Permitted processing of electronic communications data
Providers of electronic communications networks and services shall be permitted to process electronic communications data only if: (a) it is necessary to achieve the transmission of the communication, for the duration necessary for that purpose; or (b) it is necessary to maintain or restore the security of electronic communications networks and services, or detect technical faults and/or errors and/or attacks in the transmission of electronic communications, for the duration necessary for that purpose.
Without prejudice to paragraph 1, providers of electronic communications networks and services shall be permitted to process electronic communications metadata only if: (a) it is necessary to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/212012 for the duration necessary for that purpose; or (b) it is necessary for performance of the contract to which the end-user is party, including billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services; or (c) the end-user concerned has given consent to the processing of communications metadata for one or more purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous; or (d) it is necessary to protect the vital interest of a natural person where the end-user who is a natural person is physically or legally incapable of giving consent; or (e) it is necessary for scientific research or statistical purposes provided it is based on Union or Member State law which shall be proportionate to the aim pursued and provide for specific measures, including encryption and pseudonymisation, to safeguard fundamental rights and the interest of the end-users. Processing of electronic communications metadata under this point shall be done in accordance with paragraph 6 of Article 21 and paragraphs 1, 2 and 4 of Article 89 of Regulation (EU) 2016/679.
Without prejudice to paragraph 1, providers of the electronic communications networks and services shall be permitted to process electronic communications content only: (a) for the sole purpose of the provision of a service to an end-user, if the end-user or end-users concerned have given their consent to the processing of electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or (b) if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has prior to the processing carried out an assessment of the impact of the envisaged processing operations on the protection of electronic communications data and consulted the supervisory authority. Article 36(2) and (3) of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority.
A third party on behalf of a provider of electronic communications network or services shall be permitted to process electronic communications data in accordance with paragraphs 1 to 3 provided that conditions laid down in Article 28 of Regulation (EU) 2016/679 are met.
Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union (OJ L 310, 26.11.2015, p. 1–18).