Author: Giovanni Sartor

 

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in points (c) and (e) of paragraph 1 shall be laid down by:

(a) Union law; or

(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4. Where processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Art. 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Art. 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Art. 10;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

I. General overview

Art. 6 regulates the legal bases for the processing of personal data; namely, it specifies what conditions may justify the processing of such data according to the law. Para. 1 lists six legal bases and specifies that the processing of personal data is lawful only if one of these bases is satisfied. Thus, if a processing activity has no legal basis, then the activity is by this very fact unlawful. On the other hand, having a legal basis is a necessary but not sufficient condition for a processing activity to be legally compliant; the processing activity must also respect all obligations that apply to it, and first of all, the principles stated in Art. 5 para. 1 (→ Art. 5 mn. 1 et seq.).

The legal bases listed in 6 para. 1 have different natures: the first legal basis lies in the consent of the data subject, while the following ones consist in the necessity of the processing relatively to certain objectives. Some of the objectives pertain to interests or determinations of private individuals: performing or entering a contract (lit. b), protecting vital interests of natural persons (lit. d), pursuing a legitimate interest of the controller or of a third party (lit. f). The other objectives pertain to public determinations or interests: compliance with legal obligations of the controller (lit. c), performance of tasks carried out in the public interest or in the exercise of official authority (lit. e). All legal bases have the same legal relevance, i.e., each one of them is sufficient for the processing to meet the legal basis-requirement, and more than one can apply to the same processing.

Para. 2 states that national legislation may introduce specific requirements and measures where the processing is based on authoritative legal sources, which either establish legal obligations upon controllers (lit. c) or confer them tasks to be carried out in the public interest or in the exercise of official authority (lit. e). A contrario, it excludes —for the sake of the harmonisation in data protection (in particular, when private relations are at stake)— that national legislation can similarly regulate processing grounded on other legal bases. National rules can however be introduced for the specific instances of processing listed in Chapter IX of the GDPR.

Para. 3 also addresses the processing operations whose legal bases are described in Art. 6 para. 1 lit. c and 6 para. 1 lit. e. It specifies that the legal provisions providing such bases must pertain to EU law or to the laws of Member States (to the exclusion of the laws of non-European countries) and establishes requirements and possible content for such provisions.

Para. 4 considers the connection between the original legal basis justifying the collection of data for certain purposes, and the further processing of such data to achieve different purposes. Further processing is only allowed when it serves compatible purposes. Processing for purposes at variance with the original ones must be consented by the data subject or authorised by a law meant to achieve important objectives of general public interest (as listed in → Art. 23 mn. 15-30).

 

 

[…]