Art. 5 of the new General Data Protection Regulation can be considered as the heart of the system. Indeed, it contains the principles that must be followed in data processing. This article is not only for insiders, so it should be read with great attention in order to properly interpret and apply the Regulation. The first principle stated is lawfulness. The Regulation provides that data processing is lawful in the following cases, outlined in art. 6:


The data subject has given consent to the processing of his or her personal data for one or more specific purposes. This is the most frequent case; however, attention must be paid to the relation between consent and purpose of the processing. If data are processed beyond the agreed purposes, the processing is not lawful.


processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” (in this case the contract makes the processing lawful);


processing is necessary for compliance with a legal obligation to which the controller is subject”. This covers cases where the law clearly requires the processing, such as the submission of data to the INPS (National Institute for Social Security);


processing is necessary in order to protect the vital interests of the data subject or of another natural person”. This covers cases where the protection of vital interests outweighs the necessity for consent - see the judgment no. 11994 of the Court of Cassation of 16 May 2017 (Civil Division);


processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. This is mainly about data processing for public administration matters, which are regulated by law;


processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. This is certainly the most complex principle. In this regard, the regulation states the following in recital 47: “Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller”.

Then the Regulation draws attention to the need to assess the legitimate expectation of the data subject: “At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”. However, recital 47 also states that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.

For more in-depth information, see “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC”, issued by the Article 29 Working Party.