Exercise of Official/ Public Authority
If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, it is lawful. A public authority can be a controller, processor, recipient, third party or the (affected) supervisory authority. The acting entity, however, remains undefined.
The processing of personal data in the public interest includes, among other things, tasks that correspond to an objective in the general interest recognized by the Union. For example, if such processing improves road safety.
Under this legal basis, only those controllers who have been entrusted with such a task in accordance with Art. 6 Para. 1 lit. e GDPR and not third-party recipients of the data are considered to be norm addressees.
Public authorities are exempt from certain provisions or have exemptions. For example, they may not rely on “processing for the purposes of the legitimate interests pursued” (Art. 6 Para. 1 lit. f GDPR). On the other hand, the right to erasure does not apply to their processing activities if the processing is necessary for the performance of a task carried out in the exercise of official authority.
The determination of necessity is challenging here, as it must be determined which data the addressed body requires as a basis for information in order to fulfill the task.
The legal basis for processing for the performance of a task carried out in the exercise of official authority is determined by Union law or Member State law (of the controller). Separate regulations apply to them as part of the data protection impact assessment (Art. 35 Para. 10).
Related Comments
#6
Based On
Art. 6 Abs. 1 lit. e
Art. 6 Abs. 3
Comm. Art. 6 Para. 1 SubPara. 1 Rn. 53-62
Comm. Art. 6 Para. 1 SubPara. 1 Rn. 65
References
Data Protection Impact Assessment
Art. 6 Para. 1 lit. f
Art. 6 Para. 1 lit. e
Art. 35 Para. 10
Exercise of Official/ Public Authority
If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, it is lawful. A public authority can be a controller, processor, recipient, third party or the (affected) supervisory authority. The acting entity, however, remains undefined.
The processing of personal data in the public interest includes, among other things, tasks that correspond to an objective in the general interest recognized by the Union. For example, if such processing improves road safety.
Under this legal basis, only those controllers who have been entrusted with such a task in accordance with Art. 6 Para. 1 lit. e GDPR and not third-party recipients of the data are considered to be norm addressees.
Public authorities are exempt from certain provisions or have exemptions. For example, they may not rely on “processing for the purposes of the legitimate interests pursued” (Art. 6 Para. 1 lit. f GDPR). On the other hand, the right to erasure does not apply to their processing activities if the processing is necessary for the performance of a task carried out in the exercise of official authority.
The determination of necessity is challenging here, as it must be determined which data the addressed body requires as a basis for information in order to fulfill the task.
The legal basis for processing for the performance of a task carried out in the exercise of official authority is determined by Union law or Member State law (of the controller). Separate regulations apply to them as part of the data protection impact assessment (Art. 35 Para. 10).
Related Comments
#6
Based On
Art. 6 Abs. 1 lit. e
Art. 6 Abs. 3
Comm. Art. 6 Para. 1 SubPara. 1 Rn. 53-62
Comm. Art. 6 Para. 1 SubPara. 1 Rn. 65
References
Data Protection Impact Assessment
Art. 6 Para. 1 lit. f
Art. 6 Para. 1 lit. e
Art. 35 Para. 10