Article 6. Lawfulness of processing | GDPR made searchable by Algolia. Chapters, articles and recitals easily readable
<html lang="en"> <head> <title> Article 6. Lawfulness of processing | GDPR made searchable by Algolia. Chapters, articles and recitals easily readable </title> <meta charset="utf-8" /> <meta name="google-site-verification" content="WhLt6CT_9M5ZmBN9aLyEQ6d0BWJvO8HDV5py9WFoMCc" /> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0" /> <link href="/static/img/favicon/favicon-64x64.32c6b9aff161.png" rel=icon sizes=64x64 type="image/png"> <link href="/static/img/favicon/favicon-48x48.d6a52ad61940.png" rel=icon sizes=48x48 type="image/png"> <link href="/static/img/favicon/favicon-32x32.275b262cc764.png" rel=icon sizes=32x32 type="image/png"> <link href="/static/img/favicon/favicon-16x16.a798eca57863.png" rel=icon sizes=16x16 type="image/png"> <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.10/css/all.css" integrity="sha384-+d0P83n9kaQMCwj8F4RJB66tzIwOKmrdb46+porD/OvrJ+37WqIM7UoBtwHO6Nlg" crossOrigin="anonymous" /> <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/instantsearch.css@7.0.0/themes/algolia-min.css" /> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/mark.js/8.11.1/jquery.mark.js"></script> <script src="/static/js/bootstrap.bundle.min.98d2c1da1c0a.js"></script> <link rel="stylesheet" href="/static/CACHE/css/dfbe1cbc128e.css" type="text/css" /> <link rel="canonical" href="https://gdpr.algolia.com/gdpr-article-6" /> <meta name="theme-color" content="#2050e0"> <meta property="og:locale" content="en" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Article 6 | GDPR made searchable by Algolia. Chapters, articles and recitals easily readable"/> <meta property="og:description" content="Official text of GDPR–General Data Protection Regulation–made searchable by Algolia. 
Search Easily in chapters, articles and recitals to read faster and become GDPR compliant."/> <meta property='og:image' content='https://gdpr.algolia.com/static/img/GDPR-social-network-preview.jpg'> <meta property="og:url" content="https://gdpr.algolia.com/gdpr-article-6" /> <meta property="og:site_name" content="General Data Protection Regulation (GDPR)" /> <meta name="twitter:card" content="summary" /> <meta name='twitter:image:src' content='https://gdpr.algolia.com/static/img/GDPR-social-network-preview.jpg'> <meta name="twitter:description" content="Official text of GDPR–General Data Protection Regulation–made searchable by Algolia. Search Easily in chapters, articles and recitals to read faster and become GDPR compliant."/> <meta name="twitter:title" content="Article 6 | GDPR made searchable by Algolia. Chapters, articles and recitals easily readable" /> <link rel="alternate" hreflang="et" href="https://gdpr.algolia.com/et/gdpr-article-6"> <link rel="alternate" hreflang="fr" href="https://gdpr.algolia.com/fr/gdpr-article-6"> <link rel="alternate" hreflang="el" href="https://gdpr.algolia.com/el/gdpr-article-6"> <link rel="alternate" hreflang="en" href="https://gdpr.algolia.com/gdpr-article-6"> <link rel="alternate" hreflang="cs" href="https://gdpr.algolia.com/cs/gdpr-article-6"> <link rel="alternate" hreflang="mt" href="https://gdpr.algolia.com/mt/gdpr-article-6"> <link rel="alternate" hreflang="hr" href="https://gdpr.algolia.com/hr/gdpr-article-6"> <link rel="alternate" hreflang="pt" href="https://gdpr.algolia.com/pt/gdpr-article-6"> <link rel="alternate" hreflang="pl" href="https://gdpr.algolia.com/pl/gdpr-article-6"> <link rel="alternate" hreflang="it" href="https://gdpr.algolia.com/it/gdpr-article-6"> <link rel="alternate" hreflang="sk" href="https://gdpr.algolia.com/sk/gdpr-article-6"> <link rel="alternate" hreflang="fi" href="https://gdpr.algolia.com/fi/gdpr-article-6"> <link rel="alternate" hreflang="sl" href="https://gdpr.algolia.com/sl/gdpr-article-6"> 
<link rel="alternate" hreflang="sv" href="https://gdpr.algolia.com/sv/gdpr-article-6"> <link rel="alternate" hreflang="da" href="https://gdpr.algolia.com/da/gdpr-article-6"> <link rel="alternate" hreflang="es" href="https://gdpr.algolia.com/es/gdpr-article-6"> <link rel="alternate" hreflang="de" href="https://gdpr.algolia.com/de/gdpr-article-6"> <link rel="alternate" hreflang="bg" href="https://gdpr.algolia.com/bg/gdpr-article-6"> <link rel="alternate" hreflang="lv" href="https://gdpr.algolia.com/lv/gdpr-article-6"> <link rel="alternate" hreflang="ga" href="https://gdpr.algolia.com/ga/gdpr-article-6"> <link rel="alternate" hreflang="nl" href="https://gdpr.algolia.com/nl/gdpr-article-6"> <link rel="alternate" hreflang="lt" href="https://gdpr.algolia.com/lt/gdpr-article-6"> <link rel="alternate" hreflang="hu" href="https://gdpr.algolia.com/hu/gdpr-article-6"> <link rel="alternate" hreflang="ro" href="https://gdpr.algolia.com/ro/gdpr-article-6"> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-MN3XDGF');</script> <!-- End Google Tag Manager --> </head> <body> <form action="/i18n/setlang/" method="post" style="display:none;" id="language-form"><input type='hidden' name='csrfmiddlewaretoken' value='RVsh7rG5iZ0gYsRvJ023t87J4Habbte64JnKPKGhyDeutsVP6PJZFJChqHKcJu31' /> <input name="next" type="hidden" value="" id="next-input"/> <input type="text" name="language" id="language-input"/> </form> <script type="text/javascript"> $(document).ready(function(){ var $languageForm = $('#language-form'); var $languageInput = $('#language-input'); var $nextInput = $('#next-input'); $('.dropdown-language .dropdown-item').click(function(){ 
$languageInput.val($(this).data('value')); $nextInput.val('/'); $languageForm.submit(); }); }); </script> <div class="row no-gutters"> <div class="menu-container d-lg-none d-xs-block"> <div class="d-block d-lg-none d-xs-block d-lg-none" id="mobile-menu"> <div class="dropdown dropdown-language dropup"> <button class="btn btn-secondary dropdown-toggle" type="button" id="dropdownMenuButton_mobile" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <img src="/static/img/en.png" srcset="/static/img/en@2x.png 2x, /static/img/en@3x.png 3x" alt="" /> </button> <div class="dropdown-menu dropdown-menu-right" aria-labelledby="dropdownMenuButton_mobile"> <a class="dropdown-item active" data-value="en" href="#"> <img src="/static/img/en.png" srcset="/static/img/en@2x.png 2x, /static/img/en@3x.png 3x" alt="" /> English </a> <a class="dropdown-item" data-value="de" href="#"> <img src="/static/img/de.png" srcset="/static/img/de@2x.png 2x, /static/img/de@3x.png 3x" alt="" /> German </a> <a class="dropdown-item" data-value="fr" href="#"> <img src="/static/img/fr.png" srcset="/static/img/fr@2x.png 2x, /static/img/fr@3x.png 3x" alt="" /> French </a> <a class="dropdown-item" data-value="es" href="#"> <img src="/static/img/es.png" srcset="/static/img/es@2x.png 2x, /static/img/es@3x.png 3x" alt="" /> Spanish </a> <a class="dropdown-item" data-value="it" href="#"> <img src="/static/img/it.png" srcset="/static/img/it@2x.png 2x, /static/img/it@3x.png 3x" alt="" /> Italian </a> <a class="dropdown-item" data-value="pt" href="#"> <img src="/static/img/pt.png" srcset="/static/img/pt@2x.png 2x, /static/img/pt@3x.png 3x" alt="" /> Portuguese </a> <a class="dropdown-item" data-value="nl" href="#"> <img src="/static/img/nl.png" srcset="/static/img/nl@2x.png 2x, /static/img/nl@3x.png 3x" alt="" /> Dutch </a> <a class="dropdown-item" data-value="hr" href="#"> <img src="/static/img/hr.png" srcset="/static/img/hr@2x.png 2x, /static/img/hr@3x.png 3x" alt="" /> Croatian </a> <a 
class="dropdown-item" data-value="hu" href="#"> <img src="/static/img/hu.png" srcset="/static/img/hu@2x.png 2x, /static/img/hu@3x.png 3x" alt="" /> Hungarian </a> <a class="dropdown-item" data-value="ro" href="#"> <img src="/static/img/ro.png" srcset="/static/img/ro@2x.png 2x, /static/img/ro@3x.png 3x" alt="" /> Romanian </a> <a class="dropdown-item" data-value="et" href="#"> <img src="/static/img/et.png" srcset="/static/img/et@2x.png 2x, /static/img/et@3x.png 3x" alt="" /> Estonian </a> <a class="dropdown-item" data-value="cs" href="#"> <img src="/static/img/cs.png" srcset="/static/img/cs@2x.png 2x, /static/img/cs@3x.png 3x" alt="" /> Czech </a> <a class="dropdown-item" data-value="el" href="#"> <img src="/static/img/el.png" srcset="/static/img/el@2x.png 2x, /static/img/el@3x.png 3x" alt="" /> Greek </a> <a class="dropdown-item" data-value="pl" href="#"> <img src="/static/img/pl.png" srcset="/static/img/pl@2x.png 2x, /static/img/pl@3x.png 3x" alt="" /> Polish </a> <a class="dropdown-item" data-value="sk" href="#"> <img src="/static/img/sk.png" srcset="/static/img/sk@2x.png 2x, /static/img/sk@3x.png 3x" alt="" /> Slovak </a> <a class="dropdown-item" data-value="ga" href="#"> <img src="/static/img/ga.png" srcset="/static/img/ga@2x.png 2x, /static/img/ga@3x.png 3x" alt="" /> Irish </a> <a class="dropdown-item" data-value="fi" href="#"> <img src="/static/img/fi.png" srcset="/static/img/fi@2x.png 2x, /static/img/fi@3x.png 3x" alt="" /> Finnish </a> <a class="dropdown-item" data-value="sl" href="#"> <img src="/static/img/sl.png" srcset="/static/img/sl@2x.png 2x, /static/img/sl@3x.png 3x" alt="" /> Slovenian </a> <a class="dropdown-item" data-value="sv" href="#"> <img src="/static/img/sv.png" srcset="/static/img/sv@2x.png 2x, /static/img/sv@3x.png 3x" alt="" /> Swedish </a> <a class="dropdown-item" data-value="mt" href="#"> <img src="/static/img/mt.png" srcset="/static/img/mt@2x.png 2x, /static/img/mt@3x.png 3x" alt="" /> Maltese </a> <a class="dropdown-item" 
data-value="da" href="#"> <img src="/static/img/da.png" srcset="/static/img/da@2x.png 2x, /static/img/da@3x.png 3x" alt="" /> Danish </a> <a class="dropdown-item" data-value="bg" href="#"> <img src="/static/img/bg.png" srcset="/static/img/bg@2x.png 2x, /static/img/bg@3x.png 3x" alt="" /> Bulgarian </a> <a class="dropdown-item" data-value="lv" href="#"> <img src="/static/img/lv.png" srcset="/static/img/lv@2x.png 2x, /static/img/lv@3x.png 3x" alt="" /> Latvian </a> <a class="dropdown-item" data-value="lt" href="#"> <img src="/static/img/lt.png" srcset="/static/img/lt@2x.png 2x, /static/img/lt@3x.png 3x" alt="" /> Lithuanian </a> </div> </div> </div> </div> <div class="col-sm-12 col-lg-4 col-xl-3 d-none d-lg-block"> <div class="left-container"> <div class="logo__container"> <a href="/"> <img src="/static/img/logo.ab423c61241b.svg" class="logo" /> </a> <h1 class="title__container"> <a href="/"> <span class="title">GDPR</span> </a> <span class="subtitle">Made searchable by <a href="https://www.algolia.com/?utm_medium=social-owned&utm_source=gdpr_search&utm_campaign=gdpr_search" target="_blank"> <img src="/static/img/algolia_logo.23c0fd3413de.svg" alt="Algolia logo"> </a> </span> </h1> </div> <div class="mainMenu"> <p class="mainMenu__title">Table of content</p> <ul> <li class="mainMenu__chapter "> <a class="mainMenu__chapter_link"> <span class="mainMenu__chapter__index">CHAPTER I</span> <span class="mainMenu__chapter__title"> General provisions <i class="fa fa-chevron-up"></i> </span> <span class="mainMenu__chapter__articles"> Art 1 - 4 </span> </a> <ul style="display: none;"> <li class="mainMenu__article"> <a href="/gdpr-article-1"> Article 1. Subject-matter and objectives </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-2"> Article 2. Material scope </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-3"> Article 3. Territorial scope </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-4"> Article 4. 
Definitions </a> </li> </ul> </li> <li class="mainMenu__chapter open"> <a class="mainMenu__chapter_link"> <span class="mainMenu__chapter__index">CHAPTER II</span> <span class="mainMenu__chapter__title"> Principles <i class="fa fa-chevron-down"></i> </span> <span class="mainMenu__chapter__articles"> Art 5 - 11 </span> </a> <ul style=""> <li class="mainMenu__article"> <a href="/gdpr-article-5"> Article 5. Principles relating to processing of personal data </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-6"> Article 6. Lawfulness of processing </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-7"> Article 7. Conditions for consent </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-8"> Article 8. Conditions applicable to child's consent in relation to information society services </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-9"> Article 9. Processing of special categories of personal data </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-10"> Article 10. Processing of personal data relating to criminal convictions and offences </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-11"> Article 11. Processing which does not require identification </a> </li> </ul> </li> <li class="mainMenu__chapter "> <a class="mainMenu__chapter_link"> <span class="mainMenu__chapter__index">CHAPTER III</span> <span class="mainMenu__chapter__title"> Rights of the data subject <i class="fa fa-chevron-up"></i> </span> <span class="mainMenu__chapter__articles"> Art 12 - 23 </span> </a> <ul style="display: none;"> <li class="mainMenu__article"> <a href="/gdpr-article-12"> Article 12. Transparent information, communication and modalities for the exercise of the rights of the data subject </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-13"> Article 13. 
Information to be provided where personal data are collected from the data subject </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-14"> Article 14. Information to be provided where personal data have not been obtained from the data subject </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-15"> Article 15. Right of access by the data subject </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-16"> Article 16. Right to rectification </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-17"> Article 17. Right to erasure (‘right to be forgotten’) </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-18"> Article 18. Right to restriction of processing </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-19"> Article 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-20"> Article 20. Right to data portability </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-21"> Article 21. Right to object </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-22"> Article 22. Automated individual decision-making, including profiling </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-23"> Article 23. Restrictions </a> </li> </ul> </li> <li class="mainMenu__chapter "> <a class="mainMenu__chapter_link"> <span class="mainMenu__chapter__index">CHAPTER IV</span> <span class="mainMenu__chapter__title"> Controller and processor <i class="fa fa-chevron-up"></i> </span> <span class="mainMenu__chapter__articles"> Art 24 - 43 </span> </a> <ul style="display: none;"> <li class="mainMenu__article"> <a href="/gdpr-article-24"> Article 24. Responsibility of the controller </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-25"> Article 25. 
Data protection by design and by default </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-26"> Article 26. Joint controllers </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-27"> Article 27. Representatives of controllers or processors not established in the Union </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-28"> Article 28. Processor </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-29"> Article 29. Processing under the authority of the controller or processor </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-30"> Article 30. Records of processing activities </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-31"> Article 31. Cooperation with the supervisory authority </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-32"> Article 32. Security of processing </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-33"> Article 33. Notification of a personal data breach to the supervisory authority </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-34"> Article 34. Communication of a personal data breach to the data subject </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-35"> Article 35. Data protection impact assessment </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-36"> Article 36. Prior consultation </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-37"> Article 37. Designation of the data protection officer </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-38"> Article 38. Position of the data protection officer </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-39"> Article 39. Tasks of the data protection officer </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-40"> Article 40. Codes of conduct </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-41"> Article 41. 
Monitoring of approved codes of conduct </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-42"> Article 42. Certification </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-43"> Article 43. Certification bodies </a> </li> </ul> </li> <li class="mainMenu__chapter "> <a class="mainMenu__chapter_link"> <span class="mainMenu__chapter__index">CHAPTER V</span> <span class="mainMenu__chapter__title"> Transfers of personal data to third countries or international organisations <i class="fa fa-chevron-up"></i> </span> <span class="mainMenu__chapter__articles"> Art 44 - 50 </span> </a> <ul style="display: none;"> <li class="mainMenu__article"> <a href="/gdpr-article-44"> Article 44. General principle for transfers </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-45"> Article 45. Transfers on the basis of an adequacy decision </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-46"> Article 46. Transfers subject to appropriate safeguards </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-47"> Article 47. Binding corporate rules </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-48"> Article 48. Transfers or disclosures not authorised by Union law </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-49"> Article 49. Derogations for specific situations </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-50"> Article 50. International cooperation for the protection of personal data </a> </li> </ul> </li> <li class="mainMenu__chapter "> <a class="mainMenu__chapter_link"> <span class="mainMenu__chapter__index">CHAPTER VI</span> <span class="mainMenu__chapter__title"> Independent supervisory authorities <i class="fa fa-chevron-up"></i> </span> <span class="mainMenu__chapter__articles"> Art 51 - 59 </span> </a> <ul style="display: none;"> <li class="mainMenu__article"> <a href="/gdpr-article-51"> Article 51. 
Supervisory authority </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-52"> Article 52. Independence </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-53"> Article 53. General conditions for the members of the supervisory authority </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-54"> Article 54. Rules on the establishment of the supervisory authority </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-55"> Article 55. Competence </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-56"> Article 56. Competence of the lead supervisory authority </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-57"> Article 57. Tasks </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-58"> Article 58. Powers </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-59"> Article 59. Activity reports </a> </li> </ul> </li> <li class="mainMenu__chapter "> <a class="mainMenu__chapter_link"> <span class="mainMenu__chapter__index">CHAPTER VII</span> <span class="mainMenu__chapter__title"> Cooperation and consistency <i class="fa fa-chevron-up"></i> </span> <span class="mainMenu__chapter__articles"> Art 60 - 76 </span> </a> <ul style="display: none;"> <li class="mainMenu__article"> <a href="/gdpr-article-60"> Article 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-61"> Article 61. Mutual assistance </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-62"> Article 62. Joint operations of supervisory authorities </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-63"> Article 63. Consistency mechanism </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-64"> Article 64. Opinion of the Board </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-65"> Article 65. 
Dispute resolution by the Board </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-66"> Article 66. Urgency procedure </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-67"> Article 67. Exchange of information </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-68"> Article 68. European Data Protection Board </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-69"> Article 69. Independence </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-70"> Article 70. Tasks of the Board </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-71"> Article 71. Reports </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-72"> Article 72. Procedure </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-73"> Article 73. Chair </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-74"> Article 74. Tasks of the Chair </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-75"> Article 75. Secretariat </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-76"> Article 76. Confidentiality </a> </li> </ul> </li> <li class="mainMenu__chapter "> <a class="mainMenu__chapter_link"> <span class="mainMenu__chapter__index">CHAPTER VIII</span> <span class="mainMenu__chapter__title"> Remedies, liability and penalties <i class="fa fa-chevron-up"></i> </span> <span class="mainMenu__chapter__articles"> Art 77 - 84 </span> </a> <ul style="display: none;"> <li class="mainMenu__article"> <a href="/gdpr-article-77"> Article 77. Right to lodge a complaint with a supervisory authority </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-78"> Article 78. Right to an effective judicial remedy against a supervisory authority </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-79"> Article 79. Right to an effective judicial remedy against a controller or processor </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-80"> Article 80. 
Representation of data subjects </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-81"> Article 81. Suspension of proceedings </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-82"> Article 82. Right to compensation and liability </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-83"> Article 83. General conditions for imposing administrative fines </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-84"> Article 84. Penalties </a> </li> </ul> </li> <li class="mainMenu__chapter "> <a class="mainMenu__chapter_link"> <span class="mainMenu__chapter__index">CHAPTER IX</span> <span class="mainMenu__chapter__title"> Provisions relating to specific processing situations <i class="fa fa-chevron-up"></i> </span> <span class="mainMenu__chapter__articles"> Art 85 - 91 </span> </a> <ul style="display: none;"> <li class="mainMenu__article"> <a href="/gdpr-article-85"> Article 85. Processing and freedom of expression and information </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-86"> Article 86. Processing and public access to official documents </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-87"> Article 87. Processing of the national identification number </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-88"> Article 88. Processing in the context of employment </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-89"> Article 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-90"> Article 90. Obligations of secrecy </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-91"> Article 91. 
Existing data protection rules of churches and religious associations </a> </li> </ul> </li> <li class="mainMenu__chapter "> <a class="mainMenu__chapter_link"> <span class="mainMenu__chapter__index">CHAPTER X</span> <span class="mainMenu__chapter__title"> Delegated acts and implementing acts <i class="fa fa-chevron-up"></i> </span> <span class="mainMenu__chapter__articles"> Art 92 - 93 </span> </a> <ul style="display: none;"> <li class="mainMenu__article"> <a href="/gdpr-article-92"> Article 92. Exercise of the delegation </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-93"> Article 93. Committee procedure </a> </li> </ul> </li> <li class="mainMenu__chapter "> <a class="mainMenu__chapter_link"> <span class="mainMenu__chapter__index">CHAPTER XI</span> <span class="mainMenu__chapter__title"> Final provisions <i class="fa fa-chevron-up"></i> </span> <span class="mainMenu__chapter__articles"> Art 94 - 99 </span> </a> <ul style="display: none;"> <li class="mainMenu__article"> <a href="/gdpr-article-94"> Article 94. Repeal of Directive 95/46/EC </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-95"> Article 95. Relationship with Directive 2002/58/EC </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-96"> Article 96. Relationship with previously concluded Agreements </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-97"> Article 97. Commission reports </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-98"> Article 98. Review of other Union legal acts on data protection </a> </li> <li class="mainMenu__article"> <a href="/gdpr-article-99"> Article 99. 
Entry into force and application </a> </li> </ul> </li> </ul> </div> </div> </div> <div class="col-sm-12 col-lg-8 col-xl-6 main-column-content"> <div class="row header no-gutters"> <div class="mobile__container"> <div class="logo__container"> <a href="/"> <img src="/static/img/logo.ab423c61241b.svg" class="logo" /> </a> <h1 class="title__container"> <a href="/"> <span class="title">GDPR</span> </a> <span class="subtitle">Made searchable by <a href="https://www.algolia.com/?utm_medium=social-owned&utm_source=gdpr_search&utm_campaign=gdpr_search" target="_blank"> <img src="/static/img/algolia_logo.23c0fd3413de.svg" alt="Algolia logo"> </a> </span> </h1> </div> </div> <div class="col-12 search__container"> <a class="menu__btn d-lg-none"> <img src="/static/img/ic-menu.acccaf1de6b5.svg" class="ic-menu"> </a> <div class="algolia-logo-search"> <a href="https://www.algolia.com/?utm_medium=social-owned&utm_source=gdpr_search&utm_campaign=gdpr_search" target="_blank"> <svg xmlns="http://www.w3.org/2000/svg" width="62" height="31" viewBox="0 0 62 31"> <g fill="#81899C" fill-rule="evenodd"> <path fill-rule="nonzero" d="M10.202 7.434c-.497.378-1.18.564-2.057.564-.873 0-1.588-.13-2.145-.39V6.46c.352.159.728.283 1.122.375.398.092.768.137 1.109.137.5 0 .869-.09 1.107-.274a.883.883 0 0 0 .356-.735.901.901 0 0 0-.328-.706c-.219-.193-.67-.421-1.353-.685-.705-.274-1.201-.586-1.49-.94-.29-.35-.435-.774-.435-1.267 0-.62.229-1.106.688-1.462C7.233.547 7.85.37 8.62.37c.74 0 1.476.155 2.21.467l-.401.988c-.687-.276-1.3-.415-1.84-.415-.408 0-.72.085-.93.255a.83.83 0 0 0-.318.678c0 .193.044.36.128.495.085.137.225.267.419.388.193.123.54.283 1.046.482.568.226.984.439 1.248.635.263.196.457.417.58.665.124.245.185.538.185.873 0 .661-.248 1.179-.745 1.554zm2.53-.201c-.512-.509-.768-1.21-.768-2.102 0-.917.236-1.638.712-2.162.477-.525 1.13-.787 1.962-.787.772 0 1.382.225 1.83.675.447.45.67 1.068.67 1.857v.644h-3.895c.017.545.17.964.46 1.257.288.293.696.438 1.22.438.345 0 
.667-.03.965-.094.298-.062.618-.166.96-.312v.97c-.305.138-.61.237-.921.293a5.77 5.77 0 0 1-1.063.087c-.908.001-1.62-.254-2.132-.764zm.956-3.787c-.238.24-.38.59-.426 1.049h2.653c-.007-.463-.123-.813-.348-1.052-.227-.239-.537-.359-.932-.359-.393 0-.709.12-.947.362zm8.269 3.669h-.043c-.282.342-.565.574-.85.697-.286.125-.653.186-1.1.186-.575 0-1.024-.148-1.345-.446-.322-.297-.483-.718-.483-1.264 0-.578.224-1.015.67-1.309.448-.294 1.131-.455 2.047-.482l1.01-.03v-.301c0-.36-.09-.627-.262-.803-.175-.18-.445-.268-.812-.268-.3 0-.587.042-.861.126-.276.085-.54.184-.794.3l-.401-.853c.317-.16.664-.28 1.041-.363a4.968 4.968 0 0 1 1.068-.124c.743 0 1.304.156 1.683.466.379.312.568.8.568 1.468v3.78h-.888l-.248-.78zm-.515-.393c.272-.242.409-.581.409-1.018v-.488l-.751.03c-.585.022-1.01.114-1.277.282-.266.168-.398.425-.398.77 0 .25.076.443.232.58.155.137.388.206.699.206.451 0 .813-.12 1.086-.362zm6.97-4.49l-.122 1.112c-.177-.04-.36-.06-.551-.06-.495 0-.899.154-1.207.466-.307.312-.462.715-.462 1.213v2.933h-1.24V2.284h.97l.165.989h.063c.194-.335.447-.601.758-.797.313-.196.65-.294 1.008-.294.249 0 .455.017.619.05zm1.423 5.023c-.459-.496-.69-1.207-.69-2.134 0-.945.242-1.67.722-2.177.483-.507 1.176-.761 2.087-.761.616 0 1.17.11 1.663.33l-.374.958c-.526-.195-.959-.293-1.301-.293-1.01 0-1.516.643-1.516 1.933 0 .63.125 1.103.377 1.419.253.316.622.475 1.108.475.553 0 1.077-.132 1.57-.397V7.65c-.22.125-.458.215-.709.269a4.28 4.28 0 0 1-.918.082c-.887-.003-1.559-.25-2.02-.745zm8.916.641v-3.45c0-.435-.09-.756-.271-.97-.183-.213-.47-.321-.865-.321-.521 0-.905.151-1.151.45-.243.3-.366.8-.366 1.503v2.788h-1.242V0h1.242v2.003c0 .321-.02.666-.063 1.03h.079c.169-.27.403-.48.705-.628a2.362 2.362 0 0 1 1.055-.223c1.417 0 2.126.685 2.126 2.055v3.66h-1.249z"/> <path d="M48.828 3.115c.418.537.628 1.29.628 2.26 0 .974-.213 1.732-.637 2.275-.425.542-1.012.813-1.768.813-.76 0-1.352-.27-1.773-.81h-.087l-.233.703H44V0h1.278v1.987c0 .147-.007.365-.022.655-.014.29-.025.475-.032.553h.054c.405-.59 1.005-.886 
1.795-.886.75 0 1.336.27 1.755.806zm-3.201.674c-.225.3-.343.8-.35 1.5v.087c0 .721.117 1.245.349 1.57.233.323.61.485 1.136.485.454 0 .797-.177 1.031-.532.233-.354.352-.866.352-1.535 0-1.35-.466-2.025-1.403-2.025-.518 0-.887.15-1.115.45zm5.792-1.372l1.223 3.366c.186.48.31.93.37 1.354h.044c.034-.196.094-.435.18-.716.088-.28.548-1.615 1.382-4.003H56l-2.573 6.73C52.96 10.381 52.18 11 51.087 11a3.66 3.66 0 0 1-.826-.092V9.91c.192.043.411.065.658.065.618 0 1.05-.353 1.3-1.058l.223-.56-2.415-5.94h1.392z"/> <g fill-rule="nonzero"> <path d="M12.306 15a1.87 1.87 0 0 1 1.865 1.872V27.35a1.87 1.87 0 0 1-1.865 1.872H1.866A1.87 1.87 0 0 1 0 27.35V16.867C0 15.837.834 15 1.866 15h10.44zM7.25 18.593a4.012 4.012 0 0 0-4.003 4.02 4.008 4.008 0 0 0 4.003 4.017 4.012 4.012 0 0 0 4.003-4.02 4.006 4.006 0 0 0-4.003-4.017zm0 6.85a2.827 2.827 0 0 1-2.82-2.83 2.827 2.827 0 0 1 2.82-2.829 2.827 2.827 0 0 1 2.82 2.83c0 1.561-1.26 2.83-2.82 2.83zm0-2.972c0 .06.064.103.12.074l1.867-.97c.042-.021.055-.074.033-.116a2.32 2.32 0 0 0-1.933-1.179c-.043 0-.086.035-.086.083l-.001 2.108zm-2.614-3.658l-.246-.245a.61.61 0 0 0-.868 0l-.292.293a.615.615 0 0 0 0 .87l.24.243c.04.04.095.03.13-.008a4.484 4.484 0 0 1 1.023-1.028c.043-.026.047-.087.013-.125zm3.925-1.126a.616.616 0 0 0-.615-.617H6.513a.617.617 0 0 0-.614.617v.5c0 .056.052.096.107.082a4.5 4.5 0 0 1 2.451-.012.084.084 0 0 0 .104-.081l-.001-.489zM37.018 26.71c0 1.294-.33 2.238-.995 2.838-.664.6-1.68.9-3.047.9-.5 0-1.538-.097-2.368-.28l.305-1.502c.695.146 1.612.185 2.092.185.762 0 1.306-.155 1.63-.465.326-.311.485-.77.485-1.38v-.31a5.712 5.712 0 0 1-.742.28c-.305.092-.66.141-1.057.141-.523 0-1-.082-1.432-.247a2.99 2.99 0 0 1-1.11-.726 3.3 3.3 0 0 1-.718-1.202c-.17-.48-.257-1.336-.257-1.966 0-.59.092-1.33.271-1.824.185-.494.447-.92.801-1.274a3.67 3.67 0 0 1 1.275-.824 4.688 4.688 0 0 1 1.723-.324c.616 0 1.183.078 1.736.169.554.093 1.024.19 1.408.296v7.516zm-5.274-3.738c0 .794.174 1.675.524 2.044.35.367.8.551 1.354.551.3 0 
.587-.044.854-.124.265-.084.48-.18.65-.297v-4.702a7.53 7.53 0 0 0-1.252-.16c-.689-.018-1.213.262-1.582.71-.363.452-.549 1.242-.549 1.978h.001zm14.278 0c0 .64-.092 1.123-.281 1.651a3.897 3.897 0 0 1-.8 1.351 3.534 3.534 0 0 1-1.242.867c-.485.203-1.233.32-1.605.32-.374-.006-1.116-.113-1.596-.32a3.626 3.626 0 0 1-1.238-.868 3.993 3.993 0 0 1-.806-1.35 4.477 4.477 0 0 1-.29-1.652c0-.64.086-1.254.281-1.778.195-.523.465-.969.815-1.342a3.646 3.646 0 0 1 1.242-.86c.48-.205 1.01-.301 1.582-.301.573 0 1.102.101 1.587.3.485.203.903.49 1.242.862.345.374.61.818.806 1.343.204.521.304 1.137.304 1.776h-.001zm-1.94.004c0-.818-.18-1.5-.53-1.973-.349-.48-.838-.719-1.465-.719-.625 0-1.116.238-1.465.718-.349.478-.519 1.155-.519 1.973 0 .83.175 1.387.523 1.867.35.483.841.72 1.467.72.625 0 1.116-.242 1.465-.72.349-.486.522-1.038.522-1.867l.002.001zm6.165 4.187c-3.11.013-3.11-2.51-3.11-2.912l-.004-8.95L49.03 15v8.89c0 .23 0 1.672 1.218 1.677v1.596zm3.343 0h-1.906v-8.179l1.907-.3v8.479zm-.956-9.372c.637 0 1.155-.514 1.155-1.148 0-.634-.513-1.147-1.155-1.147-.64 0-1.154.513-1.154 1.147s.52 1.148 1.155 1.148h-.001zm5.696.9c.626 0 1.155.078 1.582.232.428.156.77.373 1.024.649.253.277.432.655.539 1.052.111.396.165.833.165 1.312v4.871c-.29.064-.732.137-1.324.224-.591.087-1.256.13-1.993.13-.49 0-.942-.049-1.344-.141a2.833 2.833 0 0 1-1.043-.45 2.174 2.174 0 0 1-.675-.804c-.16-.329-.243-.794-.243-1.28 0-.464.092-.759.27-1.079.187-.32.433-.58.745-.784a3.163 3.163 0 0 1 1.085-.435 6.131 6.131 0 0 1 2.688.038v-.311c0-.217-.024-.425-.078-.619a1.335 1.335 0 0 0-.27-.517 1.263 1.263 0 0 0-.515-.349 2.25 2.25 0 0 0-.81-.146c-.438 0-.835.054-1.2.116a5.662 5.662 0 0 0-.892.219l-.229-1.556a7.85 7.85 0 0 1 1.048-.245 8.239 8.239 0 0 1 1.47-.126zm.16 6.872c.583 0 1.014-.033 1.315-.092v-1.927a3.627 3.627 0 0 0-.456-.093 4.605 4.605 0 0 0-.66-.048 4.07 4.07 0 0 0-.635.049c-.212.029-.407.087-.577.168-.169.084-.31.2-.412.35-.106.15-.155.237-.155.465 0 .447.155.702.436.873.287.174.665.257 
1.146.257l-.002-.002zM21.029 18.74c.626 0 1.155.078 1.582.232.426.155.77.374 1.023.65.257.28.432.653.539 1.05.112.397.165.833.165 1.313v4.871c-.293.062-.733.136-1.324.222-.594.09-1.258.132-1.996.132-.49 0-.94-.048-1.344-.14a2.833 2.833 0 0 1-1.043-.45 2.183 2.183 0 0 1-.673-.806c-.161-.329-.244-.794-.244-1.278 0-.465.092-.76.272-1.08.184-.32.432-.58.742-.784a3.165 3.165 0 0 1 1.087-.436 6.222 6.222 0 0 1 1.95-.091c.228.025.476.068.737.131v-.31c0-.218-.023-.427-.077-.62a1.324 1.324 0 0 0-.272-.518 1.28 1.28 0 0 0-.515-.349 2.25 2.25 0 0 0-.81-.145c-.436 0-.834.054-1.198.116a5.345 5.345 0 0 0-.892.218l-.228-1.555c.239-.082.593-.164 1.048-.246a7.821 7.821 0 0 1 1.469-.127h.002zm.164 6.877c.583 0 1.015-.033 1.316-.092v-1.928a3.683 3.683 0 0 0-.457-.093 4.615 4.615 0 0 0-.66-.048c-.21 0-.423.015-.638.049a1.92 1.92 0 0 0-.576.169c-.17.083-.31.199-.412.35-.107.15-.155.236-.155.464 0 .447.154.702.435.873.281.169.665.258 1.145.258l.002-.002zm7.69 1.547c-3.109.013-3.109-2.51-3.109-2.912l-.007-8.952 1.896-.3v8.89c0 .23 0 1.672 1.218 1.677v1.594l.002.003z"/> </g> </g> </svg> </a> </div>
</div> <div class="d-lg-none spacer"></div> <div class="content__container main">
<article class="article-container"> <div id="inner-content"> <div class="article"> <div class="chapter"> <h2 class="chapter__title"> <span class="chapter__title__index">CHAPTER II</span> <span class="chapter__title__label">Principles</span> </h2> </div> <h3 class="article__title"> Article 6. Lawfulness of processing </h3>
<ul class="list-unstyled article__list_level0"> <li class="no-label"> <p id="section-0"> 1. Processing shall be lawful only if and to the extent that at least one of the following applies:</p> <ul class="list-unstyled"> </ul> </li>
<li class=""> <p id="section-1">(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; </p> <ul class="list-unstyled"> </ul> </li>
<li class=""> <p id="section-2">(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; </p> <ul class="list-unstyled"> </ul> </li>
<li class=""> <p id="section-3">(c) processing is necessary for compliance with a legal obligation to which the controller is subject; </p> <ul class="list-unstyled"> </ul> </li>
<li class=""> <p id="section-4">(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; </p> <ul class="list-unstyled"> </ul> </li>
<li class=""> <p id="section-5">(e) processing
is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; </p> <ul class="list-unstyled"> </ul> </li> <li class=""> <p id="section-6">(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. </p> <ul class="list-unstyled"> </ul> </li> <li class="no-label"> <p id="section-7"> Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.</p> <ul class="list-unstyled"> </ul> </li> <li class="no-label"> <p id="section-8"> 2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.</p> <ul class="list-unstyled"> </ul> </li> <li class="no-label"> <p id="section-9"> 3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:</p> <ul class="list-unstyled"> </ul> </li> <li class=""> <p id="section-10">(a) Union law; or </p> <ul class="list-unstyled"> </ul> </li> <li class=""> <p id="section-11">(b) Member State law to which the controller is subject. 
</p> <ul class="list-unstyled"> </ul> </li> <li class="no-label"> <p id="section-12"> The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.</p> <ul class="list-unstyled"> </ul> </li> <li class="no-label"> <p id="section-13"> 4. 
Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:</p> <ul class="list-unstyled"> </ul> </li> <li class=""> <p id="section-14">(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing; </p> <ul class="list-unstyled"> </ul> </li> <li class=""> <p id="section-15">(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller; </p> <ul class="list-unstyled"> </ul> </li> <li class=""> <p id="section-16">(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10; </p> <ul class="list-unstyled"> </ul> </li> <li class=""> <p id="section-17">(d) the possible consequences of the intended further processing for data subjects; </p> <ul class="list-unstyled"> </ul> </li> <li class=""> <p id="section-18">(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation. 
</p> <ul class="list-unstyled"> </ul> </li> </ul> </div> <script type="text/javascript"> $(document).ready(function(){ var definitions = {"personal data\u2019 means any information relating to an identified or identifiable natural person (\u2018data subject": "\u2018personal data\u2019 means any information relating to an identified or identifiable natural person (\u2018data subject\u2019); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; \n \n \n \n ", "processing": "\u2018processing\u2019 means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; \n \n \n \n ", "restriction of processing": "\u2018restriction of processing\u2019 means the marking of stored personal data with the aim of limiting their processing in the future; \n \n \n \n ", "profiling\u2019 means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person": "\u2018profiling\u2019 means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, 
reliability, behaviour, location or movements; \n \n \n \n ", "pseudonymisation": "\u2018pseudonymisation\u2019 means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; \n \n \n \n ", "filing system": "\u2018filing system\u2019 means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis; \n \n \n \n ", "controller": "\u2018controller\u2019 means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member\u00a0State law; \n \n \n \n ", "processor": "\u2018processor\u2019 means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; \n \n \n \n ", "recipient": "\u2018recipient\u2019 means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. 
However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law\u00a0shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; \n \n \n \n ", "third party": "\u2018third party\u2019 means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; \n \n \n \n ", "consent\u2019 of the data subject means any freely given, specific, informed and unambiguous indication of the data subject": "\u2018consent\u2019 of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; \n \n \n \n ", "personal data breach": "\u2018personal data breach\u2019 means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; \n \n \n \n ", "genetic data": "\u2018genetic data\u2019 means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question; \n \n \n \n ", "biometric data": "\u2018biometric data\u2019 means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as 
facial images or dactyloscopic data; \n \n \n \n ", "data concerning health": "\u2018data concerning health\u2019 means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status; \n \n \n \n ", "main establishment": "\u2018main establishment\u2019 means: \n \n \n \n ", "representative": "\u2018representative\u2019 means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article\u00a027, represents the controller or processor with regard to their respective obligations under this Regulation; \n \n \n \n ", "enterprise": "\u2018enterprise\u2019 means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity; \n \n \n \n ", "group of undertakings": "\u2018group of undertakings\u2019 means a controlling undertaking and its controlled undertakings; \n \n \n \n ", "binding corporate rules": "\u2018binding corporate rules\u2019 means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity; \n \n \n \n ", "supervisory authority": "\u2018supervisory authority\u2019 means an independent public authority which is established by a Member State pursuant to Article\u00a051; \n \n \n \n ", "supervisory authority concerned": "\u2018supervisory authority concerned\u2019 means a supervisory authority which is concerned by the processing of personal data because: \n \n \n \n ", "cross-border processing": "\u2018cross-border processing\u2019 means either: \n \n \n \n ", "relevant and reasoned objection": 
"\u2018relevant and reasoned objection\u2019 means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union; \n \n \n \n ", "information society service": "\u2018information society service\u2019 means a service as defined in point\u00a0(b) of Article\u00a01(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council ; \n \n \n \n ", "international organisation": "\u2018international organisation\u2019 means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries. \n \n \n \n "}; var terms = Object.keys(definitions); $(".article__list_level0").mark(terms, { separateWordSearch: false, done: function() { $('[data-markjs="true"]').popover({ title: function() { return $(this).text(); }, content: function() { var content = definitions[$(this).text().toLowerCase()]; if (content) { return content; } else { return definitions[$(this).text()]; } }, delay: { "show": 100, "hide": 0 }, trigger: 'hover' }) } }); }); </script> <a class="next-article" href="/gdpr-article-7"> <p>Next</p> <p class="name"> Article 7. 
Conditions for consent </p> <span class="arrow-down"> <i class="fa fa-arrow-down"></i> </span> </a> </div> </article> </div> </div> </div> <div class="col-sm-12 col-xl-3 d-none d-xl-block"> <div class="right-container"> <div class="recitals"> <div class="recitals__container"> <h3> <i class="fa fa-link"></i>Suitable Recitals for article 6</h3> <ul class="list-unstyled"> <li> <span class="index">39</span> <a href="#recital-39" class="recital-link" data-recital-content="Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. 
The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing." 
data-recital-index="39"> <span>Any processing of personal data should be lawfu...</span> </a> </li> <li> <span class="index">40</span> <a href="#recital-40" class="recital-link" data-recital-content="In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract." data-recital-index="40"> <span>In order for processing to be lawful, personal ...</span> </a> </li> <li> <span class="index">41</span> <a href="#recital-41" class="recital-link" data-recital-content="Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights." data-recital-index="41"> <span>Where this Regulation refers to a legal basis o...</span> </a> </li> <li> <span class="index">42</span> <a href="#recital-42" class="recital-link" data-recital-content="Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. 
In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC" data-recital-index="42"> <span>Where processing is based on the data subject's...</span> </a> </li> <li> <span class="index">43</span> <a href="#recital-43" class="recital-link" data-recital-content="In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance." data-recital-index="43"> <span>In order to ensure that consent is freely given...</span> </a> </li> <li> <span class="index">44</span> <a href="#recital-44" class="recital-link" data-recital-content="Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract." 
data-recital-index="44"> <span>Processing should be lawful where it is necessa...</span> </a> </li> <li> <span class="index">45</span> <a href="#recital-45" class="recital-link" data-recital-content="Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association." 
data-recital-index="45"> <span>Where processing is carried out in accordance w...</span> </a> </li> <li> <span class="index">46</span> <a href="#recital-46" class="recital-link" data-recital-content="The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters." data-recital-index="46"> <span>The processing of personal data should also be ...</span> </a> </li> <li> <span class="index">47</span> <a href="#recital-47" class="recital-link" data-recital-content="The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. 
At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." data-recital-index="47"> <span>The legitimate interests of a controller, inclu...</span> </a> </li> <li> <span class="index">48</span> <a href="#recital-48" class="recital-link" data-recital-content="Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected." 
data-recital-index="48"> <span>Controllers that are part of a group of underta...</span> </a> </li> <li> <span class="index">49</span> <a href="#recital-49" class="recital-link" data-recital-content="The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems." data-recital-index="49"> <span>The processing of personal data to the extent s...</span> </a> </li> <li> <span class="index">50</span> <a href="#recital-50" class="recital-link" data-recital-content="The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. 
If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations." data-recital-index="50"> <span>The processing of personal data for purposes ot...</span> </a> </li> <li> <span class="index">171</span> <a href="#recital-171" class="recital-link" data-recital-content="Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. 
Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed." data-recital-index="171"> <span>Directive 95/46/EC should be repealed by this R...</span> </a> </li> </ul> </div> </div> <div class="recital-content-container d-none d-xl-block"> <div class="inner"> <h2></h2> <p></p> <div class="recital-close"> <span class="cross">X</span> <span>Close this recital</span> </div> </div> </div> </div> </div> </div> <script type="text/javascript"> var $recitalContentContainer = $('.recital-content-container'); var $menuButton = $('.menu__btn'); var $menuContainer = $('.mainMenu'); $(document).ready(function () { $('.recital-link').click(function () { var recitalIndex = $(this).data('recital-index'); var recitalContent = $(this).data('recital-content'); $recitalContentContainer.find('h2').text('# ' + recitalIndex); $recitalContentContainer.find('p').text(recitalContent); $recitalContentContainer.toggleClass('open'); }); $('.recital-close').click(function () { $recitalContentContainer.removeClass('open'); }); $menuButton.click(function(){ $menuContainer.toggleClass('open'); }); $('.mainMenu__chapter_link').click(function(){ $(this).find('i').toggleClass('fa-chevron-up').toggleClass('fa-chevron-down'); $(this).next().slideToggle('fast'); }); if ($('.mainMenu__chapter.open').length) { var offset = $('.mainMenu__chapter.open').offset()['top']; $('.mainMenu').scrollTop(offset - 129); } }); </script> </body> </html>