When does an organization process your personal data to comply with a legal obligation, and when is it to fulfill a task in the public interest? This was a conversation I had twice in two weeks with two colleagues. After the second time, I promised myself I would look into this issue in more depth and write something about it; here it is!

The question may sound abstract, but it is very important for our work. The General Data Protection Regulation (GDPR) tells us that you must be able to invoke a valid justification for every instance of personal data processing: the legal basis.[1] The GDPR provides an exhaustive list of six grounds[2], two of which are central here: the sub c basis ("legal obligation") and the sub e basis ("public interest/public authority"). Many of our clients are active in the public sector and often perform tasks in the public interest. But is that enough to validly invoke that basis? And when should you invoke the sub c basis instead? In this blog, you can read the answers to these questions.
The relevant text from the GDPR reads as follows:
Article 6 – Lawfulness of processing
(…)
c) processing is necessary to comply with a legal obligation to which the controller is subject;
(…)
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(…)
At first glance, the text of the law does not provide much clarity; after all, aren't most legal obligations in the public interest?
Further reading also reveals more similarities than differences: further on in Article 6 of the GDPR, it states that processing based on both the sub c basis and the sub e basis must be established by EU or national law that must meet an objective of general interest.[3] The boundary between the two bases has not yet become much clearer – time for further investigation!
The organization (in GDPR terms: "the controller") may invoke the sub c basis if the processing of personal data is necessary to comply with a specific legal obligation.[4] In other words, the controller does not choose to process the data, but is required to do so.
However, in order to invoke the basis under sub c, it is not necessary for the law to explicitly impose an obligation to process certain personal data. The threshold is lower: the legal obligation must be such that it is not reasonably possible for the controller to comply with the legal obligation without processing personal data.[5]
A side note: the GDPR does not require specific legislation for each individual processing operation. A single article of law can therefore serve as the basis for multiple processing operations.[6]
An example of processing on this basis is the identification check that takes place when applying for a new identity card. The Passport Decree is very clear on this point: "In order to obtain the necessary certainty about Dutch citizenship, use is made of the Dutch travel document submitted by the applicant, the information provided by the applicant in the application, as well as the information contained in the municipal personal records database or the basic register of travel documents and other documents available to the authority competent to issue the document."[7]
The law clearly requires that this personal data be processed, and the basis for this processing can therefore be found in the sub c basis.
It is not only government institutions that can invoke the sub c basis. For example, every employer must report the salary of its employees to the Tax and Customs Administration, and this is also a sub c processing operation.
An important aspect to highlight here is that individuals have little scope to refuse sub c processing. Because the processing is required by law, the GDPR does not give you, as the data subject, the right to object (as described in Article 21 of the GDPR). Below, you can read how this differs under the sub e basis.
The sub e basis applies if an organization processes personal data not because it is required to do so by a specific law, but because the processing is part of its public task or authority. As mentioned earlier, processing based on both the sub c basis and the sub e basis must be established by EU or national law. Sub e therefore requires a legal rule that assigns the controller a task in the public interest or a certain degree of public authority.[8]
If neither of these is the case and the controller is a public authority, it cannot rely on the 'legitimate interest' basis in the context of the performance of its public tasks.[9] After all, it is up to the legislator to determine when which public authority may process which personal data for what purpose.[10]
Private legal entities may also invoke the sub e basis in certain cases,[11] as long as they can identify the section of the law in which they are assigned their task of general interest or public authority. Think, for example, of a company such as TenneT. This is a private limited company, but at the same time it has been designated as a network operator on the basis of the Electricity Act 1998 (and has therefore been assigned public authority).
An example of processing on this basis is a municipality that uses camera surveillance in a public place. The Municipalities Act does not require camera surveillance, but only states that the mayor may be given the authority to install cameras: "The council may, by ordinance, grant the mayor the authority to decide, if necessary in the interests of maintaining public order, to use cameras for a certain period of time for the purpose of surveillance in a public place (...)."[12]
If the municipal council actually grants this authority in the APV (Algemene Plaatselijke Verordening, the general municipal ordinance) and the mayor subsequently decides to exercise this authority, the subsequent processing will take place under the sub e basis.
Where processing takes place under the sub e basis, data subjects have the right to object under Article 21 of the GDPR. This means that they have the right to object to the processing in question if they believe that it adversely affects their specific situation. This right is not absolute; the controller does not have to cease processing if it can demonstrate that there are overriding interests.[13] Please note: the data subject must be informed of the existence of this right during the first contact with the controller.[14]
As you have read, the distinction between the sub c and sub e bases mainly comes down to the wording of the law. If the processing of personal data is (reasonably) necessary to comply with a specific legal obligation ("Authority X is obliged to perform task Y"), then this processing is sub c processing. However, if the legal rule imposes a task of general interest or public authority on the controller ("Authority X is responsible for task Y"), then you are dealing with sub e.
Footnotes:
1 Art. 5(1) in conjunction with 5(2) and 6(1) GDPR.
2 Art. 6(1)(a)-(f) GDPR.
3 Art. 6(3) GDPR.
4 The Autoriteit Persoonsgegevens defines 'legal obligation' as 'any obligation to process personal data imposed by a generally binding regulation'. Letter dated August 30, 2017, ref. z2017-05375, p. 2.
5 Parliamentary Papers II 2017/18, 34851, no. 3, p. 35.
6 Recital 45 GDPR.
7 Art. 2.16(1) Passport Decree.
8 This legal rule does not always have to derive from a law in the formal sense, but may also derive from other forms of law, including established case law. CJEU 12 September 2024, joined cases C-17/22 and C-18/22 (HTB Neunte Immobilien Portfolio), paragraphs 68-73.
9 Art. 6(1) GDPR, last sentence.
10 Recitals 45 and 47 GDPR.
11 Recital 45 GDPR.
12 Art. 151c(1) Municipalities Act.
13 Art. 21(1) GDPR.
14 Art. 21(4) GDPR.
