laws under Directive 95/46/EC, video surveillance ("CCTV") was accepted under the legitimate interest. Many limitations on the specific situations when a controller has an overriding interest in surveillance over the interest of others were defined in national laws. When there is a genuine security challenge or threat, the use of structural surveillance may override the interests of data subjects. This includes the security of third parties, like the safety of passengers on a train. Such examples may include a high risk institution (e.g. banks) or previous criminal activity (e.g. thefts, violent crime or vandalism). Any video surveillance system must still comply with other provisions like the general principles in Article 5 GDPR. This means that the records must be destroyed as soon as the purpose is fulfilled (usually the time that realization of a crime takes, which may be 72 hours over a weekend). Data minimization also requires that only the strictly necessary area is filmed. Other obliogations like information to the public through signs under Article 13 GDPR also need to be observed. Direct marketing: During the negotiations on the GDPR there were multiple attempts to include "direct marketing" into the list of legitimate interests. In the end, the negotiating parties agreed to not reach a clear agreement: "Direct marketing" was moved to the last sentence of the non-binding recitals and the word "may" was added. Recital 47 now says that direct marketing "may be regarded" as carried out for a legitimate interest. At the same time, Article 21(2) GDPR includes an absolute right to object to direct marketing. Generally, the GDPR therefore seems to accept that direct marketing can be a legitimate interest ("may") while recognizing that it will not always be a legitimate interest across all situations. After all, a controller must engage in a balancing test in each individual case. The only legal description of "direct marketing" can be found in Article 13(3) of the ePrivacy Directive 2002/58/EC, which requires (1) obtaining the personal data in the context of the sale of a product or service (existing relationship), (2) the use by the same controller, for (3) its own similar products or services and (4) a clear and distinctive opportunity to object when the data is collected and with any further communication. It can be assumed that these situations also form a legitimate interest within the meaning of the GDPR.
  12. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 340 (Oxford University Press 2020).
  13. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 340 (Oxford University Press 2020).
  14. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 341 (Oxford University Press 2020).
  15. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 341 (Oxford University Press 2020).
  16. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 341 (Oxford University Press 2020).
  17. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 341 (Oxford University Press 2020).
  18. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 6 GDPR, p. 341 (Oxford University Press 2020).