• 1. This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

• 2. This Directive shall not apply to the processing of personal data:
  • - in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,
  • - by a natural person in the course of a purely personal or household activity.

• 1. This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

• 2. This Regulation does not apply to the processing of personal data:
  • (a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;
  • (b) by the Union institutions, bodies, offices and agencies;
  • (c) by the Member States when carrying out activities which fall within the scope of Chapter 2 of the Treaty on European Union;
  • (d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity;
  • (e) by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

• 1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:
  • (a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;
  • (b) the controller is not established on the Member State's territory, but in a place where its national law applies by virtue of international public law;
  • (c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

• 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

• 2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:
  • (a) the offering of goods or services to such data subjects in the Union; or
  • (b) the monitoring of their behaviour.

• 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

• (a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
• (b) 'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

• 1. 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

• 2. 'personal data' means any information relating to a data subject;

• (h) 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

...

Article 7 (Criteria for making data processing legitimate)

• Member States shall provide that personal data may be processed only if:
  • (a) the data subject has unambiguously given his consent; or

• 8. 'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.

...

Article 6 - Lawfulness of processing

• 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
  • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;

...

Article 7 - Conditions for consent

• 1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes.

• 2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

• 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

• 4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.

• 8. ‘the data subject's consent’ means any freely given indication that must be specific, informed and as explicit as possible according to the context, of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, explicitly whenever the data referred to in Article 9(1) are to be processed, signifies agreement to personal data relating to them being processed;

• (8) ‘the data subject's consent’ means any freely given specific, informed and explicit unambiguous indication of his or her wishes by which the data subject , either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. Silence or inactivity does not in itself indicate consent ;

• 4.(a) Consent looses its effectiveness as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were collected.

...

Article 7 - Conditions for consent

• 4.(b) The execution of a contract or the provision of a service may not be made conditional on the consent to the processing or use of data that is not necessary for the execution of the contract or the provision of the service pursuant to Article 6(1)(b).

• 3.(b) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort

...

Article 6 - Lawfulness of processing

• 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
  • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • ...
  • (fe) only pseudonymous data is processed.

• (2a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution;

...

Article 6 - Lawfulness of processing

• 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
  • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • ...
  • (fa) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Article 19 (3a).

• (3a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution;

• 2.(a) 'pseudonym' means a unique identifier which is specific to one given context and which does not permit the direct identification of a natural person, but allows the singling out of a data subject;

...

Article 7 - Conditions for consent

• 2.(a) If the data subject's consent is to be given in the context of the use of information society services where personal data are processed only in the form of pseudonyms, consent may be given by automated means using a technical standard with general validity in the Union in accordance with paragraph 4c, which allows the data subject to clearly express his or her wishes without collecting identification data.

...

• 4.(c) The Commission shall be empowered to adopt, after requesting an opinion from the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the requirements and conditions for technical standards referred to in paragraph 2a, and for declaring that a technical standard is in line with this Regulation and has general validity within the Union.

• Member States shall provide that personal data may be processed only if:
  • (a) the data subject has unambiguously given his consent; or
  • ...
  • (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

• 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
  • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • ...
  • (f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

• 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
  • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • ...
  • (f) processing is necessary for the purposes of the legitimate interests pursued by a controller or controllers or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

• 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
  • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • ...
  • (f) processing is necessary for the purposes of the legitimate interests pursued by, or on behalf of a controller or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This The interest or fundamental rights and freedoms of the data subject shall not apply to over-ride processing carried out by public authorities in the performance of their tasks or enterprises in the exercise of their legal obligations, and in order to safeguard against fraudulent behaviour.

• 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
  • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • ...
  • (f) processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party or third parties to whom the data are communicated, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

• 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
  • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • ...
  • (f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

• 1. (a) If none of the legal grounds for the processing of personal data referred to in paragraph 1 apply, processing of personal data shall be lawful if and to the extent that it is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. The data controller shall in that case inform the data subject about the data processing explicitly and separately. The controller shall also publish the reasons for believing that itsinterests override the interests or fundamental rights and freedoms of the data subject. This paragraph shall not apply to processing carried out by public authorities in the performance of their tasks.

• 1. (b) The legitimate interests of the controller as referred to in paragraph 1a override the interests or fundamental rights and freedoms of the data subject, as a rule, if:
  • (a) processing of personal data takes place as part of the exercise of the right to freedom of expression, the media and the arts, within the limits of Union or national law;
  • (b) processing of personal data is necessary for the enforcement of the legal claims of the data controller or of third parties on behalf of whom the data controller is acting in relation to a specific identified data subject, or for preventing or limiting damage by the data subject to the controller;
  • (c) the data subject has provided personal data to the data controller on the legal ground referred to in point (b) of paragraph 1, and the personal data are used for direct marketing for its own and similar products and services and are not transferred, and the data controller is clearly identified to the data subject;
  • (d) processing of personal data takes place in the context of professional business-to-business relationships and the data were collected from the data subject for that purpose;
  • (e) processing of personal data is necessary for registered non-profit associations, foundations and charities, recognised as acting in the public interest under Union or national law, for the sole purpose of collecting donations.

• 1. (c) The interests or fundamental rights and freedoms of the data subject as referred to in paragraph 1a override the legitimate interest of the controller, as a rule, if:
  • (a) the processing causes a serious risk of damage to the data subject;
  • (b) special categories of data as referred to in paragraph 1 of article 9, location data, or biometric data are processed;
  • (c) the data subject can reasonably expect, on the basis of the context of the processing, that his or her personal data will only be processed for a specific purpose or treated confidentially, unless the data subject concerned has been informed specifically and separately about the use of his or her personal data for purposes other than the performance of the service;
  • (d) personal data are processed in the context of profiling;
  • (e) personal data is made accessible for a large number of persons or large amounts of personal data about the data subject are processed or combined with other data;
  • (f) the processing of personal data may adversely affect the data subject, in particular because it can lead to defamation or discrimination; or
  • (g) the data subject is a child.