When does a (semi)governmental organization process your personal data to comply with a legal obligation, and when is it to fulfill a task in the public interest? This was a conversation I had twice in two weeks with two colleagues. After the second time, I promised myself to look into this issue in more depth and write something about it: here it is!
The question may sound abstract, but it is important for those whose data is being processed. Depending on the basis—as you will read later—they may or may not have certain rights.
The General Data Protection Regulation (GDPR) tells us that for every instance of personal data processing, you must be able to invoke a valid justification: the basis.[1] The GDPR lists six exhaustive grounds[2], two of which are central here: the sub c ground ('compliance with a legal obligation') and the sub e ground ('task carried out in the public interest/exercise of official authority vested in the controller').
Many of our clients are active in the public sector and often perform tasks in the public interest. But is that enough to validly invoke that basis? And when should you invoke the basis under c instead? You can read the answers to these questions in this blog.
The relevant text from the GDPR reads as follows:
Article 6 – Lawfulness of processing
Processing is lawful only if and to the extent that at least one of the following conditions is met:
(…)
c) processing is necessary to comply with a legal obligation to which the controller is subject;
(…)
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(…)
At first glance, the text of the law does not provide much clarity; after all, aren't most legal obligations in the public interest?
Further reading also reveals more similarities than differences: further on in Article 6 of the GDPR, it states that processing based on both the sub c basis and the sub e basis must be established by EU or national law that must meet an objective of general interest.[3] And for both bases, it is not mandatory that specific legislation is required for each individual processing operation, and a single article of law can therefore serve as the basis for multiple processing operations.[4] The boundary between the two bases has not yet become much clearer – time for further investigation!
Subparagraph (e) applies if it is necessary for the organization (in GDPR terms: "the controller") to process personal data in the context of its public task or authority.
You have just read that subparagraphs (c) and (e) must be established by EU or national law. Sub e therefore requires a legal rule that assigns a task in the public interest to a controller or grants it a certain degree of public authority. This legal rule does not necessarily have to derive from a law in the formal sense, but may also derive from other forms of law, including established case law.[5]
If the controller is a public body and cannot rely on the fact that the processing is necessary in the context of its task carried out in the public interest or in the exercise of its official authority, it cannot rely on the basis of "legitimate interest" in the context of the exercise of its public tasks.[6] After all, it is up to the legislator to create the legal basis for the processing of personal data by public authorities and to determine the purpose of the processing.[7]
Please note: although the (semi-)public organization may be obliged to perform its task in the public interest or exercise its public authority, this does not mean that there is a "legal obligation" within the meaning of the sub c ground. More on this later!
Examples of sub e processing include the processing for statistical purposes carried out by Statistics Netherlands (CBS) within the framework of the Statistics Netherlands Act (Wet CBS). All these processing operations are carried out in the context of the CBS's task of general interest, namely "conducting statistical research on behalf of the government for the benefit of practice, policy, and science, and publishing the statistics compiled on the basis of such research."[8]
Private legal entities may also invoke the sub e basis in certain cases.[9] as long as they can identify the section of the law that assigns them their task of general interest or public authority. An example of this is Nidos, the foundation responsible for the (family) guardianship, reception, and guidance of young refugees residing in the Netherlands without their parents.[10]
NB: in the case of processing on the basis of the sub e-grounds, data subjects have the right to object under Article 21 of the GDPR. This means that they can do so if they believe that it negatively affects their specific situation. This right is not absolute; the right to object to the processing in question does not require the controller to cease processing if it can demonstrate that there are compelling legitimate grounds for the processing.[11] Please note: the data subject must be informed of the existence of this right during the first contact with the controller when their personal data is collected in the context of the task carried out in the public interest.[12]
Unlike the sub-basis, the controller can only invoke this basis if the processing of personal data is necessary to comply with a specific legalobligation.[13] In other words, the controller does not choose to process certain personal data, butmustdo so on the basis of a specific legal rule.
However, according to Dutch law, invoking the sub c basis does not require the law to explicitly impose an obligation to process certain personal data. The threshold is lower: the legal obligation must be such that it is not reasonably possible for the controller to comply with the legal obligation without processing personal data.[14]
Unlike sub e processing, individuals have little scope to refuse sub c processing. Because the processing is required by law, the GDPR does not give you, as a data subject, the right to object (as described in Article 21 GDPR).
An example of processing on this basis is the provision of personal data in the context of the disclosure of government information under the Open Government Act (Woo) and its legal predecessor, the Government Information (Public Access) Act (Wob), according to the national legislator. The latter reasoned in the Explanatory Memorandum to the Woo Amendment Act:
“If respect for privacy does not prevent the provision of information, such provision constitutes processing of personal data that is permitted under Article 6(1)(c) of the GDPR. This processing is necessary in order to comply with the Woo and the obligations for the administrative body arising therefrom.”[15]
It is striking that you can apparently also reason in the opposite direction. Last year, the Court of Justice of the European Union ruled on the Czech equivalent of the Woo that processing in that context could take place on both the c basis and the e basis. Sub e was a possibility because the sharing of personal data took place in the context of a task in the public interest – access to government information – sub c was a possibility because the lawrequiredgovernment agencies to share certain information upon request.[16] Apparently, there are therefore processing operations that can be based on both sub c and sub e; it is therefore important that you clearly justify your choice of a particular basis.
In summary:
Finally, the distinction between the basis under sub c and the basis under sub e is not just something for lecture halls, blogs, and LinkedIn discussions. The chosen basis has a direct impact on the legal position of the data subject: in the case of sub e processing, the data subject has the right to object under Article 21 of the GDPR, whereas in the case of sub c processing, they do not. That is precisely why this distinction deserves careful consideration.
[1]Art. 5(1)(a) in conjunction with 5(2) in conjunction with 6(1) preamble GDPR.
[2]Art. 6(1)(a)-(f) GDPR.
[3]Art. 6(3) GDPR.
[4]Recital 45 GDPR.
[5] CJEU 12 September 2024, joined cases C-17/22 and C-18/22, ECLI:EU:C:2024:738, paras. 68-73.
[6]Art. 6(1) GDPR, last sentence.
[7]Recitals 45 and 47 GDPR.
[8]Art. 3(1) CBS Act. Art. 37(1) CBS Act states that the data received by the Director-General in the context of the performance of the tasks for the implementation of this Act shall be used exclusively for statistical purposes.
[9]Recital 45 GDPR.
[10]Art. 1:256(1) in conjunction with 1:302(2) BW in conjunction with Art. 1 Decree on the Acceptance of Legal Persons Civil Code Book 1.
[11]Art. 21(1) GDPR.
[12]Art. 21(4) GDPR.
[13]The Autoriteit Persoonsgegevens 'legal obligation' as 'any obligation to process personal data imposed by a generally binding regulation'. Letter of August 30, 2017, reference z2017-05375, p. 2.
[14]Parliamentary Papers II2017/18, 34851, no. 3, p. 35.
[15]Parliamentary Papers II2018/19, 35112, no. 3 REPRINT, p. 21. However, this reasoning does not apply in full since the CJEU judgmentin Digi(CJEU October 20, 2022, C-77/21, ECLI:EU:C:2022:805 (Digi)), in which the Court ruled that any processing that follows the initial processing – the initial collection – of the personal data in question constitutes 'further processing' of that data (Digi, para. 31). Further processing must be assessed in accordance with Article 5(1)(b) in conjunction with Article 6(1)(a) and Article 6(4) of the GDPR (seeDigi, paragraphs 32-37).
[16]CJEU 3 April 2025, C-710/23, ECLI:EU:C:2025:231, para. 42.
