LEGALITY OF PERSONAL DATA PROCESSING
Extract from Regulation (EU) no. 679/2016 on the protection of natural persons in terms of processing
personal data and on the free movement of such data and repealing Directive 95/46/EC
(General Data Protection Regulation)
Art. 6: Legality of processing
(1) Processing is legal only if and to the extent that at least one of the following conditions applies:
- a)the data subject has given his consent for the processing of his personal data for one or more specific purposes;
- b) the processing is necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject before concluding a contract;
- c)the processing is necessary in order to fulfill a legal obligation incumbent on the operator;
- d)the processing is necessary to protect the vital interests of the data subject or another natural person;
- e)the processing is necessary for the performance of a task that serves a public interest or that results from the exercise of the public authority with which the operator is vested;
- f)the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party, unless the interests or fundamental rights and freedoms of the data subject prevail, which require the protection of personal data, especially when the data subject is a child.
letter (f) of the first paragraph does not apply in the case of processing carried out by public authorities in the performance of their duties.
(2) Member States may maintain or introduce more specific provisions adapting the application of the rules of this regulation with regard to processing in order to comply with paragraph (1) letters (c) and (e) by defining more precise specific requirements regarding processing and other measures to ensure a legal and fair processing, including for other specific processing situations, as provided in chapter IX.
(3) The basis for the processing referred to in paragraph (1) letters (c) and (e) must be provided in:
- a)Union law; or
- b)the domestic law that applies to the operator.
The purpose of the processing is established on the basis of the respective legal basis or, as regards the processing referred to in paragraph (1) letter (e), it is necessary for the performance of a task carried out in the public interest or in the exercise of a public function assigned to the operator. The respective legal basis may contain specific provisions regarding the adaptation of the application of the rules of this regulation, among others: the general conditions that regulate the legality of processing by the operator; the types of data that are the subject of processing; the persons concerned; the entities to which the data may be disclosed and the purpose for which the respective personal data may be disclosed; purpose limitations; storage periods;
and processing operations and procedures, including measures to ensure legal and fair processing such as those for other specific processing situations as provided in Chapter IX. Union law or domestic law pursues an objective of public interest and is proportionate to the legitimate objective pursued.
(4) If the processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on Union law or internal law, which constitutes a necessary and proportionate measure in a democratic society for to protect the objectives referred to in Article 23(1), the operator, in order to determine whether the processing for another purpose is compatible with the purpose for which the personal data were originally collected, shall consider, among others:
- a)any connection between the purposes for which the personal data were collected and the purposes of the intended subsequent processing;
- b)the context in which the personal data were collected, especially regarding the relationship between the data subjects and the operator;
- c)the nature of the personal data, in particular in the case of the processing of special categories of personal data, in accordance with Article 9, or in the case of the processing of personal data relating to criminal convictions and offences, in accordance with Article 10;
- d)the possible consequences for the data subjects of the expected subsequent processing;
- e) the existence of adequate guarantees, which may include encryption or pseudonymization.
*automatically translated text, we recommend using your own means to translate into the desired language from the Romanian version (the original version)