ASOCIACION NACIONAL DE ESTABLECIMIENTOS FINANCIEROS DE CREDITO (ASNEF) AND FEDERACION DE COMERCIO ELECTRONICO Y MARKETING DIRECTO (FECEMD) V. ADMINISTRACION DEL ESTADO, 24.Nov.2011 (“ASNEF”)

Valid purposes for processing: EU data protection law sets out an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as lawful. Member States cannot add new principles relating to the lawfulness of processing or impose additional requirements. (¶¶ 29-32)

Accordingly, it has been held that the harmonisation of those national laws is not limited to minimal harmonisation but amounts to harmonisation which is generally complete. It is upon that view that Directive 95/46 is intended to ensure free movement of personal data while guaranteeing a high level of protection for the rights and interests of the individuals to whom such data relate (Lindqvist, paragraph 96).

Consequently, it follows from the objective of ensuring an equivalent level of protection in all Member States that Article 7 of Directive 95/46 sets out an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as being lawful.

That interpretation is corroborated by the term ‘may be processed only if’ and its juxtaposition with ‘or’ contained in Article 7 of Directive 95/46, which demonstrate the exhaustive and restrictive nature of the list appearing in that article.

It follows that Member States cannot add new principles relating to the lawfulness of the processing of personal data to Article 7 of Directive 95/46 or impose additional requirements that have the effect of amending the scope of one of the six principles provided for in Article 7.