Article 7
Criteria for making data processing legitimate
Personal data may be processed only if the data subject has unambiguously given
his consent or if processing is necessary:
a) for the performance of a contract to which the data subject is party or in order to
take steps at the request of the data subject;
b) for compliance with a legal obligation to which the controller is subject;
c) protection of vital interests of the data subject if the latter is physically or legally
incapable of giving his consent;
d) for the performance of a task carried out in the public interest or in the exercise
of official authority vested in the controller or in a third party to whom the data
are disclosed;
e) for pursuing the legitimate interests of the controller or the third party to whom
the data are disclosed, except where such interests should be overridden by the
interests or the fundamental rights, freedoms and guarantees of the data subject.
Article 8
The processing of sensitive data
1. The processing of personal data revealing philosophical, ideological or political
beliefs or penalty, religion, political party or trade union affiliation, racial or
ethnic origin, privacy, health and sex life, including genetic data shall be
prohibited, except:
a) if the data subject expressed consent with the guarantee of non-discrimination
and with adequate measure of assurance;
b) with foreseen legal authorisation with the guarantee of non-discrimination and
with the adequate measure of assurance;
c) when the purpose of data processing are purely statistical, not individually
identifiable with the adequate measure of assurance.
2. In granting authorisation foreseen in 1 b) the law must take into consideration
particularly the indispensability of processing personal data referred to in 1 for
performing legal attributions or statutory authorities for reasons of important
public interest.
3. The processing of data referred to in 1 is also permitted when one of the
following conditions applies:
a) when it is necessary to protect the vital interests of the data subject or of
another person where the data subject is physically or legally incapable of
giving his consent;
b) when it is carried out with the data subject’s consent in the course of its
legitimate activities by a foundation, association or non-profit seeking body
with a political, philosophical, religious or trade union aim and on condition
that the processing relates solely to the members of the body or to persons
who have regular contact with it in connection with its purposes and that the
data are not disclosed to a third party without the consent of the data
subjects;