Collecting & processing personal data: what is legal?
Under the Data Protection Directive, collecting and processing the personal data of individuals is only legitimate in one of the following circumstances laid down by Article 7 of the Directive:
- Where the individual concerned, (the 'data subject'), has unambiguously given his or her consent, after being adequately informed; or
- if data processing is needed for a contract, for example, for billing, a job application or a loan request; or
- if processing is required by a legal obligation; or
- if processing is necessary in order to protect the vital interest of the data subject, for example, processing of medical data of a victim of a car accident; or
- if processing is necessary to perform tasks of public interests or tasks carried out by government, tax authorities, the police or other public bodies; or
- if the data controller or a third party has a legitimate interest in doing so, as long as this interest does not affect the interests of the data subject, or infringe on his or her fundamental rights, in particular the right to privacy. This provision establishes the need to strike a reasonable balance between the data controllers' business interests and the privacy of data subjects.
It shall be noted that Article 8 prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life unless one of the exception criteria is met.