Article 6
Lawfulness of processing
(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.
(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
(44) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.
(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.
(46) The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
(48) Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.
(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
(30) Whereas, in order to be lawful, the processing of personal data must in addition be carried out with the consent of the data subject or be necessary for the conclusion or performance of a contract binding on the data subject, or as a legal requirement, or for the performance of a task carried out in the public interest or in the exercise of official authority, or in the legitimate interests of a natural or legal person, provided that the interests or the rights and freedoms of the data subject are not overriding; whereas, in particular, in order to maintain a balance between the interests involved while guaranteeing effective competition, Member States may determine the circumstances in which personal data may be used or disclosed to a third party in the context of the legitimate ordinary business activities of companies and other bodies; whereas Member States may similarly specify the conditions under which personal data may be disclosed to a third party for the purposes of marketing whether carried out commercially or by a charitable organization or by any other association or foundation, of a political nature for example, subject to the provisions allowing a data subject to object to the processing of data regarding him, at no cost and without having to state his reasons;
(31) Whereas the processing of personal data must equally be regarded as lawful where it is carried out in order to protect an interest which is essential for the data subject's life;
(32) Whereas it is for national legislation to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association;
(33) Whereas data which are capable by their nature of infringing fundamental freedoms or privacy should not be processed unless the data subject gives his explicit consent; whereas, however, derogations from this prohibition must be explicitly provided for in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy or in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms;
(34) Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection - especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system - scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals;
(35) Whereas, moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognized religious associations is carried out on important grounds of public interest;
(36) Whereas where, in the course of electoral activities, the operation of the democratic system requires in certain Member States that political parties compile data on people's political opinion, the processing of such data may be permitted for reasons of important public interest, provided that appropriate safeguards are established;
The GDPR
The various grounds for lawfulness of processing provided by the Directive are listed, and sometimes specified, in Article 6 of the Regulation or in some of its recitals.
Thus, the consent must relate to one or more specific purposes, which excludes any purpose expressed in general terms. It should also be remembered that consent is defined in Article 4, 11) as meaning the ex
These characteristics are specified and exemplified in recitals 42 and following, and in Article 7 of the Regulation. In these recitals, special attention is paid to the free nature of the consent, which is excluded if the data subject has no real freedom of choice or is not able to refuse or withdraw consent without suffering detriment. Nor can consent constitute a valid legal basis where there is a clear imbalance between the data subject and the controller, and that imbalance gives rise to doubt as to whether the consent was given freely in all the circumstances of that particular situation.
Recital 47 provides details on how the legitimate interest of the controller is weighed against the rights and freedoms of the data subject. A legitimate interest may exist in particular when there is a relevant and appropriate link between the data subject and the controller, for example if the data subject is a client of, or in the service of, the controller. In any case, the data subject must reasonably be able to expect, at the time and in the context of data collection, that the data will be processed for this purpose.
It should be noted that the latest version of the Regulation excludes the criterion of the legitimate interests of the controller (Art. 6, f)) for processing carried out by public authorities in the performance of their tasks, imposing a return to a strict lawfulness requirement for the processing in question.
Still according to recital 47, the data subject should be able to object to the processing in question, on grounds relating to his or her particular situation, and may do so free of charge. To ensure transparency, the controller should be required to explicitly inform the data subject of the legitimate interests pursued and to justify them, as well as of the data subject's right to object to the processing.
The Regulation also gives an important clarification regarding processing justified by a law, in the cases referred to in Article 6, paragraph 1, c) (processing necessary for compliance with a legal obligation) and Article 6, paragraph 1, subparagraph e) (processing necessary for the performance of a task carried out in the public interest). In both cases, the legal basis for the processing should be laid down in Union law or in the national law of the Member State to which the controller is subject (see Art. 6, paragraph 3).
Contrary to the idea of a Regulation unifying the rules on the matter, the 3rd paragraph, b) of Article 6 explicitly states that this legal basis can contain specific provisions adapting the application of the rules of the Regulation (e.g., the general conditions governing the lawfulness of the processing, the categories of data that are subject to processing, the entities to which the data can be disclosed and the purposes for which they can be disclosed, the purpose limitation, etc.). The final version of the Regulation states that the Union or Member State law must meet an objective of public interest and be proportionate to the legitimate aim pursued.
The final provision no longer opens the conditions in which a purpose can be changed, in case that the latter is incompatible with the initial purpose. The evolution of the text shows a real debate: the original text contained no rule while the second version introduced a specific paragraph (§ 4). If the data were collected by the same controller, subsequent processing would have been allowed despite the incompatibility of the purposes, as far as such incompatibility could be justified by any of the general assumptions of legality provided for in paragraph 1 of the provision. In other words, the controller could always find a solution to an incompatibility between the initial purpose and the subsequent purposes of processing by identifying a new basis for lawfulness of the processing.
The latest version of the Regulation has purely and simply removed this paragraph. The Article 29 Working Party had strongly criticised this provision, which would have undermined the purpose limitation principle and emptied it of its substance (cf. G29, Opinion 03/2013 on purpose limitation, 2 April 2013, pp. 36 and 37).
The basic principle is therefore the requirement that new purposes be compatible with the initial purposes, except with the consent of the data subject or where a specific legal text so allows, on the same grounds that justify a restriction of the rights and obligations provided for by the Regulation (see Article 23(1)). In case of incompatibility, the pursuit of the incompatible purpose is prohibited.
The text of the Regulation (Art. 6, 4) provides some criteria for assessing this compatibility: for example, the existence of a link between the purpose for which the data were collected and the purposes of the intended further processing, the nature of the personal data to be processed, the possible consequences of the intended further processing for the data subjects, or the existence of appropriate safeguards, which may include encryption and pseudonymisation.
Finally, the final version of the Regulation introduces a new paragraph 3 allowing the Member States to adapt the provisions of the Regulation in view of the conformity of processing with Article 6, paragraph 1, under c) (legal obligation) and e) (task of public interest), by determining more precisely the obligations for processing and other measures to ensure the legality and lawfulness, also with regard to the special situations of processing referred to in chapter IV.
The Directive
Article 7 of the Directive provides that data processing can be performed only if one of the hypotheses set out in the provision is met:
- the unambiguous consent of the data subject (consent);
- the need for the performance of a contract with the data subject (contract);
- the need for compliance with a legal obligation to which the controller is subject (legal obligation);
- the need to safeguard the vital interests of the data subject (vital interest);
- the need for the performance of a task carried out in the public interest or in the exercise of official authority (task of public interest) vested in the controller or in a third party to whom the data are disclosed.
A final hypothesis, the search for a balance of interests, requires an evaluation that is more difficult in practice. The processing must be necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (legitimate interest).
Potential issues
The clarifications provided by the Regulation often endorse the interpretations of the former texts advocated by the National Commissions and the Article 29 Working Party.
The possibility left to the Member States to adapt the rules applicable to processing imposed by national legislation is, however, more problematic. It reflects the willingness of states to reserve part of their sovereignty wherever there is a relationship between the state, or one of its entities, and the controller or citizen. Understandable as it is, this opportunity to continue to regulate a large number of processing cases on a specific, national basis opens a significant breach in the supposed acquis brought by the Regulation: the unification of the rules at European level.
The biggest disappointment comes from the refusal to make the principle of compatibility of purposes more flexible. The prohibition of processing in case of incompatible purposes stands in the way of the evolution of processing, which is somehow “frozen” at its initial purpose. If data have been processed for the purposes of performing a contract, they cannot be communicated to a third party to feed a big data profiling process, except with the data subject's consent or a legal authorisation.
To be clear, the point was never to permit such a change without safeguards: the data subject would have been perfectly protected had the text kept the principle, as the second version specified, that the second purpose gives rise to new processing, which must comply with all the provisions of the law (new information to the data subjects, identification of a new lawfulness criterion, etc.).
The Regulation's solution is different: no purpose can be changed without the data subject's prior consent. In practice, thinking for example of Big Data projects, this strict rule may render a large number of projects unlawful. Not to mention data provision services, in particular in the area of marketing, which often do not have the data subject's prior consent.
Summary
European Union
European data protection board (EDPB)
Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (8 October 2019)
Pursuant to Article 8 of the Charter of Fundamental Rights of the European Union, personal data must be processed fairly for specified purposes and on the basis of a legitimate basis laid down by law. In this regard, Article 6(1) of the General Data Protection Regulation (GDPR) specifies that processing shall be lawful only on the basis of one of six specified conditions set out in Article 6(1)(a) to (f). Identifying the appropriate legal basis that corresponds to the objective and essence of the processing is of essential importance. Controllers must, inter alia, take into account the impact on data subjects’ rights when identifying the appropriate lawful basis in order to respect the principle of fairness.
Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. This supports the freedom to conduct a business, which is guaranteed by Article 16 of the Charter, and reflects the fact that sometimes the contractual obligations towards the data subject cannot be performed without the data subject providing certain personal data. If the specific processing is part and parcel of delivery of the requested service, it is in the interests of both parties to process that data, as otherwise the service could not be provided and the contract could not be performed. However, the ability to rely on this or one of the other legal bases mentioned in Article 6(1) does not exempt the controller from compliance with the other requirements of the GDPR.
Articles 56 and 57 of the Treaty on the Functioning of the European Union define and regulate the freedom to provide services within the European Union. Specific EU legislative measures have been adopted in respect of ‘information society services’. These services are defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” This definition extends to services that are not paid for directly by the persons who receive them, such as online services funded through advertising. ‘Online services’ as used in these guidelines refers to ‘information society services’.
The development of EU law reflects the central importance of online services in modern society. The proliferation of always-on mobile internet and the widespread availability of connected devices have enabled the development of online services in fields such as social media, e-commerce, internet search, communication, and travel. While some of these services are funded by user payments, others are provided without monetary payment by the consumer, instead financed by the sale of online advertising services allowing for targeting of data subjects. Tracking of user behaviour for the purposes of such advertising is often carried out in ways the user is often not aware of, and it may not be immediately obvious from the nature of the service provided, which makes it almost impossible in practice for the data subject to exercise an informed choice over the use of their data.
Against this background, the European Data Protection Board (EDPB) considers it appropriate to provide guidance on the applicability of Article 6(1)(b) to processing of personal data in the context of online services, in order to ensure that this lawful basis is only relied upon where appropriate.
The Article 29 Working Party (WP29) has previously expressed views on the contractual necessity basis under Directive 95/46/EC in its opinion on the notion of legitimate interests of the data controller. Generally, that guidance remains relevant to Article 6(1)(b) and the GDPR.
Guidelines 05/2020 on consent under Regulation 2016/679 (4 May 2020)
Guidelines on the targeting of social media users (13 April 2021)
A significant development in the online environment over the past decade has been the rise of social media. More and more individuals use social media to stay in touch with family and friends, to engage in professional networking or to connect around shared interests and ideas. For the purposes of these guidelines, social media are understood as online platforms that enable the development of networks and communities of users, among which information and content is shared.
Key characteristics of social media include the ability for individuals to register in order to create “accounts” or “profiles” for themselves, to interact with one another by sharing user-generated or other content and to develop connections and networks with other users.
As part of their business model, many social media providers offer targeting services. Targeting services make it possible for natural or legal persons (“targeters”) to communicate specific messages to the users of social media in order to advance commercial, political, or other interests.
A distinguishing characteristic of targeting is the perceived fit between the person or group being targeted and the message that is being delivered. The underlying assumption is that the better the fit, the higher the reception rate (conversion) and thus the more effective the targeting campaign (return on investment). Mechanisms to target social media users have increased in sophistication over time. Organisations now have the ability to target individuals on the basis of a wide range of criteria. Such criteria may have been developed on the basis of personal data which users have actively provided or shared, such as their relationship status. Increasingly, however, targeting criteria are also developed on the basis of personal data which has been observed or inferred, either by the social media provider or by third parties, and collected (aggregated) by the platform or by other actors (e.g. data brokers) to support ad-targeting options. In other words, the targeting of social media users involves not just the act of “selecting” the individuals or groups of individuals that are the intended recipients of a particular message (the ‘target audience’), but rather it involves an entire process carried out by a set of stakeholders which results in the delivery of specific messages to individuals with social media accounts.
The combination and analysis of data originating from different sources, together with the potentially sensitive nature of personal data processed in the context of social media, creates risks to the fundamental rights and freedoms of individuals. From a data protection perspective, many risks relate to the possible lack of transparency and user control. For the individuals concerned, the underlying processing of personal data which results in the delivery of a targeted message is often opaque. Moreover, it may involve unanticipated or undesired uses of personal data, which raise questions not only concerning data protection law, but also in relation to other fundamental rights and freedoms. Recently, social media targeting has gained increased public interest and regulatory scrutiny in the context of democratic decision making and electoral processes.
Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications (9 March 2021)
The EDPB would like to point out that these guidelines are intended to facilitate compliance of the processing of personal data carried out by a wide range of stakeholders working in this environment. However, they are not intended to cover all use cases possible in this context or to provide guidance for every possible specific situation.
The scope of this document focuses in particular on the personal data processing in relation to the non-professional use of connected vehicles by data subjects: e.g., drivers, passengers, vehicle owners, other road users, etc. More specifically, it deals with the personal data: (i) processed inside the vehicle, (ii) exchanged between the vehicle and personal devices connected to it (e.g., the user’s smartphone) or (iii) collected locally in the vehicle and exported to external entities (e.g., vehicle manufacturers, infrastructure managers, insurance companies, car repairers) for further processing.
Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (19 May 2021)
Guidelines 02/2021 on virtual voice assistants (7 July 2021)
A virtual voice assistant (VVA) is a service that understands voice commands and executes them or mediates with other IT systems if needed. VVAs are currently available on most smartphones and tablets, traditional computers, and, in recent years, even standalone devices like smart speakers. VVAs act as an interface between users and their computing devices and online services such as search engines or online shops. Due to their role, VVAs have access to a huge amount of personal data, including all users’ commands (e.g. browsing or search history) and answers (e.g. appointments in the agenda).
These guidelines identify some of the most relevant compliance challenges and provide recommendations to relevant stakeholders on how to address them.
Other
Processing Personal Data on the Basis of Legitimate Interests under the GDPR: Practical Cases
Legitimate interest has long been one of the primary grounds relied on by organisations for many different types of processing. Other than in the case of public authorities, “legitimate interests”, as a basis for lawful processing, is not substantially changed by the General Data Protection Regulation (GDPR). Indeed, Article 7(1)(f) of Directive 95/46, as well as Article 6(1)(f) of the GDPR, allow processing of personal data on the grounds of the legitimate interests of the controller or of third parties. However, using the “legitimate interests” ground for lawful processing is far more complicated than merely having a legitimate interest in processing the personal data at issue. The “balancing exercise” that must be conducted between the interests of the controller or third parties and the rights and freedoms of the data subject is a very important component of lawfully using this ground for processing. Equally important is the “necessity” of processing that data to accomplish that specific interest. But all this sounds theoretical and difficult to grasp in practice, despite the guidance that has been issued by European Data Protection Authorities and by other organisations. The Future of Privacy Forum and NYMITY collaborated to create this Report and identify specific cases that have been decided at the national level by Data Protection Authorities (DPAs) and Courts from the European Economic Area (EEA), as well as the most relevant cases where the Court of Justice of the European Union interpreted and applied the “legitimate interests” ground. We looked at cases across industries and compiled them in two lists: one for uses of this ground that were found lawful and one for uses that were found unlawful. All of them contain useful examples of how the “balancing exercise” is conducted in practice, as well as examples of safeguards that were needed to tilt the balance and make the processing lawful.
Some of them have short comments at the end of the summary that point out interesting features of the case.
Article 29 Working Party
Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (6 February 2018)
The General Data Protection Regulation (the GDPR) specifically addresses profiling and automated individual decision-making, including profiling.
Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Banking and finance, healthcare, taxation, insurance, marketing and advertising are just a few examples of the fields where profiling is being carried out more regularly to aid decision-making.
Advances in technology and the capabilities of big data analytics, artificial intelligence and machine learning have made it easier to create profiles and make automated decisions with the potential to significantly impact individuals’ rights and freedoms.
The widespread availability of personal data on the internet and from Internet of Things (IoT) devices, and the ability to find correlations and create links, can allow aspects of an individual’s personality or behaviour, interests and habits to be determined, analysed and predicted.
Profiling and automated decision-making can be useful for individuals and organisations, delivering benefits such as:
- increased efficiencies; and
- resource savings.
They have many commercial applications, for example, they can be used to better segment markets and tailor services and products to align with individual needs. Medicine, education, healthcare and transportation can also all benefit from these processes.
However, profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards.
These processes can be opaque. Individuals might not know that they are being profiled or understand what is involved.
Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. In some cases, profiling can lead to inaccurate predictions. In other cases it can lead to denial of services and goods and unjustified discrimination.
The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of these guidelines is to clarify those provisions.
This document covers:
- Definitions of profiling and automated decision-making and the GDPR approach to these in general – Chapter II
- General provisions on profiling and automated decision-making – Chapter III
- Specific provisions on solely automated decision-making defined in Article 22 – Chapter IV
- Children and profiling – Chapter V
- Data protection impact assessments and data protection officers – Chapter VI
The Annexes provide best practice recommendations, building on the experience gained in EU Member States.
The Article 29 Data Protection Working Party (WP29) will monitor the implementation of these guidelines and may complement them with further details as appropriate.
Guidelines on Consent under Regulation 2016/679 (10 April 2018)
These Guidelines provide a thorough analysis of the notion of consent in Regulation 2016/679, the General Data Protection Regulation (hereafter: GDPR). The concept of consent as used in the Data Protection Directive (hereafter: Directive 95/46/EC) and in the e-Privacy Directive to date, has evolved. The GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent. These Guidelines focus on these changes, providing practical guidance to ensure compliance with the GDPR and building upon Opinion 15/2011 on consent. The obligation is on controllers to innovate to find new solutions that operate within the parameters of the law and better support the protection of personal data and the interests of data subjects.
Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. When initiating activities that involve processing of personal data, a controller must always take time to consider what would be the appropriate lawful ground for the envisaged processing.
Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.
The existing Article 29 Working Party (WP29) Opinions on consent remain relevant, where consistent with the new legal framework, as the GDPR codifies existing WP29 guidance and general good practice and most of the key elements of consent remain the same under the GDPR. Therefore, in this document, WP29 expands upon and completes earlier Opinions on specific topics that include reference to consent under Directive 95/46/EC, rather than replacing them.
As stated in Opinion 15/2011 on the definition on consent, inviting people to accept a data processing operation should be subject to rigorous requirements, since it concerns the fundamental rights of data subjects and the controller wishes to engage in a processing operation that would be unlawful without the data subject’s consent. The crucial role of consent is underlined by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Furthermore, obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality. Even if the processing of personal data is based on consent of the data subject, this would not legitimise collection of data which is not necessary in relation to a specified purpose of processing and be fundamentally unfair.
Meanwhile, WP29 is aware of the review of the ePrivacy Directive (2002/58/EC). The notion of consent in the draft ePrivacy Regulation remains linked to the notion of consent in the GDPR. Organisations are likely to need consent under the ePrivacy instrument for most online marketing messages or marketing calls, and online tracking methods including by the use of cookies or apps or other software. WP29 has already provided recommendations and guidance to the European legislator on the Proposal for a Regulation on ePrivacy.
With regard to the existing e-Privacy Directive, WP29 notes that references to the repealed Directive 95/46/EC shall be construed as references to the GDPR. This also applies to references to consent in the current Directive 2002/58/EC, as the ePrivacy Regulation will not (yet) be in force from 25 May 2018. According to Article 95 GDPR, additional obligations in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks shall not be imposed insofar as the e-Privacy Directive imposes specific obligations with the same objective. WP29 notes that the requirements for consent under the GDPR are not considered to be an ‘additional obligation’, but rather as preconditions for lawful processing. Therefore, the GDPR conditions for obtaining valid consent are applicable in situations falling within the scope of the e-Privacy Directive.
European Commission
Letter of the 6 March 2020 to the Dutch Data Protection Authority
According to the Commission, "it is not possible to generally conclude that a pure commercial interest is not capable of overriding the fundamental rights and freedoms of the data subject, as this must be assessed on the basis of a concrete balancing test".
Summary
European Union
CJEU caselaw
- C-465/00 ; C-138/01 ; C-139/01 (20 May 2003) - Österreichischer Rundfunk e.a.
- C-524/06 (16 December 2008) - Huber
- C-468/10 ; C-469/10 (24 November 2011) - ASNEF
- C-342/12 (30 May 2013) - Worten
- C-683/13 (19 June 2014) - Pharmacontinente - Saúde e Higiene e.a.
- C-582/14 (19 October 2016) - Breyer
- C-13/16 (4 May 2017) - Rīgas satiksme
- C-73/16 (27 September 2017) - Puškár
- C-496/17 (16 January 2019) - Deutsche Post
- C-40/17 (29 July 2019) - Fashion ID
- C-673/17 (1 October 2019) - Planet49
- C-708/18 (11 December 2019) - Asociaţia de Proprietari bloc M5A-ScaraA
- C-61/19 (11 November 2020) - Orange Romania SA
- C-505/19 (12 May 2021) - Bundesrepublik Deutschland
- C-597/19 (17 June 2021) - MICM Ltd. v Telenet BVBA
- C-439/19 (22 June 2021) - Latvijas Republikas Saeima (Penalty points)
- C-184/20 (1 October 2022) - Vyriausioji tarnybinės etikos komisija
- C-77/21 (20 October 2022) - Digi
- C-180/21 (8 December 2022) - VS v Inspektor v Inspektorata kam Visshia sadeben savet
- C-306/21 (20 October 2022) - Koalitsia "Demokratichna Bulgaria - Obedinenie"
- C-268/21 (2 March 2023) - Norra Stockholm Bygg
- C-60/22 (4 May 2023) - Bundesrepublik Deutschland
- C-204/21 (5 June 2023) - Commission v Poland (Independence and private life of judges)
- C-252/21 (4 July 2023) - Meta Platforms e.a. (General terms and conditions of use of a social network)
- C-26/22 (7 December 2023) - SCHUFA Holding (Discharge from remaining debts)
- C-667/21 (21 December 2023) - Krankenversicherung Nordrhein
- C-740/22 (7 March 2024) - Endemol Shine Finland
- C-17/22 (12 September 2024) - HTB Neunte Immobilien Portfolio
- C-621/22 (4 October 2024) - Koninklijke Nederlandse Lawn Tennisbond
- C-394/23 (9 January 2025) - Mousse
European Union
CJEU caselaw
C-465/00 ; C-138/01 ; C-139/01 (20 May 2003) - Österreichischer Rundfunk e.a.
1. Articles 6(1)(c) and 7(c) and (e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data do not preclude national legislation such as that at issue in the main proceedings, provided that it is shown that the wide disclosure not merely of the amounts of the annual income above a certain threshold of persons employed by the bodies subject to control by the Rechnungshof but also of the names of the recipients of that income is necessary for and appropriate to the objective of proper management of public funds pursued by the legislature, that being for the national courts to ascertain.
2. Articles 6(1)(c) and 7(c) and (e) of Directive 95/46 are directly applicable, in that they may be relied on by an individual before the national courts to oust the application of rules of national law which are contrary to those provisions.
C-524/06 (16 December 2008) - Huber
1. A system for processing personal data relating to Union citizens who are not nationals of the Member State concerned, such as that put in place by the Law on the central register of foreign nationals (Gesetz über das Ausländerzentralregister) of 2 September 1994, as amended by the Law of 21 June 2005, and having as its object the provision of support to the national authorities responsible for the application of the law relating to the right of residence does not satisfy the requirement of necessity laid down by Article 7(e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, interpreted in the light of the prohibition on any discrimination on grounds of nationality, unless:
- it contains only the data which are necessary for the application by those authorities of that legislation, and
- its centralised nature enables the legislation relating to the right of residence to be more effectively applied as regards Union citizens who are not nationals of that Member State.
It is for the national court to ascertain whether those conditions are satisfied in the main proceedings.
The storage and processing of personal data containing individualised personal information in a register such as the Central Register of Foreign Nationals for statistical purposes cannot, on any basis, be considered to be necessary within the meaning of Article 7(e) of Directive 95/46.
2. Article 12(1) EC must be interpreted as meaning that it precludes the putting in place by a Member State, for the purpose of fighting crime, of a system for processing personal data specific to Union citizens who are not nationals of that Member State.
C-468/10 ; C-469/10 (24 November 2011) - ASNEF
1. Article 7(f) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as precluding national rules which, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed, require not only that the fundamental rights and freedoms of the data subject be respected, but also that the data should appear in public sources, thereby excluding, in a categorical and generalised way, any processing of data not appearing in such sources.
2. Article 7(f) of Directive 95/46 has direct effect.
C-342/12 (30 May 2013) - Worten
1. Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that a record of working time, such as that at issue in the main proceedings, which indicates, in relation to each worker, the times when working hours begin and end, as well as the corresponding breaks and intervals, is included within the concept of ‘personal data’, within the meaning of that provision.
2. Article 6(1)(b) and (c) and Article 7(c) and (e) of Directive 95/46 do not preclude national legislation, such as that at issue in the main proceedings, which requires an employer to make the record of working time available to the national authority responsible for monitoring working conditions so as to allow its immediate consultation, provided that this obligation is necessary for the purposes of the performance by that authority of its task of monitoring the application of the legislation relating to working conditions, in particular as regards working time.
C-683/13 (19 June 2014) - Pharmacontinente - Saúde e Higiene e.a.
1. Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that a record of working time, such as that at issue in the main proceedings, which indicates, in relation to each worker, the times when working hours begin and end, as well as the corresponding breaks and intervals, is covered by the concept of ‘personal data’ as referred to in that provision.
2. Article 6(1)(b) and (c) and Article 7(c) and (e) of Directive 95/46 must be interpreted as not precluding national legislation, such as that at issue in the main proceedings, which requires an employer to make the record of working time available to the national authority responsible for monitoring working conditions so as to allow its immediate consultation, provided that this obligation is necessary for the purposes of the performance by that authority of its task of monitoring the application of the legislation relating to working conditions, in particular as regards working time.
3. It is for the referring court to determine whether the employer’s obligation to provide the national authority responsible for monitoring working conditions access to the record of working time so as to allow its immediate consultation may be considered necessary for the purposes of the performance by that authority of its monitoring task, by contributing to the more effective application of the legislation relating to working conditions, in particular as regards working time, and, if so, whether the penalties imposed with a view to ensuring the effective application of the requirements laid down by Directive 2003/88/EC of the European Parliament and of the Council of 4 November 2003, concerning certain aspects of the organisation of working time, are consistent with the principle of proportionality.
C-582/14 (19 October 2016) - Breyer
1. Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.
2. Article 7(f) of Directive 95/46 must be interpreted as precluding the legislation of a Member State, pursuant to which an online media services provider may collect and use personal data relating to a user of those services, without his consent, only in so far as the collection and use of that data are necessary to facilitate and charge for the specific use of those services by that user, even though the objective aiming to ensure the general operability of those services may justify the use of those data after a consultation period of those websites.
C-13/16 (4 May 2017) - Rīgas satiksme
Article 7(f) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not imposing the obligation to disclose personal data to a third party in order to enable him to bring an action for damages before a civil court for harm caused by the person concerned by the protection of that data. However, Article 7(f) of that directive does not preclude such disclosure on the basis of national law.
C-73/16 (27 September 2017) - Puškár
1. Article 47 of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that it does not preclude national legislation, which makes the exercise of a judicial remedy by a person stating that his right to protection of personal data guaranteed by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, has been infringed, subject to the prior exhaustion of the remedies available to him before the national administrative authorities, provided that the practical arrangements for the exercise of such remedies do not disproportionately affect the right to an effective remedy before a court referred to in that article. It is important, in particular, that the prior exhaustion of the available remedies before the national administrative authorities does not lead to a substantial delay in bringing a legal action, that it involves the suspension of the limitation period of the rights concerned and that it does not involve excessive costs.
2. Article 47 of the Charter of Fundamental Rights of the European Union must be interpreted as precluding that a national court rejects, as evidence of an infringement of the protection of personal data conferred by Directive 95/46, a list, such as the contested list, submitted by the data subject and containing personal data relating to him, if that person had obtained that list without the consent, legally required, of the person responsible for processing that data, unless such rejection is laid down by national legislation and respects both the essential content of the right to an effective remedy and the principle of proportionality.
3. Article 7(e) Directive 95/46 must be interpreted as not precluding the processing of personal data by the authorities of a Member State for the purpose of collecting tax and combating tax fraud such as that effected by drawing up of a list of persons such as that at issue in the main proceedings, without the consent of the data subjects, provided that, first, those authorities were invested by the national legislation with tasks carried out in the public interest within the meaning of that article, that the drawing-up of that list and the inclusion on it of the names of the data subjects in fact be adequate and necessary for the attainment of the objectives pursued and that there be sufficient indications to assume that the data subjects are rightly included in that list and, second, that all of the conditions for the lawfulness of that processing of personal data imposed by Directive 95/46 be satisfied.
C-496/17 (16 January 2019) - Deutsche Post
The second subparagraph of Article 24(1) of Commission Implementing Regulation (EU) 2015/2447 of 24 November 2015 laying down detailed rules for implementing certain provisions of Regulation (EU) No 952/2013 of the European Parliament and of the Council laying down the Union Customs Code, read in the light of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that the customs authorities may require an applicant for AEO status to send to them the tax identification numbers, allocated for the purposes of collecting income tax, concerning solely the natural persons who are in charge of the applicant or who exercise control over its management and those who are in charge of the applicant’s customs matters, and the details of the tax offices responsible for the taxation of all those persons, to the extent that that data enables those authorities to obtain information on serious or repeated infringements of customs legislation or taxation rules or on serious criminal offences, committed by those natural persons and relating to their economic activity.
C-40/17 (29 July 2019) - Fashion ID
1. Articles 22 to 24 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data.
2. The operator of a website, such as Fashion ID GmbH & Co. KG, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.
3. In a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, it is necessary that that operator and that provider each pursue a legitimate interest, within the meaning of Article 7(f) of Directive 95/46, through those processing operations in order for those operations to be justified in respect of each of them.
4. Article 2(h) and Article 7(a) of Directive 95/46 must be interpreted as meaning that, in a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, the consent referred to in those provisions must be obtained by that operator only with regard to the operation or set of operations involving the processing of personal data in respect of which that operator determines the purposes and means. In addition, Article 10 of that directive must be interpreted as meaning that, in such a situation, the duty to inform laid down in that provision is incumbent also on that operator, but the information that the latter must provide to the data subject need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means.
C-673/17 (1 October 2019) - Planet49
1. Article 2(f) and Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in conjunction with Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Article 4(11) and Article 6(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 (General Data Protection Regulation), must be interpreted as meaning that the consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.
2. Article 2(f) and Article 5(3) of Directive 2002/58, as amended by Directive 2009/136, read in conjunction with Article 2(h) of Directive 95/46 and Article 4(11) and Article 6(1)(a) of Regulation 2016/679, are not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment is personal data within the meaning of Directive 95/46 and Regulation 2016/679.
3. Article 5(3) of Directive 2002/58, as amended by Directive 2009/136, must be interpreted as meaning that the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.
C-708/18 (11 December 2019) - Asociaţia de Proprietari bloc M5A-ScaraA
Article 6(1)(c) and Article 7(f) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as not precluding national provisions which authorise the installation of a video surveillance system, such as the system at issue in the main proceedings, installed in the common parts of a residential building, for the purposes of pursuing legitimate interests of ensuring the safety and protection of individuals and property, without the consent of the data subjects, if the processing of personal data carried out by means of the video surveillance system at issue fulfils the conditions laid down in Article 7(f), which it is for the referring court to determine.
C-61/19 (11 November 2020) - Orange Romania SA
Article 2(h) and Article 7(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Article 4(11) and Article 6(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that it is for the data controller to demonstrate that the data subject has, by active behaviour, given his or her consent to the processing of his or her personal data and that he or she has obtained, beforehand, information relating to all the circumstances surrounding that processing, in an intelligible and easily accessible form, using clear and plain language, allowing that person easily to understand the consequences of that consent, so that it is given with full knowledge of the facts. A contract for the provision of telecommunications services which contains a clause stating that the data subject has been informed of, and has consented to, the collection and storage of a copy of his or her identity document for identification purposes is not such as to demonstrate that that person has validly given his or her consent, as provided for in those provisions, to that collection and storage, where
- the box referring to that clause has been ticked by the data controller before the contract was signed, or where
- the terms of that contract are capable of misleading the data subject as to the possibility of concluding the contract in question even if he or she refuses to consent to the processing of his or her data, or where
- the freedom to choose to object to that collection and storage is unduly affected by that controller, in requiring that the data subject, in order to refuse consent, must complete an additional form setting out that refusal.
C-505/19 (12 May 2021) - Bundesrepublik Deutschland
1. Article 54 of the Convention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders, signed in Schengen on 19 June 1990 and which entered into force on 26 March 1995, and Article 21(1) TFEU, read in the light of Article 50 of the Charter of Fundamental Rights of the European Union, must be interpreted as not precluding the provisional arrest, by the authorities of a State that is a party to the Agreement between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders, signed in Schengen on 14 June 1985, or by those of a Member State, of a person in respect of whom the International Criminal Police Organisation (Interpol) has published a red notice, at the request of a third State, unless it is established, in a final judicial decision taken in a State that is a party to that agreement or in a Member State, that the trial of that person in respect of the same acts as those on which that red notice is based has already been finally disposed of by a State that is a party to that agreement or by a Member State respectively.
2. The provisions of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, read in the light of Article 54 of the Convention implementing the Schengen Agreement, signed on 19 June 1990, and of Article 50 of the Charter of Fundamental Rights, must be interpreted as not precluding the processing of personal data appearing in a red notice issued by the International Criminal Police Organisation (Interpol) in the case where it has not been established in a final judicial decision taken in a State that is a party to the Agreement between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders, signed in Schengen on 14 June 1985, or in a Member State that the ne bis in idem principle applies in respect of the acts on which that notice is based, provided that such processing satisfies the conditions laid down by that directive, in particular in that it is necessary for the performance of a task carried out by a competent authority, within the meaning of Article 8(1) of that directive.
3. The fifth question referred for a preliminary ruling is inadmissible.
C-597/19 (17 June 2021) - MICM Ltd. v Telenet BVBA
Point (f) of the first subparagraph of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in conjunction with Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, must be interpreted as meaning that it precludes, in principle, neither the systematic recording, by the holder of intellectual property rights as well as by a third party on his or her behalf, of IP addresses of users of peer-to-peer networks whose Internet connections have allegedly been used in infringing activities, nor the communication of the names and of the postal addresses of those users to that rightholder or to a third party in order to enable it to bring a claim for damages before a civil court for prejudice allegedly caused by those users, provided, however, that the initiatives and requests to that effect of that rightholder or of such a third party are justified, proportionate and not abusive and have their legal basis in a national legislative measure, within the meaning of Article 15(1) of Directive 2002/58, which limits the scope of the rules laid down in Articles 5 and 6 of that directive, as amended.
C-439/19 (22 June 2021) - Latvijas Republikas Saeima (Penalty points)
1. Article 10 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as applying to the processing of personal data relating to penalty points imposed on drivers of vehicles for road traffic offences.
2. The provisions of Regulation (EU) 2016/679, in particular Article 5(1), Article 6(1)(e) and Article 10 thereof, must be interpreted as precluding national legislation which obliges the public body responsible for the register in which penalty points imposed on drivers of vehicles for road traffic offences are entered to make those data accessible to the public, without the person requesting access having to establish a specific interest in obtaining the data.
3. The provisions of Regulation (EU) 2016/679, in particular Article 5(1), Article 6(1)(e) and Article 10 thereof, must be interpreted as precluding national legislation which authorises the public body responsible for the register in which penalty points imposed on drivers of vehicles for road traffic offences are entered to disclose those data to economic operators for re-use.
4. The principle of primacy of EU law must be interpreted as precluding the constitutional court of a Member State, before which a complaint has been brought challenging national legislation that proves, in the light of a preliminary ruling given by the Court of Justice, to be incompatible with EU law, from deciding, in accordance with the principle of legal certainty, that the legal effects of that legislation be maintained until the date of delivery of the judgment by which it rules finally on that constitutional complaint.
C-184/20 (1 August 2022) - Vyriausioji tarnybinės etikos komisija
1. Article 7(c) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and point (c) of the first subparagraph of Article 6(1) and Article 6(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in the light of Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation that provides for the publication online of the declaration of private interests that any head of an establishment receiving public funds is required to lodge, in so far as, in particular, that publication concerns name-specific data relating to his or her spouse, cohabitee or partner, or to persons who are close relatives of the declarant, or are known by him or her, liable to give rise to a conflict of interests, or concerns any transaction concluded during the last 12 calendar months the value of which exceeds EUR 3 000.
2. Article 8(1) of Directive 95/46 and Article 9(1) of Regulation 2016/679 must be interpreted as meaning that the publication, on the website of the public authority responsible for collecting and checking the content of declarations of private interests, of personal data that are liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data, for the purpose of those provisions.
Opinion of the Advocate General
C-77/21 (20 October 2022) - Digi
1. Article 5(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that the principle of ‘purpose limitation’, laid down in that provision, does not preclude the recording and storage by the controller, in a database created for the purposes of carrying out tests and correcting errors, of personal data previously collected and stored in another database, where such further processing is compatible with the specific purposes for which the personal data were initially collected, which must be determined in the light of the criteria in Article 6(4) of that regulation.
2. Article 5(1)(e) of Regulation 2016/679
must be interpreted as meaning that the principle of ‘storage limitation’, laid down in that provision, precludes the storage by the controller, in a database created for the purposes of carrying out tests and correcting errors, of personal data previously collected for other purposes, for longer than is necessary for the conducting of those tests and the correction of those errors.
C-180/21 (8 December 2022) - VS v Inspektor v Inspektorata kam Visshia sadeben savet
Article 6(1) of Regulation 2016/679 must be interpreted as meaning that where an action for damages against the State is based on alleged misconduct on the part of the public prosecutor’s office in the performance of its tasks in criminal matters, such processing of personal data may be regarded as lawful if it is necessary for the performance of a task carried out in the public interest, within the meaning of point (e) of the first subparagraph of Article 6(1) of that regulation, for the purpose of defending the legal and financial interests of the State which falls to the public prosecutor’s office in those proceedings, provided that that processing of personal data complies with all the applicable requirements provided for by that regulation.
C-306/21 (20 October 2022) - Koalitsia "Demokratichna Bulgaria - Obedinenie"
Judgment available in French only; translated here:
1. Article 2(2)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that the processing of personal data in the context of the organisation of elections in a Member State is not excluded from the scope of that regulation.
2. Article 6(1)(e) and Article 58 of Regulation 2016/679 must be interpreted as meaning that those provisions do not preclude the competent authorities of a Member State from adopting an administrative act of general application which provides for the restriction or, where appropriate, the prohibition of video recording of the counting of votes in polling stations during elections in that Member State.
Judgment delivered (French)
C-268/21 (2 March 2023) - Norra Stockholm Bygg
1. Article 6(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that provision applies, in the context of civil court proceedings, to the production as evidence of a staff register containing personal data of third parties collected principally for the purposes of tax inspection.
2. Articles 5 and 6 of Regulation 2016/679 must be interpreted as meaning that when assessing whether the production of a document containing personal data must be ordered, the national court is required to have regard to the interests of the data subjects concerned and to balance them according to the circumstances of each case, the type of proceeding at issue and duly taking into account the requirements arising from the principle of proportionality as well as, in particular, those resulting from the principle of data minimisation referred to in Article 5(1)(c) of that regulation.
C-60/22 (4 May 2023) - Bundesrepublik Deutschland
1. Article 17(1)(d) and Article 18(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that failure by the controller to comply with the obligations laid down in Articles 26 and 30 of that regulation, which relate, respectively, to the conclusion of an arrangement determining joint responsibility for processing and to the maintenance of a record of processing activities, does not constitute unlawful processing conferring on the data subject a right to erasure or restriction of processing, where such a failure does not, as such, entail an infringement by the controller of the principle of ‘accountability’ as set out in Article 5(2) of that regulation, read in conjunction with Article 5(1)(a) and the first subparagraph of Article 6(1) thereof.
2. EU law must be interpreted as meaning that, where the controller of personal data has failed to comply with its obligations under Articles 26 or 30 of Regulation 2016/679, the lawfulness of the taking into account of such data by a national court is not subject to the data subject’s consent.
C-204/21 (5 June 2023) - Commission v Poland (Independence and private life of judges)
1. Declares that by conferring on the Disciplinary Chamber of the Sąd Najwyższy (Supreme Court, Poland), whose independence and impartiality are not guaranteed, jurisdiction to hear and determine cases having a direct impact on the status of judges and trainee judges and the performance of their office, such as, on the one hand, applications for authorisation to initiate criminal proceedings against judges and trainee judges or to detain them and, on the other hand, cases relating to employment and social security law that concern judges of the Sąd Najwyższy (Supreme Court) and cases relating to the compulsory retirement of those judges, the Republic of Poland has failed to fulfil its obligations under the second subparagraph of Article 19(1) TEU;
2. Declares that by adopting and maintaining in force points 2 and 3 of Article 107(1) of the ustawa – Prawo o ustroju sądów powszechnych (Law relating to the organisation of the ordinary courts) of 27 July 2001, as amended by the ustawa o zmianie ustawy – Prawo o ustroju sądów powszechnych, ustawy o Sądzie Najwyższym oraz niektórych innych ustaw (Law amending the Law relating to the organisation of the ordinary courts, the Law on the Supreme Court and certain other laws) of 20 December 2019, and of points 1 to 3 of Article 72(1) of the ustawa o Sądzie Najwyższym (Law on the Supreme Court) of 8 December 2017, as amended by that law of 20 December 2019, which allow the examination of compliance with the EU requirements relating to an independent and impartial tribunal previously established by law to be classified as a disciplinary offence, the Republic of Poland has failed to fulfil its obligations under the second subparagraph of Article 19(1) TEU, read in conjunction with Article 47 of the Charter of Fundamental Rights of the European Union, and under Article 267 TFEU;
3. Declares that by adopting and maintaining in force Article 42a(1) and (2) and Article 55(4) of the Law relating to the organisation of the ordinary courts, as amended by the abovementioned law of 20 December 2019, Article 26(3) and Article 29(2) and (3) of the Law on the Supreme Court, as amended by that law of 20 December 2019, Article 5(1a) and (1b) of the ustawa – Prawo o ustroju sądów administracyjnych (Law relating to the organisation of the administrative courts) of 25 July 2002, as amended by the law of 20 December 2019, and Article 8 of the law of 20 December 2019, prohibiting any national court from verifying compliance with the requirements stemming from EU law relating to the guarantee of an independent and impartial tribunal previously established by law, the Republic of Poland has failed to fulfil its obligations under the second subparagraph of Article 19(1) TEU, read in conjunction with Article 47 of the Charter of Fundamental Rights, and under the principle of the primacy of EU law;
4. Declares that by adopting and maintaining in force Article 26(2) and (4) to (6) and Article 82(2) to (5) of the Law on the Supreme Court, as amended by the abovementioned law of 20 December 2019, and Article 10 of the law of 20 December 2019, which establish the exclusive jurisdiction of the Izba Kontroli Nadzwyczajnej i Spraw Publicznych (Extraordinary Review and Public Affairs Chamber) of the Sąd Najwyższy (Supreme Court) to examine complaints and questions of law concerning the lack of independence of a court or a judge, the Republic of Poland has failed to fulfil its obligations under the second subparagraph of Article 19(1) TEU, read in conjunction with Article 47 of the Charter, and under Article 267 TFEU and the principle of the primacy of EU law;
5. Declares that by adopting and maintaining in force Article 88a of the amended Law relating to the organisation of the ordinary courts, as amended by the law of 20 December 2019, Article 45(3) of the Law on the Supreme Court, as amended by the law of 20 December 2019, and Article 8(2) of the Law relating to the organisation of the administrative courts, as amended by the law of 20 December 2019, the Republic of Poland has infringed the right to respect for private life and the right to protection of personal data, guaranteed by Article 7 and Article 8(1) of the Charter of Fundamental Rights and by points (c) and (e) of the first subparagraph of Article 6(1), Article 6(3) and Article 9(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
6. Dismisses the action as to the remainder;
7. Orders the Republic of Poland to bear its own costs and to pay those incurred by the European Commission, including those relating to the proceedings for interim relief;
8. Orders the Kingdom of Belgium, the Kingdom of Denmark, the Kingdom of the Netherlands, the Republic of Finland, and the Kingdom of Sweden to bear their own costs.
C-252/21 (4 July 2023) - Meta Platforms and Others (General terms and conditions of use of a social network)
1. Article 51 et seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as well as Article 4(3) TEU must be interpreted as meaning that, subject to compliance with its duty of sincere cooperation with the supervisory authorities, a competition authority of a Member State can find, in the context of the examination of an abuse of a dominant position by an undertaking within the meaning of Article 102 TFEU, that that undertaking’s general terms of use relating to the processing of personal data and the implementation thereof are not consistent with that regulation, where that finding is necessary to establish the existence of such an abuse. In view of this duty of sincere cooperation, the national competition authority cannot depart from a decision by the competent national supervisory authority or the competent lead supervisory authority concerning those general terms or similar general terms. Where it has doubts as to the scope of such a decision, where those terms or similar terms are, simultaneously, under examination by those authorities, or where, in the absence of an investigation or decision by those authorities, the competition authority takes the view that the terms in question are not consistent with Regulation 2016/679, it must consult and seek the cooperation of those supervisory authorities in order to dispel its doubts or to determine whether it must wait for them to take a decision before starting its own assessment. In the absence of any objection on their part or of any reply within a reasonable time, the national competition authority may continue its own investigation;
2. Article 9(1) of Regulation 2016/679 must be interpreted as meaning that, where the user of an online social network visits websites or apps to which one or more of the categories referred to in that provision relate and, as the case may be, enters information into them when registering or when placing online orders, the processing of personal data by the operator of that online social network, which entails the collection – by means of integrated interfaces, cookies or similar storage technologies – of data from visits to those sites and apps and of the information entered by the user, the linking of all those data with the user’s social network account and the use of those data by that operator, must be regarded as ‘processing of special categories of personal data’ within the meaning of that provision, which is in principle prohibited, subject to the derogations provided for in Article 9(2), where that data processing allows information falling within one of those categories to be revealed, irrespective of whether that information concerns a user of that network or any other natural person;
3. Article 9(2)(e) of Regulation 2016/679 must be interpreted as meaning that, where the user of an online social network visits websites or apps to which one or more of the categories set out in Article 9(1) of that regulation relate, the user does not manifestly make public, within the meaning of the first of those provisions, the data relating to those visits collected by the operator of that online social network via cookies or similar storage technologies. Where he or she enters information into such websites or apps or where he or she clicks or taps on buttons integrated into those sites and apps, such as the ‘Like’ or ‘Share’ buttons or buttons enabling the user to identify himself or herself on those sites or apps using login credentials linked to his or her social network user account, his or her telephone number or email address, that user manifestly makes public, within the meaning of Article 9(2)(e), the data thus entered or resulting from the clicking or tapping on those buttons only in the circumstance where he or she has explicitly made the choice beforehand, as the case may be on the basis of individual settings selected with full knowledge of the facts, to make the data relating to him or her publicly accessible to an unlimited number of persons;
4. Point (b) of the first subparagraph of Article 6(1) of Regulation 2016/679 must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, can be regarded as necessary for the performance of a contract to which the data subjects are party, within the meaning of that provision, only on condition that the processing is objectively indispensable for a purpose that is integral to the contractual obligation intended for those users, such that the main subject matter of the contract cannot be achieved if that processing does not occur;
5. Point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, can be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, within the meaning of that provision, only on condition that the operator has informed the users from whom the data have been collected of a legitimate interest that is pursued by the data processing, that such processing is carried out only in so far as is strictly necessary for the purposes of that legitimate interest and that it is apparent from a balancing of the opposing interests, having regard to all the relevant circumstances, that the interests or fundamental freedoms and rights of those users do not override that legitimate interest of the controller or of a third party;
6. Point (c) of the first subparagraph of Article 6(1) of Regulation 2016/679 must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, is justified, under that provision, where it is actually necessary for compliance with a legal obligation to which the controller is subject, pursuant to a provision of EU law or the law of the Member State concerned, where that legal basis meets an objective of public interest and is proportionate to the legitimate aim pursued and where that processing is carried out only in so far as is strictly necessary;
7. Points (d) and (e) of the first subparagraph of Article 6(1) of Regulation 2016/679 must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, cannot, in principle and subject to verification by the referring court, be regarded as necessary in order to protect the vital interests of the data subject or of another natural person, within the meaning of point (d), or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, within the meaning of point (e);
8. Point (a) of the first subparagraph of Article 6(1) and Article 9(2)(a) of Regulation 2016/679 must be interpreted as meaning that the fact that the operator of an online social network holds a dominant position on the market for online social networks does not, as such, preclude the users of such a network from being able validly to consent, within the meaning of Article 4(11) of that regulation, to the processing of their personal data by that operator. This is nevertheless an important factor in determining whether the consent was in fact validly and, in particular, freely given, which it is for that operator to prove.
Opinion of the Advocate General
C-26/22 (7 December 2023) - SCHUFA Holding (Discharge from remaining debts)
1. Article 78(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that a decision on a complaint adopted by a supervisory authority is subject to full judicial review.
2. Article 5(1)(a) of Regulation 2016/679, read in conjunction with point (f) of the first subparagraph of Article 6(1) of that regulation, must be interpreted as precluding a practice of private credit information agencies consisting in retaining, in their own databases, information from a public register relating to the grant of a discharge from remaining debts in favour of natural persons in order to be able to provide information on the solvency of those persons, for a period extending beyond that during which the data are kept in the public register.
3. Article 17(1)(c) of Regulation 2016/679 must be interpreted as meaning that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where he or she objects to the processing pursuant to Article 21(1) of that regulation and there are no overriding legitimate grounds capable of justifying, exceptionally, the processing in question.
4. Article 17(1)(d) of Regulation 2016/679 must be interpreted as meaning that the controller is required to erase unlawfully processed personal data as soon as possible.
C-667/21 (21 December 2023) - Krankenversicherung Nordrhein
1. Article 9(2)(h) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the exception provided for in that provision is applicable to situations in which a medical examination body processes data concerning the health of one of its employees acting not in its capacity as employer, but as a medical service, in order to assess the working capacity of that employee, provided that the processing concerned satisfies the conditions and guarantees expressly imposed by that point (h) and by Article 9(3) of that regulation.
2. Article 9(3) of Regulation 2016/679 must be interpreted as meaning that the controller of data concerning health, based on Article 9(2)(h) of that regulation, is not required, under those provisions, to ensure that no colleague of the data subject can access data relating to his or her state of health. However, such an obligation may be imposed on the controller either under rules adopted by a Member State on the basis of Article 9(4) of that regulation or under the principles of integrity and confidentiality set out in Article 5(1)(f) of that regulation and defined in Article 32(1)(a) and (b) thereof.
3. Article 9(2)(h) and Article 6(1) of Regulation 2016/679 must be interpreted as meaning that the processing of data concerning health based on the first provision must, in order to be lawful, not only comply with the requirements arising from that provision, but must also satisfy at least one of the conditions of lawfulness set out in Article 6(1) of that regulation.
4. Article 82(1) of Regulation 2016/679 must be interpreted as meaning that the right to compensation provided for in that provision fulfils a compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in its entirety, and not a dissuasive or punitive function.
5. Article 82 of Regulation 2016/679 must be interpreted as meaning that first, the establishment of liability on the part of the controller is subject to the existence of a fault committed by the controller, which is presumed unless the controller proves that the event giving rise to the damage is in no way attributable to it and, secondly, Article 82 of that regulation does not require the degree of seriousness of that fault to be taken into account when determining the amount of damages awarded as compensation for non-material damage on the basis of that provision.
C-740/22 (7 March 2024) - Endemol Shine Finland
1. Article 2(1) and Article 4(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the oral disclosure of information on possible ongoing or completed criminal proceedings to which a natural person has been subject constitutes processing of personal data, within the meaning of Article 4(2) of that regulation, and comes within the material scope of that regulation where that information forms part of a filing system or is intended to form part of a filing system.
2. The provisions of Regulation 2016/679, in particular Article 6(1)(e) and Article 10 thereof, must be interpreted as precluding data relating to criminal convictions of a natural person contained in a court’s filing system from being disclosed orally to any person for the purpose of ensuring public access to official documents, without the person requesting the disclosure of those data having to establish a specific interest in obtaining those data, it being irrelevant in that regard whether that person is a commercial company or a private individual.
C-17/22 (12 September 2024) - HTB Neunte Immobilien Portfolio
1. Point (b) of the first subparagraph of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that the processing of personal data which consists in disclosing, at the request of a partner of an investment fund established in the form of a partnership offering shares for public subscription, information on all the partners with indirect shareholdings in that fund, through trust companies, irrespective of the size of their shareholding in the capital of those funds, for the purpose of contacting them and negotiating the purchase of their shares or to coordinate with them for the purpose of reaching a consensus in connection with partners’ resolutions, may be regarded as being necessary, within the meaning of that provision, for the performance of the contract pursuant to which those partners have purchased such shareholdings, only on condition that that processing is objectively indispensable for a purpose that is integral to the contractual obligation intended for those same partners, with the result that the main subject matter of the contract could not be achieved if that processing were not to occur. That is not the case if that contract expressly prohibits the disclosure of those personal data to other shareholders.
2.
Point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 must be interpreted as meaning that such processing may be regarded as being necessary for the purposes of legitimate interests pursued by a third party, within the meaning of that provision, only on condition that that processing is strictly necessary to achieve such a legitimate interest and that, in the light of all the relevant circumstances, the interests or fundamental rights and freedoms of those partners do not override that legitimate interest. 3. Point (c) of the first subparagraph of Article 6(1) of Regulation 2016/679 must be interpreted as meaning that that processing of personal data is justified, under that provision, where it is necessary for compliance with a legal obligation to which the controller is subject, under the law of the Member State concerned, as stated by the case-law of that Member State, on condition that that case-law is clear and precise, that its application is foreseeable for those persons subject to it and that it meets an objective of public interest and is proportionate to it. 
C-621/22 (4 October 2024) - Koninklijke Nederlandse Lawn TennisbondPoint (f) of the first subparagraph of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the processing of personal data which consists in the disclosure, for consideration, of personal data of the members of a sports federation, in order to satisfy a commercial interest of the controller, may be regarded as necessary for the purposes of the legitimate interests pursued by that controller, within the meaning of that provision, only on condition that that processing is strictly necessary for the purposes of the legitimate interest in question and that, in the light of all the relevant circumstances, the interests or fundamental rights and freedoms of those members do not override that legitimate interest. While that provision does not require that such an interest be determined by law, it requires that the alleged legitimate interest be lawful. C-394/23 (9 January 2025) - Mousse1. 
Points (b) and (f) of the first subparagraph of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in conjunction with Article 5(1)(c) of that regulation must be interpreted as meaning that – the processing of personal data relating to the title of the customers of a transport undertaking, the purpose of which is to personalise the commercial communication based on their gender identity, does not appear to be either objectively indispensable or essential to enable the proper performance of a contract and, therefore, cannot be regarded as necessary for the performance of that contract; – the processing of personal data relating to the title of the customers of a transport undertaking, the purpose of which is to personalise the commercial communication based on their gender identity, cannot be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, where: – those customers were not informed of the legitimate interest pursued when those data were collected; or – that processing is not carried out only in so far as is strictly necessary for the attainment of that legitimate interest; or – in the light of all the relevant circumstances, the fundamental freedoms and rights of those customers can prevail over that legitimate interest, in particular because of a risk of discrimination on grounds of gender identity. 2. Point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 must be interpreted as meaning that, in order to assess the need for processing of personal data under that provision, it is not necessary to take into consideration the possible existence of a right of the data subject to object, under Article 21 of that regulation. |
Art. 6
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law; or
(b) Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
1st proposal
Art. 6
1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.
3. The basis of the processing referred to in points (c) and (e) of paragraph 1 must be provided for in:
(a) Union law, or
(b) the law of the Member State to which the controller is subject.
The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued.
4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
2nd proposal
Art. 6
1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (...)
2. Processing of personal data which is necessary for archiving purposes in the public interest, or for historical, statistical or scientific purposes shall be lawful subject also to the conditions and safeguards referred to in Article 83.
3. The basis for the processing referred to in points (c) and (e) of paragraph 1 must be established in accordance with:
(a) Union law, or
(b) national law of the Member State to which the controller is subject.
The purpose of the processing shall be determined in this legal basis or as regards the processing referred to in point (e) of paragraph 1, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia the general conditions governing the lawfulness of data processing by the controller, the type of data which are subject to the processing, the data subjects concerned; the entities to, and the purposes for which the data may be disclosed; the purpose limitation; storage periods and processing operations and processing procedures, including measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter IX.
3a. In order to ascertain whether a purpose of further processing (...) is compatible with the one for which the data are initially collected, the controller shall take into account, unless the data subject has given consent, inter alia:
(a) any link between the purposes for which the data have been collected and the purposes of the intended further processing;
(b) the context in which the data have been collected;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards.
4. Where the purpose of further processing is incompatible with the one for which the personal data have been collected by the same controller, the further processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. Further processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject.
5. (...)
Directive
Art. 7
Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).
Turkey
Conditions for the processing of personal data
ARTICLE 5 - (1) Personal data shall not be processed without the explicit consent of the data subject.
(2) Where one of the following conditions exists, personal data may be processed without seeking the explicit consent of the data subject:
a) It is expressly provided for by law.
b) It is necessary for the protection of the life or physical integrity of a person who is unable to express consent owing to actual impossibility, or whose consent is not legally valid, or of another person.
c) It is necessary to process the personal data of the parties to a contract, provided that this is directly related to the conclusion or performance of that contract.
ç) It is necessary for the controller to fulfil its legal obligation.
d) The data has been made public by the data subject himself or herself.
e) Data processing is necessary for the establishment, exercise or protection of a right.
f) Data processing is necessary for the legitimate interests of the controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Spain
Article 6. Consent of the data subject.- Organic Law on the Protection of Personal Data
1. Processing of personal data shall require the unambiguous consent of the data subject, unless laid down otherwise by law.
2. Consent shall not be required where the personal data are collected for the exercise of the functions proper to public administrations within the scope of their responsibilities; where they relate to the parties to a contract or preliminary contract for a business, employment or administrative relationship, and are necessary for its maintenance or fulfilment; where the purpose of processing the data is to protect a vital interest of the data subject under the terms of Article 7(6) of this Law, or where the data are contained in sources accessible to the public and their processing is necessary to satisfy the legitimate interest pursued by the controller or that of the third party to whom the data are communicated, unless the fundamental rights and freedoms of the data subject are jeopardised.
3. The consent to which the Article refers may be revoked when there are justified grounds for doing so and the revocation does not have retroactive effect.
4. In the cases where the consent of the data subject is not required for processing personal data, and unless provided otherwise by law, the data subject may object to such processing when there are compelling and legitimate grounds relating to a particular personal situation. In such an event, the controller shall exclude the data relating to the data subject from the processing.

Article 10. Cases which legitimise the processing or assignment of data.- Royal Decree 1720/2007 Implementing the Organic Law on the Protection of Personal Data
1. Personal data may only undergo processing or assignment if the data subject has previously given his consent.
2. The aforesaid notwithstanding, processing or assignment of personal data shall be possible without the data subject’s consent when:
a) It is authorised by a regulation having the force of Law or under Community Law and, in particular, when one of the following situations applies:
– The purpose of the processing or assignment is to satisfy a legitimate interest of the data controller or recipient guaranteed by these rules, as long as the interest or fundamental rights and liberties of the data subjects as provided in Article 1 of Organic Law 15/1999, of 13 December, do not prevail.
– The processing or assignment of data is necessary in order that the data controller fulfils a duty imposed upon him by one of the said laws.
b) The data object of processing or assignment are in sources accessible to the public and the data controller, or the third party to whom data has been communicated, has a legitimate interest in their processing or knowledge, as long as the fundamental rights and liberties of the data subject are not breached. The aforesaid notwithstanding, the public administrations may only communicate the data collected from sources accessible to the public to the data controllers of privately owned files under the aegis of this subsection, when they are so authorised by a regulation having the force of Law.
3. Consent of the data subject shall not be required for the processing of personal data when:
a) They are collected for the functions proper to public administrations within the scope of the powers given to them by a regulation having the force of Law or Community Law.
b) They are collected by the data controller for the purpose of executing a contract or preliminary contract or due to the existence of a business, employment or administrative relationship to which the data subject is party and are necessary for its maintenance or fulfilment.
c) The purpose of the data processing is to protect an essential interest of the data subject under the terms of Article 7(6) of Organic Law 15/1999, of 13 December.
4. Consent of the data subject shall not be required for the disclosure of his personal data when:
a) The assignment is due to the free and legitimate acceptance of a legal relationship that necessarily entails the communication of the data for its life, fulfilment and monitoring. In that case, disclosure shall be legitimate to the extent of the purpose justifying it.
b) The assignment to be effected is destined for the Ombudsman, the Office of the Public Prosecutor, judges, courts or the Spanish Court of Audit or to the institutions of the Autonomous Communities with similar functions to that of the Ombudsman or Spanish Court of Audit and it is done within the scope of the functions expressly assigned to them by law.
c) The assignment between public administrations when one of the following situations applies:
– Processing of the data is for historical, statistical or scientific purposes.
– The personal data has been collected or drawn up by one public administration to be sent to another.
– The communication is done in order to exercise identical powers or powers relating to the same matters.
5. Specially protected data may be processed and disclosed under the terms provided in Articles 7 and 8 of Organic Law 15/1999, of 13 December. In particular, consent of the data subject shall not be required for the communication of health-related personal data, including via electronic means, between bodies, centres and services of the Spanish National Health Service when it is for the purpose of medical care of the persons, pursuant to the provisions of Chapter V of Act 16/2003, of 28 May, on the cohesion and quality of the Spanish National Health Service.