Article 6*

Article 6 – Lawfulness of processing

Commission Proposal

Go down to proposed amendment

1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.

3. The basis of the processing referred to in points (c) and (e) of paragraph 1 must be provided for in:

(a) Union law, or
(b) the law of the Member State to which the controller is subject.The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued.

4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.

Go to related Recital 31Go to related Recital 35Go to related Recital 36Go to related Recital 37Go to related Recital 38Go to related Recital 39Go to related Recital 126

EDRi’s Proposed amendment

1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This legal ground shall not apply to processing carried out by public authorities in the performance of their tasks. It shall also not apply to processing that can also be based on one or several of the other grounds in this paragraph.

2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.

3. The basis of the processing referred to in points (c) and (e) of paragraph 1 must be provided for in:

(a) Union law, or
(b) the law of the Member State to which the controller is subject.The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued.

3b. In the case referred to in point (f) of paragraph 1, the controller shall inform the data subject about this explicitly and separately. The controller shall also publish the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject.

4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.

Justification

Article 6(1)(f), as drafted by the Commission, can in practice offer controllers a way to avoid many processing restrictions altogether, since current experience suggests that few data subjects will be able or willing to test reliance on this criterion in court. Moreover, the broadness of the term “legitimate interest” creates legal uncertainty, both for data subjects and business. Furthermore this uncertainty will most probably lead to divergences in practice between different Member States and therefore a failure to achieve the goal of harmonisation. In the interest of legal certainty, it should at least be specified that direct marketing is not a legitimate interest in the scope of this Article, as the proposed amendment to recital 38 states, which would also remove inconsistencies with the revised ePrivacy Directive.

If a data controller wishes to use “legitimate interest” as a basis for processing, this must be separately and explicitly flagged to the data subject and the data processor should publish its grounds for believing that its interests override those of the data subject. The amendment introduces obligations on controllers to this effect.

As mentioned in recital 38, paragraph 1, point (f) should not apply to the processing carried out by public authorities. In the Commission proposal, it was unclear whether the last sentence of paragraph 1, point (f) referred only to the sentence before (i.e. the balancing test), or to the whole point. The proposed amendment clarifies this. For other controllers,  this ground for lawfulness should only be used as a “last resort”, with it being preferable to have processing based on one or several of the other grounds.

The exception foreseen in paragraph 4 undermines the principle of purpose limitation, one of the key concepts of data protection. For this reason, this paragraph should be deleted. See also the EDPS Opinion on the data protection reform package, pts. 122-124 and the Opinion of the Article 29 Working Party on the same subject, p.11. The Article 29 Working Party has also announced that it will issue an opinion on compatible use in the course of 2012.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Cancel

Connecting to %s

  • eu logo The launch and upkeep (until December 31, 2013) of this website received financial support from the EU's Fundamental Rights and Citizenship Programme.
  • EDRi.org
%d bloggers like this: