Legitimacy and lawfulness of processing personal data

Before data may be processed by the controller, a number of conditions of lawfulness must be met to ensure an adequate protection of privacy.


The controller must have legitimate reasons for carrying out the planned processing.
The processing must therefore correspond to one or more of the cases provided for in Article 5 of the amended Act of 2 August 2002.

Exceptions to this are the processing of sensitive data (Articles 6 and 7) and surveillance (Article 10 of the Amended Act of 2 August 2002 (general scheme), and Article L.261-1 of the Code du Travail (place of work).


The use of your personal data must be rigorously confined to a purpose.

This purpose has to be determined before the processing begins. In addition, they have to be defined precisely and refer to one or more specific purposes (specified and explicit purposes). At the same time, they must correspond to one or more of the legitimate cases provided by law (legitimate purposes).

In principle, data should not be processed subsequently in a manner incompatible with the original purposes. Exceptions may be made with the express and prior consent of the National Commission. 

Necessity and Proportionality

The collected and processed data must be necessary (not just useful) to achieve the defined purposes. It also has to be appropriate, pertinent and not excessive in relation to the purpose for which it has been collected.

The collected data also have to be accurate and updated if necessary. The data processing can't be based on outdated or erroneous data.

Data Retention

The data should only be held for the period of time necessary for the purposes of the processing for which it was collected.

Once the purpose has been fulfilled, the data should be removed. If the data is made "anonymous" (in this case, it's not possible to identifiy a person anymore - directly or indirectly), it can be held for a longer period of time.

Last update