The principle of ‘lawfulness’ of data processing with this explicit label assigned to it in Article 5(1)(a) of the General Data Protection Regulation (‘GDPR’)1 seems to be one of the least disputed principles in the EU data protection framework.2 It sounds almost like a truism to say that once the processing relies on at least one of six grounds for data processing exhaustively enumerated in Article 6(1) GDPR – titled ‘Lawfulness of Processing’ – such processing shall be regarded lawful. According to Article 8(1) of the Law Enforcement Directive (‘LED’),3 in turn, ‘Member States shall provide for processing to be lawful only if and to the extent that processing is necessary for the performance of a task carried out by a competent authority for the [law enforcement] purposes (…) and that it is based on Union or Member State law.’4
Key Words: Legitimacy | lawfulness | Grounds for Data Processing | Charter of Fundamental Rights (CFR) | Secondary Law
Magdalena Brewczyńska is a PhD researcher at Tilburg Institute for Law, Technology, and Society (TILT) at Tilburg University. For Correspondence: <m.m.brewczynska@tilburguniversity.edu>.