Where a controller uses a user’s email address to send an unsolicited communication in accordance with Article 13(2) of Directive 2002/58, read with Article 95 of Regulation 2016/679, the conditions for lawful processing in Article 6(1) of Regulation 2016/679 do not apply.

Article 6(1)(c) and (e) of Regulation 2016/679, read in conjunction with Article 86 of that regulation, does not preclude national case-law requiring a controller that is a public authority, and that is responsible for reconciling public access to official documents with the right to personal-data protection, to inform and consult the natural person concerned before disclosing official documents containing such data. Such a requirement is permissible only if it is not impossible to implement, does not require disproportionate effort, and therefore does not result in a disproportionate restriction on public access to those documents.

Processing customers' title data by a transport undertaking in order to personalise commercial communications based on gender identity does not appear to be objectively indispensable or essential to the proper performance of a contract and therefore cannot be regarded as necessary for performing that contract. The same processing cannot be regarded as necessary for the legitimate interests pursued by the controller or by a third party where those customers were not informed of the legitimate interest pursued when the data were collected. The same processing cannot be so regarded where it is not carried out only in so far as is strictly necessary to attain that legitimate interest. The same processing cannot be so regarded where, in the light of all the relevant circumstances, those customers' fundamental freedoms and rights prevail over that legitimate interest, in particular because of a risk of discrimination on grounds of gender identity.

When assessing whether processing is necessary under point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679, it is not necessary to take into account the possible existence of the data subject's right to object under Article 21 of that regulation.

Under Article 88(1) and (2) of Regulation 2016/679, a national-law provision on the processing of personal data for the purposes of employment relationships that was adopted pursuant to Article 88(1) must require its addressees to comply not only with Article 88(2), but also with Article 5, Article 6(1), and Article 9(1) and (2).

Where a collective agreement falls within Article 88(1) of Regulation 2016/679, the parties' discretion to decide whether processing is 'necessary' under Articles 5, 6(1) and 9(1) and (2) does not prevent the national court from carrying out a full judicial review of that question.

Disclosing sports federation members' personal data for payment to serve the controller's commercial interest can count as processing necessary for the controller's legitimate interests under Article 6(1)(f) only if the disclosure is strictly necessary for that interest and, in light of all the relevant circumstances, the members' interests or fundamental rights and freedoms do not override it. Article 6(1)(f) does not require that the legitimate interest be laid down by law, but it does require the claimed interest to be lawful.

Disclosing, at the request of a partner in a partnership-form investment fund offering shares for public subscription, information on all partners with indirect shareholdings through trust companies - regardless of the size of their holdings - so they can be contacted to negotiate the purchase of their shares or coordinate on partners' resolutions, is necessary for performance of the contract under Article 6(1), first subparagraph, point (b), only if the disclosure is objectively indispensable for a purpose integral to the contractual obligation owed to those partners, so that the contract's main subject matter could not be achieved without it. That is not the case if the contract expressly prohibits disclosing those personal data to other shareholders.

Disclosing that information may be treated as necessary for the legitimate interests of a third party under Article 6(1), first subparagraph, point (f), only if the disclosure is strictly necessary to achieve that interest and, in light of all the relevant circumstances, the partners' interests or fundamental rights and freedoms do not override it.

Processing of personal data is justified where it is necessary to comply with a legal obligation under the law of the Member State concerned, even if that obligation is defined by that Member State's case-law - provided that the case-law is clear and precise, its application is foreseeable for those subject to it, and it pursues and is proportionate to an objective of public interest.

The GDPR, in particular Article 6(1)(e) and Article 10, precludes orally disclosing data on a natural person's criminal convictions contained in a court's filing system to any person for the purpose of public access to official documents, where the requester need not show a specific interest in obtaining those data. It is irrelevant whether the requester is a commercial company or a private individual.

Processing health data under Article 9(2)(h) is lawful only if it meets the requirements of that provision and also satisfies at least one condition in Article 6(1).

A private credit information agency may not keep, in its own database, information taken from a public register about a natural person's discharge from remaining debts for longer than that information remains in the public register, even if it does so to provide information on that person's solvency.

Article 61(1) of Regulation 2018/858, read with Article 61(4) and point 6.1 of Annex X to that regulation, imposes a 'legal obligation' under Article 6(1)(c) of Regulation 2016/679 on car manufacturers to make the VINs of the vehicles they manufacture available to independent operators acting as 'controllers' within Article 4(7) of Regulation 2016/679.

Collecting users' data from the operator's other group services or from third-party websites or apps, linking those data to the users' social-network accounts, and using those data counts as necessary for performing the contract under point (b) of the first subparagraph of Article 6(1) of Regulation 2016/679 only if that processing is objectively indispensable for a purpose integral to the contractual obligation to those users, so that the contract's main subject matter cannot be achieved without it.

Collecting users' data from the operator's other group services or from third-party websites or apps, linking those data to the users' social-network accounts, and using those data counts as necessary for legitimate interests under point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 only if: the operator informed the users of the legitimate interest pursued; the processing is carried out only in so far as is strictly necessary for that interest; and a balancing of all relevant circumstances shows that the users' interests or fundamental freedoms and rights do not override that interest.

Collecting users' data from the operator's other group services or from third-party websites or apps, linking those data to the users' social-network accounts, and using those data is justified under point (c) of the first subparagraph of Article 6(1) of Regulation 2016/679 where it is actually necessary to comply with a legal obligation imposed on the controller by EU law or the law of the Member State concerned, provided that the legal basis serves an objective of public interest, is proportionate to the legitimate aim pursued, and the processing is carried out only in so far as is strictly necessary.

Collecting users' data from the operator's other group services or from third-party websites or apps, linking those data to the users' social-network accounts, and using those data cannot, in principle and subject to verification by the referring court, be regarded as necessary either to protect the vital interests of the data subject or another natural person under point (d) of the first subparagraph of Article 6(1) of Regulation 2016/679, or for a task carried out in the public interest or in the exercise of official authority vested in the controller under point (e).

A dominant position in the market for online social networks does not by itself prevent users from validly consenting, within the meaning of Article 4(11) of Regulation 2016/679, under point (a) of the first subparagraph of Article 6(1) and Article 9(2)(a) of that regulation, to the operator's processing of their personal data. But dominance is an important factor in deciding whether that consent was in fact valid, in particular freely given, and the operator must prove that it was.

A controller's failure to comply with Articles 26 or 30 of Regulation 2016/679 does not by itself make the processing unlawful or give the data subject a right to erasure under Article 17(1)(d) or restriction under Article 18(1)(b). That remains so provided that the failure does not, as such, amount to an infringement of the principle of accountability in Article 5(2), read with Article 5(1)(a) and the first subparagraph of Article 6(1).

National provisions adopted to protect employees' rights and freedoms in employment-related personal-data processing must be disregarded if they do not comply with Article 88(1) and (2). They may still be applied if they constitute a legal basis referred to in Article 6(3) and comply with the GDPR's requirements.

Article 6(3) and (4) applies when, in civil proceedings, a staff register containing third-party personal data that was collected principally for tax inspections is produced as evidence.

Where an action for damages against the State is based on alleged misconduct by the public prosecutor's office in carrying out its criminal-law tasks, that office's processing of personal data may be lawful if it is necessary for a task carried out in the public interest, within the meaning of point (e) of the first subparagraph of Article 6(1) of Regulation 2016/679, for the purpose of defending the State's legal and financial interests in those proceedings - provided that the processing complies with all applicable requirements of that regulation.

The purpose-limitation principle does not prevent a controller from recording and storing, in a database created for testing and error correction, personal data previously collected and stored in another database, where that further processing is compatible with the specific purposes for which the data were initially collected. That compatibility must be determined in the light of the criteria in Article 6(4).

Article 6(1)(e) and Article 58 do not prevent the competent authorities of a Member State from adopting a generally applicable administrative measure that limits, or where appropriate prohibits, video recording during vote counting at polling stations in elections in that Member State.

Article 7(c) of Directive 95/46 and point (c) of the first subparagraph of Article 6(1) and Article 6(3) of Regulation 2016/679, read in the light of Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union, preclude national legislation requiring the online publication of the private interests declaration lodged by any head of an establishment receiving public funds, in so far as that publication concerns name-specific data relating to the declarant's spouse, cohabitee or partner, or to persons who are close relatives of the declarant, or persons known by him or her, liable to give rise to a conflict of interests. They also preclude such publication in so far as it concerns any transaction concluded during the last 12 calendar months whose value exceeds EUR 3000.

Regulation (EU) 2016/679, in particular Article 5(1), Article 6(1)(e) and Article 10, precludes national legislation that requires the public body responsible for the register of penalty points imposed on drivers of vehicles for road traffic offences to make those data accessible to the public, where the person requesting access does not have to establish a specific interest in obtaining them.

Regulation (EU) 2016/679, in particular Article 5(1), Article 6(1)(e) and Article 10, precludes national legislation that authorises the public body responsible for the register of penalty points imposed on drivers of vehicles for road traffic offences to disclose those data to economic operators for re-use.

It is for the data controller to show that the data subject gave consent to the processing of personal data by active behaviour and that, beforehand, the data subject received information about all the circumstances of that processing in an intelligible and easily accessible form, using clear and plain language, so that the consequences of consent could be easily understood and the consent was given with full knowledge of the facts. A telecommunications contract clause stating that the data subject was informed of, and consented to, the collection and storage of a copy of the identity document for identification purposes does not prove valid consent where the box for that clause was ticked by the controller before signature, or where the contract terms are capable of misleading the data subject into thinking the contract cannot be concluded without that consent, or where the controller unduly affects the freedom to refuse by requiring the data subject to fill out an additional form recording that refusal.

Consent to the storage of information, or access to information already stored, on a website user's device by cookies is not valid if it is given through a pre-checked box that the user must deselect to refuse consent.

The rules on consent to cookies do not differ according to whether the information stored or accessed on a website user's device is personal data.