Dictionary

Lawful data processing

The General Data Protection Regulation puts forth the conditions under which data processing is lawful. In principle, personal data may not be processed without express legal permission. This principle in data protection is called “prohibition subject to permission”. If one of the following circumstances applies, the processing of personal data is permitted:

  • The consent of the data subject has been obtained.
  • The data processing is necessary for the fulfilment of a contract.
  • Data processing protects the vital interests of those concerned.
  • Data processing is required for public tasks.
  • The data controller is legally obliged to process the data.
  • The data controller can demonstrate a legitimate interest in the processing of personal data, which outweighs the interests of the data subject.

In Germany, the Federal Data Protection Act regulates a number of other cases in which data processing is permitted:

  • Data may be collected and used to establish or carry out an employment relationship.
  • Public authorities may process data of data subjects if this is obviously in the interest of the data subject and a refusal of consent cannot be anticipated.
  • Public sector bodies may also use personal data in law enforcement, in matters of national security or to perform monitoring tasks.
  • Non-public bodies, such as companies, may process data of data subjects if this is necessary for public security or for the exercise of civil law claims.

See also Purpose limitation

Article 6 GDPR (Lawfulness of processing)

1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law; or
(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Source: Regulation (EU) 2016/679 (see also recitals 40 and 41)

Section 23 BDSG (Processing for other purposes by public bodies)

(1) Public bodies shall be permitted to process personal data for a purpose other than the one for which the data were collected where such processing is necessary for them to perform their duties and if
1. it is obviously in the interest of the data subject and there is no reason to assume that the data subject would refuse consent if he or she were aware of the other purpose;
2. it is necessary to check information provided by the data subject because there is reason to believe that this information is incorrect;
3. processing is necessary to prevent substantial harm to the common good or a threat to public security, defence or national security; to safeguard substantial concerns of the common good; or to ensure tax and customs revenues;
4. processing is necessary to prosecute criminal or administrative offences, to carry out or enforce punishment or measures as referred to in Section 11 (1) no. 8 of the Criminal Code or educational or disciplinary measures as referred to in the Juvenile Court Act or to enforce fines;
5. processing is necessary to prevent serious harm to the rights of another person; or
6. processing is necessary to exercise powers of supervision and monitoring, to conduct audits or organizational analyses of the controller; this shall also apply to processing for training and examination purposes by the controller, as long as it does not conflict with the legitimate interests of the data subject.

(2) The processing of special categories of personal data as referred to in Article 9 (1) of Regulation (EU) 2016/679 for a purpose other than the one for which the data were collected shall be permitted if the conditions of subsection 1 are met and an exception pursuant to Article 9 (2) of Regulation (EU) 2016/679 or pursuant to Section 22 applies.

Source: German Federal Data Protection Act

Section 24 BDSG (Processing for other purposes by private bodies)

(1) Private bodies shall be permitted to process personal data for a purpose other than the one for which the data were collected if
1. processing is necessary to prevent threats to state or public security or to prosecute criminal offences; or
2. processing is necessary for the establishment, exercise or defence of legal claims,

unless the data subject has an overriding interest in not having the data processed.

(2) The processing of special categories of personal data as referred to in Article 9 (1) of Regulation (EU) 2016/679 for a purpose other than the one for which the data were collected shall be permitted if the conditions of subsection 1 are met and an exception pursuant to Article 9 (2) of Regulation (EU) 2016/679 or pursuant to Section 22 applies.

Source: German Federal Data Protection Act

Section 26 BDSG (Data processing for employment-related purposes)

(1) Personal data of employees may be processed for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract or to exercise or satisfy rights and obligations of employees’ representation laid down by law or by collective agreements or other agreements between the employer and staff council. Employees’ personal data may be processed to detect crimes only if there is a documented reason to believe the data subject has committed a crime while employed, the processing of such data is necessary to investigate the crime and is not outweighed by the data subject’s legitimate interest in not processing the data, and in particular the type and extent are not disproportionate to the reason.

(2) If personal data of employees are processed on the basis of consent, then the employee’s level of dependence in the employment relationship and the circumstances under which consent was given shall be taken into account in assessing whether such consent was freely given. Consent may be freely given in particular if it is associated with a legal or economic advantage for the employee, or if the employer and employee are pursuing the same interests. Consent shall be given in written form, unless a different form is appropriate because of special circumstances. The employer shall inform the employee in text form of the purpose of data processing and of the employee’s right to withdraw consent pursuant to Article 7 (3) of Regulation (EU) 2016/679.

(3) By derogation from Article 9 (1) of Regulation (EU) 2016/679, the processing of special categories of personal data as referred to in Article 9 (1) of Regulation (EU) 2016/679 for employment-related purposes shall be permitted if it is necessary to exercise rights or comply with legal obligations derived from labour law, social security and social protection law, and there is no reason to believe that the data subject has an overriding legitimate interest in not processing the data. Subsection 2 shall also apply to consent to the processing of special categories of personal data; consent must explicitly refer to these data. Section 22 (2) shall apply accordingly.

(4) The processing of personal data, including special categories of personal data of employees for employment-related purposes, shall be permitted on the basis of collective agreements. The negotiating partners shall comply with Article 88 (2) of Regulation (EU) 2016/679.

(5) The controller must take appropriate measures to ensure compliance in particular with the principles for processing personal data described in Article 5 of Regulation (EU) 2016/679.

(6) The rights of participation of staff councils shall remain unaffected.

(7) Subsections 1 to 6 shall also apply when personal data, including special categories of personal data, of employees are processed without forming or being intended to form part of a filing system.

(8) For the purposes of this Act, employees are
1. dependently employed workers, including temporary workers contracted to the borrowing employer;
2. persons employed for occupational training purposes;
3. participants in benefits to take part in working life, in assessments of occupational aptitude or work trials (persons undergoing rehabilitation);
4. persons employed in accredited workshops for persons with disabilities;
5. volunteers working pursuant to the Youth Volunteer Service Act or the Federal Volunteer Service Act;
6. persons who should be regarded as equivalent to dependently employed workers because of their economic dependence; these include persons working at home and their equivalents;
7. federal civil servants, federal judges, military personnel and persons in the alternative civilian service.

Applicants for employment and persons whose employment has been terminated shall be regarded as employees.

Source: German Federal Data Protection Act

 

A
B
C