Table of Contents
Article 1
Article 2
Article 3
Article 4
Article 5
Article 6
Article 7
Article 8
Article 9
Article 10
Article 11
Article 12
Article 13
Article 14
Article 15
Article 16
Article 17
Article 18
Article 19
Article 20
Article 21
Article 22
Article 23
Article 24
Article 25
Article 26
Article 27
Article 28
Article 29
Article 30
Article 31
Article 32
Article 33
Article 34
Article 35
Article 36
Article 37
Article 38
Article 39
Article 40
Article 41
Article 42
Article 43
Article 10
The Controller may only collect Personal Data directly from the Data Subject and may only process Personal Data for the purposes for which they have been collected. However, the Controller may collect Personal Data from a source other that the Data Subject and may process Personal Data for purposes other than the ones for which they have been collected in the following situations:
- The Data Subject gives their consent in accordance with the provisions of this Law.
- Personal Data is publicly available or was collected from a publicly available source.
- The Controller is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.
- Complying with this may harm the Data Subject or affect their vital interests
- Personal Data Collection or Processing is necessary to protect public health, public safety, or to protect the life or health of specific individuals
- Personal Data is not to be recorded or stored in a form that makes it possible to directly or indirectly identify the Data Subject.
- Personal Data Collection is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.
The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (7) of this Article.
FAQs
The default rule is that your personal data must be collected directly from you. However, the law permits a Controller to collect your data from another source under specific circumstances, such as:
- You have given your consent.
- The data was collected from a publicly available source.
- The Controller is a public entity and requires the data for security, legal, or judicial purposes.
- Collecting the data directly from you could cause you harm or affect your vital interests.
- The collection is necessary to protect public health or an individual’s life.
Generally, your personal data may only be processed for the purpose for which it was originally collected. Using it for a new purpose is only allowed under the same set of exceptions that permit collecting it from a source other than you. This includes obtaining your consent, if the processing is required for public safety, or if it is necessary for the Controller’s legitimate interests, among other reasons.
While consent is the primary basis for processing, several exceptions allow for processing without it. These include:
- Public Interest and Safety: Processing is permitted if it is necessary to protect public health or safety, or the life of an individual. Similarly, a public entity can process data for security or legal requirements.
- Legitimate Interests: A Controller may process your data to achieve their legitimate interests. However, this is subject to two important conditions: the processing must not infringe on your rights and interests, and it cannot be used for processing Sensitive Data.
- Publicly Available Data: If your personal data is already publicly available, it can be processed without separate consent.
- Anonymization: Processing is allowed if the data is handled in a way that it can no longer be used to identify you directly or indirectly.