Article 6
Lawfulness of processing

Recitals of the Regulation related to Art. 6

(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

(44) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

(46) The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

(48) Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Recitals of the Directive related to Art. 6

(30) Whereas, in order to be lawful, the processing of personal data must in addition be carried out with the consent of the data subject or be necessary for the conclusion or performance of a contract binding on the data subject, or as a legal requirement, or for the performance of a task carried out in the public interest or in the exercise of official authority, or in the legitimate interests of a natural or legal person, provided that the interests or the rights and freedoms of the data subject are not overriding; whereas, in particular, in order to maintain a balance between the interests involved while guaranteeing effective competition, Member States may determine the circumstances in which personal data may be used or disclosed to a third party in the context of the legitimate ordinary business activities of companies and other bodies; whereas Member States may similarly specify the conditions under which personal data may be disclosed to a third party for the purposes of marketing whether carried out commercially or by a charitable organization or by any other association or foundation, of a political nature for example, subject to the provisions allowing a data subject to object to the processing of data regarding him, at no cost and without having to state his reasons;

(31) Whereas the processing of personal data must equally be regarded as lawful where it is carried out in order to protect an interest which is essential for the data subject's life;

(32) Whereas it is for national legislation to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association;

(33) Whereas data which are capable by their nature of infringing fundamental freedoms or privacy should not be processed unless the data subject gives his explicit consent; whereas, however, derogations from this prohibition must be explicitly provided for in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy or in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms;

(34) Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection - especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system - scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals;

(35) Whereas, moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognized religious associations is carried out on important grounds of public interest;

(36) Whereas where, in the course of electoral activities, the operation of the democratic system requires in certain Member States that political parties compile data on people's political opinion, the processing of such data may be permitted for reasons of important public interest, provided that appropriate safeguards are established;

GDPR

The various assumptions of lawfulness of processing provided by the Directive are listed and sometimes specified in Article 6 of the Regulation or some of its recitals.

Thus, consent must relate to one or more specific purposes, which excludes any purpose expressed in general terms. It should also be remembered that consent is defined in Article 4(11) as a free, specific and informed expression of will.

These characteristics need to be specified, and are exemplified in recitals 42 and following and in Article 7 of the Regulation. In these recitals, special attention is paid to the free nature of consent, which should be excluded if the data subject has no real freedom of choice and is not able to refuse or withdraw consent without suffering damage. Nor can consent constitute a valid legal basis where there is a clear imbalance between the data subject and the controller and that imbalance gives rise to doubt as to whether consent has been given freely in all the circumstances of that particular situation.

Recital 47 provides details on how the legitimate interest of the controller is weighed against the rights and freedoms of the data subject. A legitimate interest may exist in particular when there is a relevant and appropriate link between the data subject and the controller, for example if the data subject is a client of the controller or is in its service. In any case, the data subject must be able to expect, at the time and in the context of the data collection, that the data will be processed for this purpose.

It should be noted that the latest version of the Regulation excludes the criterion of the legitimate interests of the data subject (Art. 6, f)) for processing by public authorities in carrying out their tasks, imposing a return to a strict lawfulness of the processing in question.

Still according to recital 47, the data subject should be able to object to the respective processing of data, for reasons relating to his or her personal situation, and it is free to do so. To ensure transparency, the controller should be required to explicitly inform the data subject of the legitimate interests pursued and to justify them, as well as of the data subject's right to object to the processing.

The Regulation also gives an important clarification regarding the processing that is justified by a law imposing proceedings in the cases referred to in Article 6, paragraph 1, c) (processing necessary for compliance with a legal obligation) and Article 6, paragraph 1, e) (processing necessary for the performance of a task carried out in the public interest). In both cases, the legal basis of the processing should be defined in accordance with Union law or the national law of the Member State to which the controller is subject (see Art. 6, paragraph 3).

Contrary to the idea of the Regulation unifying the rules on the matter, the 3rd paragraph, b) of Article 6 explicitly states that this legal basis can contain specific provisions to adapt the application of the rules in the Regulation (e.g., the general conditions of lawfulness of the processing, the categories of data that are the subject of the processing, the entities to which the data can be communicated and the purposes for which they can be communicated, the purpose limitation, etc.). The final version of the Regulation states that the law of the Union or the Member States must meet the objective of public interest and be proportionate to the legitimate interests pursued.

The final provision no longer opens up conditions under which a purpose can be changed where the new purpose is incompatible with the initial purpose. The evolution of the text shows a real debate: the original text contained no rule, while the second version introduced a specific paragraph (§ 4). If the data were collected by the same controller, subsequent processing would have been allowed despite the incompatibility of the purposes, as far as such incompatibility could be justified by any of the general assumptions of legality provided for in paragraph 1 of the provision. In other words, the controller could always find a solution to an incompatibility between the initial purpose and the subsequent purposes of processing by identifying a new basis for lawfulness of the processing.

The latest version of the Regulation has purely and simply removed this paragraph. The Article 29 Group had strongly criticized this provision, which would harm the purpose principle and empty it of its substance (cf. G29, Opinion 03/2013 on purpose limitation, 2 April 2013, p. 36 and 37).

The basic principle is therefore the requirement that the new purposes be compatible with the initial purposes, except with the consent of the data subject or where a specific legal text so allows on the same grounds that justify a limitation of the rights and obligations provided for by the Regulation (see Article 23(1)). In case of incompatibility, the pursuit of the incompatible purpose is proscribed.

The text of the Regulation (Art. 6, 4) provides some criteria to assess this compatibility. These include, for example, the existence of a link between the purpose for which the data were collected and the purposes of the proposed future processing, the nature of the personal data which will be processed, the possible consequences of the further processing envisaged for the data subjects, or even the existence of appropriate measures, which may include encryption and pseudonymisation.

Finally, the final version of the Regulation introduces a new paragraph 3 allowing the Member States to adapt the provisions of the Regulation in view of the conformity of processing with Article 6, paragraph 1, under c) (legal obligation) and e) (task of public interest), by determining more precisely the obligations for processing and other measures to ensure the legality and lawfulness, also with regard to the special situations of processing referred to in chapter IV.

The Directive

Article 7 of the Directive provides that data processing can be performed only if one of the hypotheses under the provision is met:

- the unambiguous consent of the data subject (consent) or

- the need for the performance of the contract with the data subject (contract) or

- the need for compliance with a legal obligation to which the controller is subject (legal obligation) or

- the need for safeguarding the vital interest of the data subject (vital interest) or

- the need for the performance of a task of public interest or in the exercise of public authority (task of public interest) vested in the controller or in a third party to whom the data are disclosed.

A final hypothesis, the search for a balance of interests, imposes an evaluation that is more difficult in practice. The processing must be necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject (legitimate interest).

Challenges

The clarifications provided by the Regulation often endorse the interpretations of the former texts advocated by the National Commissions and the Article 29 Group.

The possibility left to the states to adapt the rules applicable to processing imposed by national legislation is, however, more problematic. It is indicative of the willingness of states to reserve part of their sovereignty where there is a relationship between the state or one of its entities and the controller/citizen. Understandable as it is, this opportunity to continue to regulate a large number of processing cases on a specific and national basis opens a significant breach in the supposed acquis brought by the Regulation: the unification of the rules at European level.

The biggest disappointment comes from the refusal to make the principle of compatibility of the purposes more flexible. The prohibition of processing in case of incompatibility of the purposes is opposed to the evolution of processing that is somehow “frozen” by its actual initial purpose. If data have been processed for the purposes of performance of a contract, they cannot be communicated to a third party for feeding a big data profiling process, except with the data subject's consent or legal authorization.

Let's be clear: the case could be to admit it without guarantees, but the data subject would have been perfectly protected if we had departed from the principle - as the second version of the text specified - that the second purpose would give rise to new processing, which should be subject to compliance with all the provisions of the law (new information regarding the data subjects, identification of a new lawfulness criterion, etc.).

The solution of the Regulation is different: no purpose can be changed without the data subject’s prior consent. In practice (we think for example of Big Data projects) this strict rule may render a large number of projects unlawful. Not to mention data provision services, in particular in the area of marketing, which often do not have the data subject’s prior consent.

Regulation

Art. 6

1.   Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2.   Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3.   The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a) Union law; or

(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4.   Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

1st proposal

Art. 6

1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.

3. The basis of the processing referred to in points (c) and (e) of paragraph 1 must be provided for in:

(a) Union law, or

(b) the law of the Member State to which the controller is subject.

The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued.

4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.


2nd proposal

Art. 6

1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (...)

2. Processing of personal data which is necessary for archiving purposes in the public interest, or for historical, statistical or scientific purposes shall be lawful subject also to the conditions and safeguards referred to in Article 83.

3. The basis for the processing referred to in points (c) and (e) of paragraph 1 must be established in accordance with:

(a) Union law, or

(b) national law of the Member State to which the controller is subject.

The purpose of the processing shall be determined in this legal basis or as regards the processing referred to in point (e) of paragraph 1, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

This legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia the general conditions governing the lawfulness of data processing by the controller, the type of data which are subject to the processing, the data subjects concerned; the entities to, and the purposes for which the data may be disclosed; the purpose limitation; storage periods and processing operations and processing procedures, including measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter IX.

3a. In order to ascertain whether a purpose of further processing (...) is compatible with the one for which the data are initially collected, the controller shall take into account, unless the data subject has given consent, inter alia:

(a) any link between the purposes for which the data have been collected and the purposes of the intended further processing;

(b) the context in which the data have been collected;

(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards.

4. Where the purpose of further processing is incompatible with the one for which the personal data have been collected by the same controller, the further processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1.

Further processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject.

5. (...)

Directive

Art. 7

Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

(d) processing is necessary in order to protect the vital interests of the data subject; or

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

Art. 6

Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following conditions is met:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes,

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,

(c) processing is necessary for compliance with a legal obligation to which the controller is subject,

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person,

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of paragraph 1 shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in points (c) and (e) of paragraph 1 shall be laid down by

(a) Union law, or

(b) the national law of the Member State to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of the rules of this Regulation, inter alia the general conditions governing the lawfulness of processing by the controller, the types of data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed and the purposes of such disclosure, the purpose limitation, storage periods, and processing operations and processing procedures, including measures to ensure lawful and fair processing, such as those laid down for other specific processing situations as provided for in Chapter IX. Union law or the national law of the Member States shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on Union law or the national law of the Member States which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, take into account, inter alia, the following:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing,

(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller,

(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10,

(d) the possible consequences of the intended further processing for data subjects,

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

The old Act

§ 8 Conditions for processing personal data

Personal data (cf. § 2 no. 1) may be processed only if the data subject has consented, or it is laid down by law that such processing is permitted, or the processing is necessary in order to

(a) fulfil a contract with the data subject, or carry out tasks at the data subject's request before such a contract is entered into,

(b) enable the controller to fulfil a legal obligation,

(c) protect the vital interests of the data subject,

(d) perform a task in the public interest,

(e) exercise official authority, or

(f) enable the controller, or third parties to whom the data are disclosed, to protect a legitimate interest, and consideration for the data subject's privacy does not outweigh that interest.
