Article 5
Principles relating to processing of personal data

Official
Texts
Guidelines Caselaw Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 5 keyboard_arrow_down Hide the recitals of the Regulation related to article 5 keyboard_arrow_up

(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.

Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

(157) By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions. Research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services. In order to facilitate scientific research, personal data can be processed for scientific research purposes, subject to appropriate conditions and safeguards set out in Union or Member State law.

Show the recitals of the Directive related to article 5 keyboard_arrow_down Hide the recitals of the Directive related to article 5 keyboard_arrow_up

(22) Whereas Member States shall more precisely define in the laws they enact or when bringing into force the measures taken under this Directive the general circumstances in which processing is lawful; whereas in particular Article 5, in conjunction with Articles 7 and 8, allows Member States, independently of general rules, to provide for special processing conditions for specific sectors and for the various categories of data covered by Article 8;

(28) Whereas any processing of personal data must be lawful and fair to the individuals concerned; whereas, in particular, the data must be adequate, relevant and not excessive in relation to the purposes for which they are processed; whereas such purposes must be explicit and legitimate and must be determined at the time of collection of the data; whereas the purposes of processing further to collection shall not be incompatible with the purposes as they were originally specified;

(29) Whereas the further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected provided that Member States furnish suitable safeguards; whereas these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual;

The GDPR

Article 5 of the Regulation contains and reinforces the principles relating to the personal data processing that are set out in Article 6 of the Directive.

We see first that the principle of fairness and lawfulness of the data processing is supplemented by a principle of transparency.

Transparency requires that any information addressed to the public or the data subject must be easily accessible and easy to understand, and be formulated in simple and clear terms, particularly with regard to the information on the identity of the controller and the purposes of processing (see recital 39 ). The obligations for information of the controller resulting from the principle of transparency are detailed in Article 12 and seq of the Regulation.

A new exception is recognized to the prohibition for pursuing purposes that are incompatible with the initial purpose (Art. 5, paragraph 1,   b): archiving in the public interest as long as - as for historical, statistical and scientific purposes - this processing meets the conditions set by Article 89 of the Regulation. The principle of prohibition is maintained despite an attempt to make it a bit more flexible, given the difficulties it poses in case of changing the purposes (see the commentary on Article 6).

Article 5, paragraph 1,   c) of the Regulation states that data must be ”adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”, while the Directive required the controllers to process only “not excessive data” in view of the processing purposes. So, the Regulation accepts the principle of data minimisation whereby only the personal data which appear necessary for achieving the purpose can be processed (Art. 5, 1, c). A classic application of a proportionality rule is actually found here.

Concerning the principle of limited period of data storage, item e) recalls that the data allowing for the identification of individuals must not be kept beyond the time required for achieving the processing goals. In other words, the data for the identification of the data subjects must be erased as soon as they are no longer needed for processing, except for archiving purposes in the public interest and for scientific research, statistical or historical services, provided that the rights of safeguards (see Article  89 , paragraph 1).

Initially, the first proposed provision of the Regulation required the controller to periodically check the need for further storage. This element was not retained. 

The Regulation also establishes the principle of the obligation of security and confidentiality of processing (integrity and confidentiality), already contained in Articles 16 and 17 of the Directive (Art. 5, paragraph 1,   f), which requires the controller to ensure appropriate security and confidentiality, including to prevent unauthorised access to the data and equipment used in their processing as well as the unauthorised use of such data and such equipment (see recital 39 ).

The Regulation finally establishes a principle of responsibility, pursuant to which the controller is responsible for compliance with processing principles defined in Article 5. It is therefore controller’s responsibility to ensure and demonstrate that the processing is consistent with the principles referred to in Article 5, paragraph 1 for the duration of the processing. Compliance means that the controller shall implement mechanisms and control systems (audit measures, internal policies...) within their entity to ensure compliance of processing throughout its duration and to keep the relevant evidence. This obligation for accountability is further developed by Article  24  of the Regulation (see also, G29, Opinion 3/2010 of 13 July 2010 on the principle of accountability).

The Directive

Article 6 of the Directive determined the terms and conditions under which the processing of data was lawful. Through this provision, the EU legislature had implemented several basic principles that underlie any processing of personal data. These were included into Article 4 of the act of 8 December 1992 and into Article 6 of the Computers and Freedoms Act.

The principle of fairness and lawfulness of the data collection assumes that the data subjects must be in a position to be aware of the existence of a processing operation and, when data is collected from them, must be given accurate and full information on the circumstances of the collection; In addition, the data cannot be obtained by use of unlawful or unfair means (Art. 6, paragraph 1, a).

Pursuant to the principle of purpose, the purpose must be determined, explicit and legitimate. Any purpose that is incompatible with the announced purpose is therefore prohibited, except for historical, statistical or scientific purposes (Article 6, paragraph 1, b).

Pursuant to the principle of proportionality, the processing of personal data to be performed must be adequate, relevant and not excessive for the purpose pursued, which assumes that the means used shall be appropriate and necessary to achieve the objective sought (Article 6, paragraph 1, c)).

According to the principle of data quality, data must be accurate, complete and, if necessary, updated; appropriate measures must be taken to ensure that inaccurate or incomplete data in terms of the purposes for which they are collected or processed are erased or rectified.

Finally, the data can not be stored indefinitely. Data must be erased when their storage exceeds the time necessary for the purposes for which they are collected and processed (see Article 6, paragraph 1, e) of the Directive; (Article 6, 5° of the Computers and Freedoms Act), as well as Article 4, paragraph 1, 5 ° of the Act of 8 December 1992).

Potential issues

The basic principles are not dislocated, just refined.

Strengthening the principles of transparency and accountability will involve a review of current processing processes in the organization of the controller and the implementation of control measures and internal or external audit of the compliance of the processing with the Regulation.

Unfortunately, the principle of compatibility has not been made more flexible given the difficulties in terms of the evolution of purposes (see the comments on Article 6).

Summary

European Union

European Union

European data protection board (EDPB)

Guidelines 3/2019 on processing of personal data through video devices (29 January 2020)

The intensive use of video devices has an impact on citizen’s behaviour. Significant implementation of such tools in many spheres of the individuals’ life will put an additional pressure on the individual to prevent the detection of what might be perceived as anomalies. De facto, these technologies may limit the possibilities of anonymous movement and anonymous use of services and generally limit the possibility of remaining unnoticed. Data protection implications are massive.

While individuals might be comfortable with video surveillance set up for a certain security purpose for example, guarantees must be taken to avoid any misuse for totally different and – to the data subject – unexpected purposes (e.g. marketing purpose, employee performance monitoring etc.). In addition, many tools are now implemented to exploit the images captured and turn traditional cameras into smart cameras. The amount of data generated by the video, combined with these tools and techniques increase the risks of secondary use (whether related or not to the purpose originally assigned to the system) or even the risks of misuse. The general principles in GDPR (Article 5), should always be carefully considered when dealing with video surveillance.

Video surveillance systems in many ways change the way professionals from the private and public sector interact in private or public places for the purpose of enhancing security, obtaining audience analysis, delivering personalized advertising, etc. Video surveillance has become high performing through the growing implementation of intelligent video analysis. These techniques can be more intrusive (e.g. complex biometric technologies) or less intrusive (e.g. simple counting algorithms). Remaining anonymous and preserving one’s privacy is in general increasingly difficult. The data protection issues raised in each situation may differ, so will the legal analysis when using one or the other of these technologies.

In addition to privacy issues, there are also risks related to possible malfunctions of these devices and the biases they may induce. Researchers report that software used for facial identification, recognition, or analysis performs differently based on the age, gender, and ethnicity of the person it’s identifying. Algorithms would perform based on different demographics, thus, bias in facial recognition threatens to reinforce the prejudices of society. That is why, data controllers must also ensure that biometric data processing deriving from video surveillance be subject to regular assessment of its relevance and sufficiency of guarantees provided.

Video surveillance is not by default a necessity when there are other means to achieve the underlying purpose. Otherwise we risk a change in cultural norms leading to the acceptance of lack of privacy as the general outset.

These guidelines aim at giving guidance on how to apply the GDPR in relation to processing personal data through video devices. The examples are not exhaustive, the general reasoning can be applied to all potential areas of use.

Link

Retour au sommaire

Article 29 Working Party

Guidelines on Personal data breach notification under Regulation 2016/679 (6 February 2018)

(Endorsed by the EDPB)

The General Data Protection Regulation (the GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.

Obligations to notify in cases of breaches presently exist for certain organisations, such as providers of publicly-available electronic communications services (as specified in Directive 2009/136/EC and Regulation (EU) No 611/2013). There are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to notify breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands). Other Member States may have relevant Codes of Practice (for example, in Ireland). Whilst a number of EU data protection authorities currently encourage controllers to report breaches, the Data Protection Directive 95/46/EC, which the GDPR replaces, does not contain a specific breach notification obligation and therefore such a requirement will be new for many organisations. The GDPR now makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors also have an important role to play and they must notify any breach to their controller.

The Article 29 Working Party (WP29) considers that the new notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Indeed, the supervisory authority may order the controller to inform those individuals about the breach. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data. At the same time, it should be noted that failure to report a breach to either an individual or a supervisory authority may mean that under Article 83 a possible sanction is applicable to the controller.

Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan.

The GDPR contains provisions on when a breach needs to be notified, and to whom, as well as what information should be provided as part of the notification. Information required for the notification can be provided in phases, but in any event controllers should act on any breach in a timely manner.

In its Opinion 03/2014 on personal data breach notification, WP29 provided guidance to controllers in order to help them to decide whether to notify data subjects in case of a breach. The opinion considered the obligation of providers of electronic communications regarding Directive 2002/58/EC and provided examples from multiple sectors, in the context of the then draft GDPR, and presented good practices for all controllers.

The current Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these new obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.

Link

Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (6 February 2018)

(Endorsed by the EDPB)

The General Data Protection Regulation (the GDPR), specifically addresses profiling and automated individual decision-making, including profiling.

Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Banking and finance, healthcare, taxation, insurance, marketing and advertising are just a few examples of the fields where profiling is being carried out more regularly to aid decision-making.

Advances in technology and the capabilities of big data analytics, artificial intelligence and machine learning have made it easier to create profiles and make automated decisions with the potential to significantly impact individuals’ rights and freedoms.

The widespread availability of personal data on the internet and from Internet of Things (IoT) devices, and the ability to find correlations and create links, can allow aspects of an individual’s personality or behaviour, interests and habits to be determined, analysed and predicted.

Profiling and automated decision-making can be useful for individuals and organisations, delivering benefits such as:

  • increased efficiencies; and
  • resource savings.

They have many commercial applications, for example, they can be used to better segment markets and tailor services and products to align with individual needs. Medicine, education, healthcare and transportation can also all benefit from these processes.

However, profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards.

These processes can be opaque. Individuals might not know that they are being profiled or understand what is involved.

Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. In some cases, profiling can lead to inaccurate predictions. In other cases it can lead to denial of services and goods and unjustified discrimination.

The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of these guidelines is to clarify those provisions.

This document covers:

  • Definitions of profiling and automated decision-making and the GDPR approach to these in general – Chapter II
  • General provisions on profiling and automated decision-making – Chapter III
  • Specific provisions on solely automated decision-making defined in Article 22 - Chapter IV
  • Children and profiling – Chapter V
  • Data protection impact assessments and data protection officers– Chapter VI

The Annexes provide best practice recommendations, building on the experience gained in EU Member States.

The Article 29 Data Protection Working Party (WP29) will monitor the implementation of these guidelines and may complement them with further details as appropriate.

Link

Guidelines on transparency under Regulation 2016/679 (11 April 2018)

(Endorsed by the EDPB)

These guidelines provide practical guidance and interpretative assistance from the Article 29 Working Party (WP29) on the new obligation of transparency concerning the processing of personal data under the General Data Protection Regulation1 (the “GDPR”). Transparency is an overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights. Insofar as compliance with transparency is required in relation to data processing under Directive (EU) 2016/680, these guidelines also apply to the interpretation of that principle. These guidelines are, like all WP29 guidelines, intended to be generally applicable and relevant to controllers irrespective of the sectoral, industry or regulatory specifications particular to any given data controller. As such, these guidelines cannot address the nuances and many variables which may arise in the context of the transparency obligations of a specific sector, industry or regulated area. However, these guidelines are intended to enable controllers to understand, at a high level, WP29’s interpretation of what the transparency obligations entail in practice and to indicate the approach which WP29 considers controllers should take to being transparent while embedding fairness and accountability into their transparency measures.

Transparency is a long established feature of the law of the EU. It is about engendering trust in the processes which affect the citizen by enabling them to understand, and if necessary, challenge those processes. It is also an expression of the principle of fairness in relation to the processing of personal data expressed in Article 8 of the Charter of Fundamental Rights of the European Union. Under the GDPR (Article 5(1)(a)), in addition to the requirements that data must be processed lawfully and fairly, transparency is now included as a fundamental aspect of these principles. Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR. It also follows from Article 5.2 that the controller must always be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject. Connected to this, the accountability principle requires transparency of processing operations in order that data controllers are able to demonstrate compliance with their obligations under the GDPR.

In accordance with Recital 171 of the GDPR, where processing is already under way prior to 25 May 2018, a data controller should ensure that it is compliant with its transparency obligations as of 25 May 2018 (along with all other obligations under the GDPR). This means that prior to 25 May 2018, data controllers should revisit all information provided to data subjects on processing of their personal data (for example in privacy statements/ notices etc.) to ensure that they adhere to the requirements in relation to transparency which are discussed in these guidelines. Where changes or additions are made to such information, controllers should make it clear to data subjects that these changes have been effected in order to comply with the GDPR. WP29 recommends that such changes or additions be actively brought to the attention of data subjects but at a minimum controllers should make this information publically available (e.g. on their website). However, if the changes or additions are material or substantive, then in line with paragraphs 29 to 32 below, such changes should be actively brought to the attention of the data subject.

Transparency, when adhered to by data controllers, empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data by, for example, providing or withdrawing informed consent and actioning their data subject rights. The concept of transparency in the GDPR is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors in a number of articles. The practical (information) requirements are outlined in Articles 12 - 14 of the GDPR. However, the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information, which must be provided to data subjects.

The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing. This is clear from Article 12 which provides that transparency applies at the following stages of the data processing cycle:

  • before or at the start of the data processing cycle, i.e. when the personal data is being collected either from the data subject or otherwise obtained;
  • throughout the whole processing period, i.e. when communicating with data subjects about their rights; and
  • at specific points while processing is ongoing, for example when data breaches occur or in the case of material changes to the processing.

Link

Retour au sommaire

Summary

European Union

European Union

CJEU caselaw

C-465/00 ; C-138/01 ; C-139/01 (20 May 2003) - Österreichischer Rundfunk e.a.

1.    Articles 6(1)(c) and 7(c) and (e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data do not preclude national legislation such as that at issue in the main proceedings, provided that it is shown that the wide disclosure not merely of the amounts of the annual income above a certain threshold of persons employed by the bodies subject to control by the Rechnungshof but also of the names of the recipients of that income is necessary for and appropriate to the objective of proper management of public funds pursued by the legislature, that being for the national courts to ascertain.

2.    Articles 6(1)(c) and 7(c) and (e) of Directive 95/46 are directly applicable, in that they may be relied on by an individual before the national courts to oust the application of rules of national law which are contrary to those provisions.

Opinion of Advocate general

Judgment of the Court

C-342/12 (30 May 2013) - Worten

1.      Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that a record of working time, such as that at issue in the main proceedings, which indicates, in relation to each worker, the times when working hours begin and end, as well as the corresponding breaks and intervals, is included within the concept of ‘personal data’, within the meaning of that provision.

2.      Article 6(1)(b) and (c) and Article 7(c) and (e) of Directive 95/46 do not preclude national legislation, such as that at issue in the main proceedings, which requires an employer to make the record of working time available to the national authority responsible for monitoring working conditions so as to allow its immediate consultation, provided that this obligation is necessary for the purposes of the performance by that authority of its task of monitoring the application of the legislation relating to working conditions, in particular as regards working time.

Judgment of the Court

C-683/13 (19 June 2014) - Pharmacontinente - Saúde e Higiene e.a.

1.     Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that a record of working time, such as that at issue in the main proceedings, which indicates, in relation to each worker, the times when working hours begin and end, as well as the corresponding breaks and intervals, is covered by the concept of ‘personal data’ as referred to in that provision.

2.    Article 6(1)(b) and (c) and Article 7(c) and (e) of Directive 95/46 must be interpreted as not precluding national legislation, such as that at issue in the main proceedings, which requires an employer to make the record of working time available to the national authority responsible for monitoring working conditions so as to allow its immediate consultation, provided that this obligation is necessary for the purposes of the performance by that authority of its task of monitoring the application of the legislation relating to working conditions, in particular as regards working time.

3.    It is for the referring court to determine whether the employer’s obligation to provide the national authority responsible for monitoring working conditions access to the record of working time so as to allow its immediate consultation may be considered necessary for the purposes of the performance by that authority of its monitoring task, by contributing to the more effective application of the legislation relating to working conditions, in particular as regards working time, and, if so, whether the penalties imposed with a view to ensuring the effective application of the requirements laid down by Directive 2003/88/EC of the European Parliament and of the Council of 4 November 2003, concerning certain aspects of the organisation of working time, are consistent with the principle of proportionality.

Judgment of the Court

C-398/15 (9 March 2017) - Manni

Article 6(1)(e), Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in conjunction with Article 3 of the First Council Directive 68/151/EEC of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community, as amended by Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003, must be interpreted as meaning that, as EU law currently stands, it is for the Member States to determine whether the natural persons referred to in Article 2(1)(d) and (j) of that directive may apply to the authority responsible for keeping, respectively, the central register, commercial register or companies register to determine, on the basis of a case-by-case assessment, if it is exceptionally justified, on compelling legitimate grounds relating to their particular situation, to limit, on the expiry of a sufficiently long period after the dissolution of the company concerned, access to personal data relating to them, entered in that register, to third parties who can demonstrate a specific interest in consulting that data.

Opinion of Advocate general

Judgment of the Court

C-496/17 (16 January 2019) - Deutsche Post

The second subparagraph of Article 24(1) of Commission Implementing Regulation (EU) 2015/2447 of 24 November 2015 laying down detailed rules for implementing certain provisions of Regulation (EU) No 952/2013 of the European Parliament and of the Council laying down the Union Customs Code, read in the light of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that the customs authorities may require an applicant for AEO status to send to them the tax identification numbers, allocated for the purposes of collection income tax, concerning solely the natural persons who are in charge of the applicant or who exercise control over its management and those who are in charge of the applicant’s customs matters, and the details of the tax offices responsible for the taxation of all those persons, to the extent that that data enables those authorities to obtain information on serious or repeated infringements of customs legislation or taxation rules or on serious criminal offences, committed by those natural persons and relating to their economic activity.

Opinion of Advocate general

Judgment of the Court

C-708/18 (11 December 2019) - Asociaţia de Proprietari bloc M5A-ScaraA

Article 6(1)(c) and Article 7(f) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as not precluding national provisions which authorise the installation of a video surveillance system, such as the system at issue in the main proceedings, installed in the common parts of a residential building, for the purposes of pursuing legitimate interests of ensuring the safety and protection of individuals and property, without the consent of the data subjects, if the processing of personal data carried out by means of the video surveillance system at issue fulfils the conditions laid down in Article 7(f), which it is for the referring court to determine.

Judgment of the Court

C-175/20 (24 February 2022) - SIA "SS" v Valsts ieņēmumu dienests

Opinion of Advocate general

C-129/21, (27 october 2022) Proximus (Annuaires électroniques publics)

2)      L’article 17 du règlement 2016/679

doit être interprété en ce sens que :

la demande d’un abonné tendant à la suppression de ses données à caractère personnel des annuaires ainsi que des services de renseignements téléphoniques accessibles au public constitue un recours au « droit à l’effacement », au sens de cet article.

3)      L’article 5, paragraphe 2, et l’article 24 du règlement 2016/679

doivent être interprétés en ce sens que :

une autorité de contrôle nationale peut exiger que le fournisseur d’annuaires et de services de renseignements téléphoniques accessibles au public, en tant que responsable du traitement, prenne les mesures techniques et organisationnelles appropriées pour informer les responsables du traitement tiers, à savoir l’opérateur de services téléphoniques qui lui a communiqué les données à caractère personnel de son abonné ainsi que les autres fournisseurs d’annuaires et de services de renseignements téléphoniques accessibles au public auxquels il a fourni de telles données, du retrait du consentement de cet abonné.

4)      L’article 17, paragraphe 2, du règlement 2016/679

doit être interprété en ce sens que :

il ne s’oppose pas à ce qu’une autorité de contrôle nationale ordonne à un fournisseur d’annuaires et de services de renseignements téléphoniques accessibles au public, auquel l’abonné d’un opérateur de services téléphoniques a demandé de ne plus publier les données à caractère personnel le concernant, de prendre des « mesures raisonnables », au sens de cette disposition, afin d’informer les fournisseurs de moteurs de recherche de cette demande d’effacement des données.

Arret de la cour (fr only)

Conclusions de l'avocat général (fr only)

C-77/21, (20 october 2022), Digi (fr only)

1) L’article 5, paragraphe 1, sous b), du règlement (UE) 2016/679 du Parlement européen et du Conseil, du 27 avril 2016, relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la protection des données),

doit être interprété en ce sens que :

le principe de la « limitation des finalités », prévu à cette disposition, ne s’oppose pas à l’enregistrement et à la conservation par le responsable du traitement, dans une base de données créée aux fins de procéder à des tests et de corriger des erreurs, de données à caractère personnel préalablement collectées et conservées dans une autre base de données, lorsqu’un tel traitement ultérieur est compatible avec les finalités spécifiques pour lesquelles les données à caractère personnel ont été initialement collectées, ce qu’il convient de déterminer au regard des critères visés à l’article 6, paragraphe 4, de ce règlement.

 

 

2) L’article 5, paragraphe 1, sous e), du règlement 2016/679

doit être interprété en ce sens que :

le principe de la « limitation de la conservation », prévu à cette disposition, s’oppose à la conservation par le responsable du traitement, dans une base de données créée aux fins de procéder à des tests et de corriger des erreurs, de données à caractère personnel préalablement collectées pour d’autres finalités, pour une durée excédant celle qui est nécessaire à la réalisation de ces tests et à la correction de ces erreurs.

Arrêt de la cour (fr only)

Conclusions de l'avocat général (fr only)

C-268/21 (2 March 2023) - Norra Stockholm Bygg

1.      Article 6(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that that provision applies, in the context of civil court proceedings, to the production as evidence of a staff register containing personal data of third parties collected principally for the purposes of tax inspection.

2.      Articles 5 and 6 of Regulation 2016/679

must be interpreted as meaning that when assessing whether the production of a document containing personal data must be ordered, the national court is required to have regard to the interests of the data subjects concerned and to balance them according to the circumstances of each case, the type of proceeding at issue and duly taking into account the requirements arising from the principle of proportionality as well as, in particular, those resulting from the principle of data minimisation referred to in Article 5(1)(c) of that regulation.

Décision of the Court

Opinion of Advocate General

C‑26/22 et C‑64/22, UF (C‑26/22), AB (C‑64/22) v. Land Hessen (7 December 2023)

1.      Article 78(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that a decision on a complaint adopted by a supervisory authority is subject to full judicial review.

2.      Article 5(1)(a) of Regulation 2016/679, read in conjunction with point (f) of the first subparagraph of Article 6(1) of that regulation,

must be interpreted as precluding a practice of private credit information agencies consisting in retaining, in their own databases, information from a public register relating to the grant of a discharge from remaining debts in favour of natural persons in order to be able to provide information on the solvency of those persons, for a period extending beyond that during which the data are kept in the public register.

3.      Article 17(1)(c) of Regulation 2016/679

must be interpreted as meaning that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where he or she objects to the processing pursuant to Article 21(1) of that regulation and there are no overriding legitimate grounds capable of justifying, exceptionally, the processing in question.

4.      Article 17(1)(d) of Regulation 2016/679

must be interpreted as meaning that the controller is required to erase unlawfully processed personal data as soon as possible.

Decision of the court

Opinion of the advocate general

 

C‑231/22, État belge contre Autorité de protection des données (11 janvier 2024​)

1.      Point 7 of Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that the agency or body responsible for the official journal of a Member State, which is inter alia required, under the law of that State, to publish as they stand official acts and documents that have been prepared by third parties under their own responsibility in compliance with the applicable rules, then lodged with a judicial authority that sends them to it for publication, may, notwithstanding its lack of legal personality, be classified as a ‘controller’ of the personal data contained in those acts and documents, where the national law concerned determines the purposes and means of the processing of personal data performed by that official journal.

2.      Article 5(2) of Regulation 2016/679, read in conjunction with point 7 of Article 4 and Article 26(1) thereof,

must be interpreted as meaning that the agency or body responsible for the official journal of a Member State, classified as a ‘controller’ within the meaning of point 7 of Article 4 of that regulation, is solely responsible for compliance with the principles set out in Article 5(1) thereof as regards the personal data processing operations that it is required to perform under national law, unless joint responsibility with other entities in respect of those operations arises under that law.

Décision of the Court

Opinion of Advocate General

 

Retour au sommaire Retour au sommaire
Regulation
1e 2e

Art. 5

1.   Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2.   The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

1st proposal close

Art. 5

Personal data must be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;

(c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;

(d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;

(f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation.

2nd proposal close

Art. 5

1. Personal data must be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest or scientific, statistical or historical purposes shall in accordance with Article 83 not be considered incompatible with the initial purposes ;

(c) adequate, relevant and not excessive in relation to the purposes for which they are processed (...);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (...); personal data may be stored for longer periods insofar as the data will be processed for archiving purposes in the public interest or scientific, statistical, or historical purposes in accordance with Article 83 subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and

freedoms of data subject;

(ee) processed in a manner that ensures appropriate security of the personal data.

(f)  (...)

2. The controller shall be responsible for compliance with paragraph 1.

Directive close

Art. 6

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

2. It shall be for the controller to ensure that paragraph 1 is complied with.

4.§ (5) *  A személyes adatok kezelését tisztességesnek és törvényesnek kell tekinteni, ha az érintett véleménynyilvánítási szabadságának biztosítása érdekében az érintett véleményét megismerni kívánó személy az érintett lakóhelyén vagy tartózkodási helyén felkeresi, feltéve, hogy az érintett személyes adatait e törvény rendelkezéseinek megfelelően kezelik és a személyes megkeresés nem üzleti célra irányul. A személyes megkeresésre a munka törvénykönyve szerinti munkaszüneti napon nem kerülhet sor.

 

Old law close

Data Management

Principles

§ 4 Data Protection Act

(1) Personal data may be processed only for specified and explicit purposes, where it is necessary for the implementation of certain rights or obligations. The purpose of processing must be satisfied in all stages of data processing operations; recording of personal data shall be done under the principle of lawfulness and fairness.

(2) The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose.

(3) In the course of data processing, the data in question shall be treated as personal as long as the data subject remains identifiable through it. The data subject shall - in particular - be considered identifiable if the data controller is in possession of the technical requirements which are necessary for identification.

(4) The accuracy and completeness, and - if deemed necessary in the light of the aim of processing - the up-to-dateness of the data must be provided for throughout the processing operation, and shall be kept in a way to permit identification of the data subject for no longer than is necessary for the purposes for which the data were recorded.

(5) The principle of lawfulness and fairness shall be considered satisfied in connection with the processing of personal data where a person wishing the learn about the data subject’s opinion visits - within the framework of freedom of speech - the data subject at his/her home or residence, provided that the data subject’s personal data is processed in accordance with the provisions of this Act and the poll is taken for reasons other than business purposes. Such visits may not be carried out on days designated as public holidays by the Labor Code.


Data Security Requirement

§ 7 Info act.

(1) Controllers shall make arrangements for and carry out data processing operations in a way so as to ensure full respect for the right to privacy of data subjects in due compliance with the provisions of this Act and other regulations on data protection.

(2) Controllers, and within their sphere of competence, data processors must implement adequate safeguards and appropriate technical and organizational measures to protect personal data, as well as adequate procedural rules to enforce the provisions of this Act and other regulations concerning confidentiality and security of data processing.

(3) Data must be protected by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.

(4) For the protection of data sets stored in different electronic filing systems, suitable technical solutions shall be introduced to prevent - unless this is permitted by law - the interconnection of data stored in these filing systems and the identification of the data subjects.

(5) In respect of automated personal data processing, data controllers and processors shall implement additional measures designed to:

a) prevent the unauthorized input of data;

b) prevent the use of automated data-processing systems by unauthorized persons using data communication equipment;

c) ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment;

d) ensure that it is possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input;

e) ensure that installed systems may, in case of interruption, be restored; and

f) ensure that faults emerging in automated data-processing systems is reported.

(6) In determining the measures to ensure security of processing, data controllers and processors shall proceed taking into account the latest technical development and the state of the art of their implementation. Where alternate data processing solutions are available, the one selected shall ensure the highest level of protection of personal data, except if this would entail unreasonable hardship for the data controller.

Bulgaria close

Personal Data Protection Act

 

Article 2. (Last Amendment - SG No. 81/2011)

[...]

(2) Personal data must be:

1. processed lawfully and fairly;

2. (Last Amendment - SG No. 81/2011) collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing of personal data for historical, statistical or scientific purposes is permitted provided that the controller ensures adequate protection, guaranteeing that data is not processed for other purposes, except for the cases expressly provided for by this Act;

3. (Last Amendment, SG No. 91/2006) adequate, relevant and not excessive to the purposes for which they are being processed;

4. accurate, and updated as needed;

5. erased or rectified when found to be inaccurate or disproportional to the purposes for which they are being processed;

6. maintained in a form that enables identification of the data subject for a period no longer than the time necessary for the purposes for which such data are being processed; the personal data which are to be stored for a longer period of time for historical, statistical or scientific purposes are maintained in a form precluding the identification of individuals.

(3) (New - SG No. 81/2011) Any personal data received under Art. 1 Para 6 may be additionally processed for another purpose which is different from the purpose for which they have been collected, provided that the following conditions are cumulatively met:

1. such processing is consistent with the purpose for which the data have been collected;

2. a ground provided by law exists for the processing of data for such other purpose;

3. such processing meets the requirements under Para 2.

(4) (New - SG No. 81/2011) The controller who has received data under Art. 1, Para 6, informs the data subject to which the data refers for the additional processing under Para 3, except in the case of Art. 36e, Para 2 or where a special law provides otherwise.

 

 

close