CHAPTER II - Principles

Edited by

Corrigendum to Regulation (EU) 2016/679 OJEU L127 2 of 05/23/2018

---

Article 5 - Principles relating to the processing of personal data

1. Personal data must be:

a) processed in a lawful, fair and transparent manner with regard to the data subject (lawfulness, loyalty, transparency);

b) collected for specific, explicit and legitimate purposes, and not subsequently processed in a manner incompatible with those purposes; further processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered, in accordance with Article 89(1), to be incompatible with the original purposes (limitation purposes);

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization);

(d) accurate and, where necessary, kept up to date; all reasonable measures must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy);

(e) kept in a form allowing the identification of the data subjects for a period not exceeding that necessary for the purposes for which they are processed; personal data may be retained for longer periods to the extent that they will be processed exclusively for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 , paragraph 1, provided that the appropriate technical and organizational measures required by this Regulation are implemented in order to guarantee the rights and freedoms of the data subject (retention limitation);

(f) processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using technical measures or appropriate organizational (integrity and confidentiality);

2. The controller is responsible for compliance with paragraph 1 and is able to demonstrate that it is complied with (responsibility) .

---

Article 6 - Lawfulness of processing

1. The processing is only lawful if and to the extent that at least one of the following conditions is met:

(a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;

(b) the processing is necessary for the performance of a contract to which the data subject is party or for the execution of pre-contractual measures taken at the request of the data subject;

c) the processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary to safeguard the vital interests of the data subject or of another natural person;

(e) the processing is necessary for the performance of a task in the public interest or in the exercise of public authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular when the person concerned is a child.

Point f) of the first paragraph does not apply to processing carried out by public authorities in the execution of their missions.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing with the aim of complying with paragraph 1(c) and (e), by determining more precisely the specific requirements applicable to the processing as well as other measures aimed at ensuring lawful and fair processing, including in other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in points (c) and (e) of paragraph 1 is defined as:

(a) Union law; Or

(b) the law of the Member State to which the controller is subject.

The purposes of the processing are defined in this legal basis or, with regard to the processing referred to in paragraph 1(e), are necessary for the performance of a task carried out in the public interest or relating to the exercise of the public authority responsible for the processing. This legal basis may contain specific provisions to adapt the application of the rules of this Regulation, among others: the general conditions governing the lawfulness of the processing by the controller; the types of data that are subject to processing; the people concerned; the entities to which personal data may be communicated and the purposes for which they may be communicated; limitation of purposes; retention periods; and processing operations and procedures, including measures to ensure lawful and fair processing, such as those provided for in other particular processing situations as provided for in Chapter IX. Union law or the law of the Member States meets an objective of public interest and is proportionate to the legitimate objective pursued.

4. Where the processing for a purpose other than that for which the data were collected is not based on the consent of the data subject or on Union law or the law of a Member State which constitutes a necessary measure and proportionate in a democratic society to ensure the objectives referred to in Article 23(1), the controller, in order to determine whether processing for another purpose is compatible with the purpose for which the personal data were initially collected , takes into account, among other things:

a) the possible existence of a link between the purposes for which the personal data were collected and the purposes of the envisaged further processing;

(b) the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller;

(c) the nature of the personal data, in particular whether the processing relates to special categories of personal data, pursuant to Article 9, or whether personal data relating to criminal convictions and offenses are dealt with, under Article 10;

(d) the possible consequences of the envisaged further processing for the data subjects;

e) the existence of appropriate safeguards, which may include encryption or pseudonymization.

---

Article 7 - Conditions applicable to consent

1. In cases where processing is based on consent, the controller is able to demonstrate that the data subject has given consent to the processing of personal data concerning him or her.
2. If the consent of the data subject is given within the framework of a written declaration which also concerns other matters, the request for consent shall be presented in a form which clearly distinguishes it from these other matters, in an understandable and easily accessible form , and formulated in clear and simple terms. No part of this statement which constitutes a violation of these regulations is binding.
3. The data subject has the right to withdraw consent at any time. Withdrawal of consent does not compromise the lawfulness of processing based on consent given before such withdrawal. The person concerned is informed of this before giving consent. It is as easy to withdraw as to give consent.
4. When determining whether consent is given freely, due regard should be given to, inter alia, whether the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data which is not necessary for the execution of said contract.

---

Article 8 - Conditions applicable to children's consent with regard to information society services

1. Where Article 6(1)(a) applies, in relation to the direct provision of information society services to children, the processing of personal data relating to a child is lawful when the child is at least 16 years old. When the child is under 16 years of age, this processing is only lawful if, and to the extent that, consent is given or authorized by the holder of parental responsibility for the child.

Member States may provide by law for a lower age for these purposes provided that this lower age is not below 13 years.

2. The data controller shall make reasonable efforts to verify, in such cases, that consent is given or authorized by the holder of parental responsibility for the child, taking into account the technological means available.
3. Paragraph 1 does not affect the general contract law of the Member States, in particular the rules concerning the validity, formation or effects of a contract with regard to a child.

---

Article 9 - Processing of special categories of personal data

1. The processing of personal data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purposes of identifying a natural person uniquely, data concerning health or data concerning the sex life or sexual orientation of a natural person are prohibited.
2. Paragraph 1 does not apply if any of the following conditions are met:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specific purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 cannot be waived by the data subject;

b) the processing is necessary for the purposes of the performance of the obligations and the exercise of the rights specific to the controller or the data subject in matters of labor law, social security and social protection, in the to the extent that such processing is authorized by Union law, by the law of a Member State or by a collective agreement concluded under the law of a Member State which provides for appropriate guarantees for the fundamental rights and interests of the person concerned;

(c) processing is necessary to safeguard the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent;

d) the processing is carried out, within the framework of their legitimate activities and subject to appropriate guarantees, by a foundation, an association or any other non-profit organization and pursuing a political, philosophical, religious or trade union purpose, provided that said processing relates exclusively to members or former members of the said body or to persons maintaining regular contact with it in connection with its purposes and that personal data are not communicated outside of this body without the consent of the persons concerned ;

(e) the processing concerns personal data which are clearly made public by the data subject;

f) the processing is necessary for the establishment, exercise or defense of a legal right or whenever courts act within the framework of their judicial function;

(g) the processing is necessary for reasons of important public interest, on the basis of Union law or the law of a Member State which must be proportionate to the objective pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject;

h) the treatment is necessary for the purposes of preventive medicine or occupational medicine, the assessment of the worker's working capacity, medical diagnoses, health or social care, or systems management and health care or social protection services on the basis of Union law, the law of a Member State or under a contract concluded with a health professional and subject to the conditions and guarantees referred to in paragraph 3;

(i) the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or for the purposes of ensuring high standards of quality and safety of care health and medicinal products or medical devices, on the basis of Union or Member State law which provides for appropriate and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy ;

(j) the processing is necessary for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), on the basis of Union law or of the law of a Member State which must be proportionate to the objective pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.

3. The personal data referred to in paragraph 1 may be processed for the purposes provided for in paragraph 2(h), if those data are processed by a healthcare professional subject to an obligation of professional secrecy in accordance with the law. of the Union, the law of a Member State or the rules adopted by the competent national bodies, or under its responsibility, or by another person also subject to an obligation of secrecy in accordance with Union law or the law of a Member State or the rules adopted by the competent national bodies.
4. Member States may maintain or introduce additional conditions, including limitations, with regard to the processing of genetic data, biometric data or health data. .

---

Article 10 - Processing of personal data relating to criminal convictions and offenses

The processing of personal data relating to criminal convictions and related offenses or security measures based on Article 6(1) may only be carried out under the control of a public authority, or if the processing is authorized by Union law or by the law of a Member State which provides appropriate guarantees for the rights and freedoms of the data subjects. Any complete register of criminal convictions can only be kept under the control of the public authority.

---

Article 11 - Processing not requiring identification

1. If the purposes for which personal data are processed do not or no longer require the controller to identify a data subject, the controller is not obliged to store, obtain or process personal data. additional information to identify the person concerned for the sole purpose of complying with this Regulation.
2. Where, in the cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that he is unable to identify the data subject, he shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 are not applicable, except where the data subject provides, for the purposes of exercising the rights conferred on them by these articles, additional information which allows them to be identified.