Article 6*
Article 6 – Lawfulness of processing
Commission Proposal
1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of their personal data for one or more specific purposes; 2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83. 3. The basis of the processing referred to in points (c) and (e) of paragraph 1 must be provided for in: (a) Union law, or 4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract. 5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child. |
Go to related Recital 31 – Go to related Recital 35 – Go to related Recital 36 – Go to related Recital 37 – Go to related Recital 38 – Go to related Recital 39 – Go to related Recital 126
EDRi’s Proposed amendment
1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of their personal data for one or more specific purposes; 2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83. 3. The basis of the processing referred to in points (c) and (e) of paragraph 1 must be provided for in: (a) Union law, or 3b. In the case referred to in point (f) of paragraph 1, the controller shall inform the data subject about this explicitly and separately. The controller shall also publish the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child. |
Justification
Article 6(1)(f), as drafted by the Commission, can in practice offer controllers a way to avoid many processing restrictions altogether, since current experience suggests that few data subjects will be able or willing to test reliance on this criterion in court. Moreover, the broadness of the term “legitimate interest” creates legal uncertainty, both for data subjects and business. Furthermore this uncertainty will most probably lead to divergences in practice between different Member States and therefore a failure to achieve the goal of harmonisation. In the interest of legal certainty, it should at least be specified that direct marketing is not a legitimate interest in the scope of this Article, as the proposed amendment to recital 38 states, which would also remove inconsistencies with the revised ePrivacy Directive.
If a data controller wishes to use “legitimate interest” as a basis for processing, this must be separately and explicitly flagged to the data subject and the data processor should publish its grounds for believing that its interests override those of the data subject. The amendment introduces obligations on controllers to this effect.
As mentioned in recital 38, paragraph 1, point (f) should not apply to the processing carried out by public authorities. In the Commission proposal, it was unclear whether the last sentence of paragraph 1, point (f) referred only to the sentence before (i.e. the balancing test), or to the whole point. The proposed amendment clarifies this. For other controllers, this ground for lawfulness should only be used as a “last resort”, with it being preferable to have processing based on one or several of the other grounds.
The exception foreseen in paragraph 4 undermines the principle of purpose limitation, one of the key concepts of data protection. For this reason, this paragraph should be deleted. See also the EDPS Opinion on the data protection reform package, pts. 122-124 and the Opinion of the Article 29 Working Party on the same subject, p.11. The Article 29 Working Party has also announced that it will issue an opinion on compatible use in the course of 2012.