menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Austria) language
Contact our local member in Austria mail_outline
Visit the website of Geistwert account_balance

arrow_backPrevious Article
Article 9
Next Articlearrow_forward

Processing of special categories of personal data

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 9 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 9 keyboard_arrow_up

Articles related to article 9

Key words related to article 9

Show the recitals of the Regulation related to article 9 keyboard_arrow_down Hide the recitals of the Regulation related to article 9 keyboard_arrow_up

(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council, namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Show the recitals of the Directive related to article 9 keyboard_arrow_down Hide the recitals of the Directive related to article 9 keyboard_arrow_up

(33) Whereas data which are capable by their nature of infringing fundamental freedoms or privacy should not be processed unless the data subject gives his explicit consent; whereas, however, derogations from this prohibition must be explicitly provided for in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy or in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms;

(34) Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection - especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system - scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals;

(35) Whereas, moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognized religious associations is carried out on important grounds of public interest;

(36) Whereas where, in the course of electoral activities, the operation of the democratic system requires in certain Member States that political parties compile data on people's political opinion, the processing of such data may be permitted for reasons of important public interest, provided that appropriate safeguards are established;

The GDPR

Article 9 of the Regulation is based on Article 8 of the Directive, in that it prohibits the processing of sensitive data on the grounds that they deserve specific protection, given the significant risks to the fundamental rights and freedoms inherent in  their processing.

The prohibition covers in general:

- The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership;

- The processing of genetic data and biometric data  in order to identify an individual uniquely ;

- Processing of data concerning health or data concerning sex life or sexual orientation of an individual.

Recital  51  of the Regulations specifies that in case of derogations to the prohibition to process sensitive data, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing.

The concept of "sensitive data" within the meaning of Article 9 of the Regulation has been subject to new developments, given the significant technological developments. So, the prohibition of processing covers, besides the data revealing racial or ethnic origin, political opinions, religion, philosophical beliefs or trade union membership, health or sexual life:

- genetic data: they are defined in Article 4 (13) as personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

- biometric data: they are defined in Article 4 (14) as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; .

It should be noted that the data concerning health receive a specific definition in Article 4 (15) as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

The Regulation includes the exceptions already contained in the Directive by sometimes extending or limiting their scope (explicit consent; employment law and social security law provided that the processing is based on a law of the Union or of a member State or a collective agreement, human life safety, non-profit association, data made public by the data subject, finding, defence, exercise or determination of a legal right, preventive medicine or for substantial reasons of public interest).

The Regulation, however, introduces new derogations:

- for processing necessary for reasons of public interest in the field of public health (see Art. 9,  (2)  i), such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

- for processing necessary for archiving in the public interest or scientific or historical research purposes or statistical purposes  in accordance with Article  89  and based on Union or Member State law (see Art. 9, (2), j)). The final version of the Regulation stipulates that the processing should be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The "sensitive" data referred to in paragraph 1  can be processed for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care within the meaning of Article 9 (2), h), provided that they are processed by or under the responsibility of a professional or by or under the supervision of another person subject to professional secrecy (see Art. 9, (3 )).

Ultimately, the Member States may maintain or introduce more specific provisions; including restrictions regarding genetic, biometric or health-related data (see Article 9 (4)).

The Directive

The first paragraph of article 8 of the Directive provided a general prohibition to process the so-called “sensitive” data, except with data subject’s explicit consent. The paragraph covers the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life.

The EU legislature had considered that, insofar as these data, by their nature, infringe fundamental freedoms or privacy, they should not be the subject of processing.

This was, however, a relative prohibition. The second paragraph of article 8 of the Directive provided for various exceptions to the general prohibition to process such data.

The first exception to the principle prohibiting processing, for which the data subject has given his or her explicit consent to processing (Art. 8, paragraph 2 a) (see in this regard G29, Opinion 15/2011 on the definition of consent, WP 187).

In addition, several exceptions have been introduced to meet specific needs such as the processing needed to safety of life (Article 8,  2, c)); processing involving data which are made public by the data subject (Article 8, 2, e)); processing necessary for the  establishment, exercise or defence of legal claims (Article 8, 2 e); processing necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services (Art. 8, 3)).

The processing needed for the purposes of complying with the obligations and the specific rights of the controller in the field of employment law (Art. 8, 2, b)).

There is also an exception from the prohibition for processing carried out by a foundation, an association or any other non-profit organization with a political, philosophical, religious or trade-union aim. The exception applies only to the processing of data relating to the members of such organization or the persons being in regular contact with such organization (Art. 8, 2, f)).

The Directive provided, under certain conditions, an exception to the processing of data relating to offences, criminal convictions or security measures (Art. 8, 5). To the extent that the future Regulations provide a specific provision for these cases of processing, we will examine them in more detail in the commentary on Article 9a. 

In addition to the exceptions expressly contained in the Directive, Article 8, paragraph 4 authorised the Member States to lay down additional exemptions for reasons of substantial public interest, either by national law or by decision of the supervisory authority. These additional exemptions must still be notified to the European Commission (Art. 8, paragraph 4).

Potential issues

For different purposes or types of data, the Member States reserve a substantial degree of flexibility in the determination of exceptions which must be based on specific legislation taken by that state. Significant differences may therefore still occur between the states, which undermines the goal of full harmonization of the law on personal data protection pursued by the Regulation.

arrow_back Previous ArticleArticle 9Next Article arrow_forward
arrow_back Previous ArticleArticle 9 Next Article arrow_forward

Summary

European Union

European Union

European data protection board (EDPB)

Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak - 3/2020 (21 April 2020)

Link

Retour au sommaire

Article 29 Working Party

Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 - wp251rev.01 (6 february 2018)

(Endorsed by the EDPB)

The General Data Protection Regulation (the GDPR), specifically addresses profiling and automated individual decision-making, including profiling.

Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Banking and finance, healthcare, taxation, insurance, marketing and advertising are just a few examples of the fields where profiling is being carried out more regularly to aid decision-making.

Advances in technology and the capabilities of big data analytics, artificial intelligence and machine learning have made it easier to create profiles and make automated decisions with the potential to significantly impact individuals’ rights and freedoms.

The widespread availability of personal data on the internet and from Internet of Things (IoT) devices, and the ability to find correlations and create links, can allow aspects of an individual’s personality or behaviour, interests and habits to be determined, analysed and predicted.

Profiling and automated decision-making can be useful for individuals and organisations, delivering benefits such as:

  • increased efficiencies; and
  • resource savings.

They have many commercial applications, for example, they can be used to better segment markets and tailor services and products to align with individual needs. Medicine, education, healthcare and transportation can also all benefit from these processes.

However, profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards.

These processes can be opaque. Individuals might not know that they are being profiled or understand what is involved.

Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. In some cases, profiling can lead to inaccurate predictions. In other cases it can lead to denial of services and goods and unjustified discrimination.

The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of these guidelines is to clarify those provisions.

This document covers:

  • Definitions of profiling and automated decision-making and the GDPR approach to these in general – Chapter II
  • General provisions on profiling and automated decision-making – Chapter III
  • Specific provisions on solely automated decision-making defined in Article 22 - Chapter IV
  • Children and profiling – Chapter V
  • Data protection impact assessments and data protection officers– Chapter VI

The Annexes provide best practice recommendations, building on the experience gained in EU Member States.

The Article 29 Data Protection Working Party (WP29) will monitor the implementation of these guidelines and may complement them with further details as appropriate.

Link

Retour au sommaire
arrow_back Previous Article Article 9 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-101/01 (6 November 2003) - Lindqvist

1.    The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes ‘the processing of personal data wholly or partly by automatic means’ within the meaning of Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2.    Such processing of personal data is not covered by any of the exceptions in Article 3(2) of Directive 95/46.

3.    Reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.

4.    There is no ‘transfer [of data] to a third country’ within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.

5.    The provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.

6.    Measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.

Opinion of Advocate general

Judgment of the Court

C-141/12 ; C-372/12 (17 July 2014) - YS e.a.

1.      Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the data relating to an applicant for a residence permit contained in an administrative document, such as the ‘minute’ at issue in the main proceedings, setting out the grounds that the case officer puts forward in support of the draft decision which he is responsible for drawing up in the context of the procedure prior to the adoption of a decision concerning the application for such a permit and, where relevant, the data in the legal analysis contained in that document, are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so classified.

2.      Article 12(a) of Directive 95/46 and Article 8(2) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that an applicant for a residence permit has a right of access to all personal data concerning him which are processed by the national administrative authorities within the meaning of Article 2(b) of that directive. For that right to be complied with, it is sufficient that the applicant be in possession of a full summary of those data in an intelligible form, that is to say a form which allows that applicant to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him by that directive.

3.      Article 41(2)(b) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that the applicant for a residence permit cannot rely on that provision against the national authorities.

Opinion of Advocate general

Judgment of the Court

C-136/17 (24 September 2019) - GC and Others (De-referencing of sensitive data)

 1.The provisions of Article 8(1) and (5) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the prohibition or restrictions relating to the processing of special categories of personal data, mentioned in those provisions, apply also, subject to the exceptions provided for by the directive, to the operator of a search engine in the context of his responsibilities, powers and capabilities as the controller of the processing carried out in connection with the activity of the search engine, on the occasion of a verification performed by that operator, under the supervision of the competent national authorities, following a request by the data subject.

2.   The provisions of Article 8(1) and (5) of Directive 95/46 must be interpreted as meaning that the operator of a search engine is in principle required by those provisions, subject to the exceptions provided for by the directive, to accede to requests for de-referencing in relation to links to web pages containing personal data falling within the special categories referred to by those provisions.

Article 8(2)(e) of Directive 95/46 must be interpreted as meaning that, pursuant to that article, such an operator may refuse to accede to a request for de-referencing if he establishes that the links at issue lead to content comprising personal data falling within the special categories referred to in Article 8(1) but whose processing is covered by the exception in Article 8(2)(e) of the directive, provided that the processing satisfies all the other conditions of lawfulness laid down by the directive, and unless the data subject has the right under Article 14(a) of the directive to object to that processing on compelling legitimate grounds relating to his particular situation.

The provisions of Directive 95/46 must be interpreted as meaning that, where the operator of a search engine has received a request for de-referencing relating to a link to a web page on which personal data falling within the special categories referred to in Article 8(1) or (5) of Directive 95/46 are published, the operator must, on the basis of all the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject’s fundamental rights to privacy and protection of personal data laid down in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, ascertain, having regard to the reasons of substantial public interest referred to in Article 8(4) of the directive and in compliance with the conditions laid down in that provision, whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search, protected by Article 11 of the Charter.

3.  The provisions of Directive 95/46 must be interpreted as meaning that

  •  first, information relating to legal proceedings brought against an individual and, as the case may be, information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46, and
  •  second, the operator of a search engine is required to accede to a request for de-referencing relating to links to web pages displaying such information, where the information relates to an earlier stage of the legal proceedings in question and, having regard to the progress of the proceedings, no longer corresponds to the current situation, in so far as it is established in the verification of the reasons of substantial public interest referred to in Article 8(4) of Directive 95/46 that, in the light of all the circumstances of the case, the data subject’s fundamental rights guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union override the rights of potentially interested internet users protected by Article 11 of the Charter

Opinion of Advocate general 

Judgement of the Court

C-184/20 (1 October 2022), Vyriausioji tarnybinės etikos komisija

1.      Article 7(c) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and point (c) of the first subparagraph of Article 6(1) and Article 6(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in the light of Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation that provides for the publication online of the declaration of private interests that any head of an establishment receiving public funds is required to lodge, in so far as, in particular, that publication concerns name-specific data relating to his or her spouse, cohabitee or partner, or to persons who are close relatives of the declarant, or are known by him or her, liable to give rise to a conflict of interests, or concerns any transaction concluded during the last 12 calendar months the value of which exceeds EUR 3 000.

2.      Article 8(1) of Directive 95/46 and Article 9(1) of Regulation 2016/679 must be interpreted as meaning that the publication, on the website of the public authority responsible for collecting and checking the content of declarations of private interests, of personal data that are liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data, for the purpose of those provisions.

Judgment of the court

Opinion of the advocate general

Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 9 Next Article arrow_forward
Regulation
1e 2e

Art. 9

1.   Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2.   Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3.   Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4.   Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.-
1st proposal close

Art. 9

1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.

2. Paragraph 1 shall not apply where:

(a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

(e) the processing relates to personal data which are manifestly made public by the data subject; or

(f) processing is necessary for the establishment, exercise or defence of legal claims; or

(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests; or

(h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or

(i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or

(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.

 
2nd proposal close

Art 9

1. The processing of personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life (…) shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies (…)
(a) the data subject has given explicit consent to the processing of those personal data (…), except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union law or Member State law or a collective agreement pursuant to Member State law providing for adequate safeguards;  or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent ; or

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non- profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

(e) the processing relates to personal data which are manifestly made public by the data subject (...); or

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity ; or

(g) processing is necessary for (...) reasons of public interest, on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests; or

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union law or Member State law or pursuant to contract with a health  professional and subject to the conditions and safeguards referred to in paragraph 4 ; or

(ha) (...);

(hb) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality  and safety of health care and of medicinal products or medical devices, on the basis of Union law or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject; or

(i) processing is necessary for archiving purposes in the public interest or

historical, statistical or scientific (...) purposes and subject to the conditions and safeguards laid down in Union or Member State law, including those referred to in Article 83.

(j) (...)

3. (...)

4. Personal data referred to in paragraph 1 may on the basis of Union or Member State law be processed for the purposes referred to in point (h) (...) of paragraph 2 when those data are processed by or under the responsibility of a (...) professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4a. (...).

5. Member States may maintain or introduce more specific provisions with regard to genetic data or health data. This includes the possibility for Member States to (...) introduce further conditions for the processing of these data.
Directive close

Art. 8

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

2. Paragraph 1 shall not apply where:

(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or

(b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or

(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.

3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.

5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.

Member States may provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority.

6. Derogations from paragraph 1 provided for in paragraphs 4 and 5 shall be notified to the Commission.

7. Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed.
Austria
compare_arrows

In force until May 25, 2018:

Definitions

§ 4 DSG 2000

[...]

2. “sensitive data” (”data deserving special protection”): data relating to natural persons concerning their racial or ethnic origin, political opinion, trade-union membership, religious or philosophical beliefs, and data concerning health or sex life;

[...]

14. “consent”: the valid declaration of intention of the data subject, given without constraint, that he agrees to the use of data relating to him in a given case, after having been informed about the prevalent circumstances;

[...]

Interests in Secrecy Deserving Protection for the Use of Sensitive Data

§ 9 DSG 2000

(1) The use of sensitive data does not infringe interests in secrecy deserving protection only and exclusively if

1. the data subject has obviously made public the data himself or

2. the data are used only in indirectly personal form or

3. the obligation or authorisation to use the data is stipulated by laws, insofar as these serve an important public interest, or

4. the use is made by a controller of the public sector in fulfilment of his obligation to give inter-authority assistance or

5. data are used that concern solely the exercise of a public office by the data subject or

6. the data subject has unambiguously given his consent, which can be revoked at any time, the revocation making any further use of the data illegal, or

7. the processing or transmission is in the vital interest of the data subject and his consent cannot be obtained in time or

8. the use is in the vital interest of a third party or

9. the use is necessary for establishment, exercise or defence of legal claims of the controller before a public authority and the data were collected legitimately or

10. data are used for private purposes pursuant to § 45 or for scientific research or statistics pursuant to § 46 for information or interviewing of the data subject pursuant to § 47 or in case of emergency according to § 48a or

11. the use is required according to the rights and duties of the controller in the field of employment law and civil service regulations and, and is legitimate according to specific legal provisions; the rights of the labour councils according to the Labour-Constitution Act with regard to the use of data remain unaffected, or

12. the data are required for the purposes of preventive medicine, medical diagnosis, the provision of health care or treatment or the management of health-care services, and the use of data is performed by medical personnel or other persons subject to an equivalent duty of secrecy, or

13. non-profit-organisations with a political, philosophical, religious or trade-union aim process data revealing the political opinion or philosophical beliefs of natural persons in the course of their legitimate activities, as long as these are data of members, sponsors or other persons who display an interest in the aim of the organisation on a regular basis; these data shall not be disclosed to a third party without the consent of the data subjects unless otherwise provided for by law.
Netherlands close

UIT DE CONCEPT-UITVOERINGSWET AVG (GDPR):

Artikel 23

1. Het verbod om gegevens over gezondheid te verwerken is om redenen van zwaarwegend algemeen belang als bedoeld in artikel 9, tweede lid, onderdeel g, van de verordening dan wel om de redenen, bedoeld in artikel 9, tweede lid, onderdelen b en h, van de verordening, niet van toepassing indien de verwerking geschiedt door:

a. hulpverleners, instellingen of voorzieningen voor gezondheidszorg of maatschappelijke dienstverlening voor zover dat met het oog op een goede behandeling of verzorging van de betrokkene, dan wel het beheer van de betreffende instelling of beroepspraktijk noodzakelijk is;

b. verzekeraars als bedoeld in artikel 1:1 van de Wet op het financieel toezicht en financiële dienstverleners die bemiddelen in verzekeringen als bedoeld in artikel 1:1 van die wet, voorzover dat noodzakelijk is voor:

1°. de beoordeling van het door de verzekeraar te verzekeren risico en de betrokkene geen bezwaar heeft gemaakt; of

2°. de uitvoering van de overeenkomst van verzekering;

c. scholen voor zover dat met het oog op de speciale begeleiding van leerlingen of het treffen van bijzondere voorzieningen in verband met hun gezondheidstoestand noodzakelijk is;

d. een reclasseringsinstelling, een bijzondere reclasseringsambtenaar, de raad voor de kinderbescherming of de gecertificeerde instelling, bedoeld in artikel 1.1 van de Jeugdwet en de rechtspersoon, bedoeld in artikel 256, eerste lid, of artikel 302, tweede lid, van Boek 1 van het Burgerlijk Wetboek, voor zover dat noodzakelijk is voor de uitvoering van de hun wettelijk opgedragen taken;

e. Onze Minister voor zover dat in verband met de tenuitvoerlegging van vrijheidsstraffen of vrijheidsbenemende maatregelen noodzakelijk is;

f. bestuursorganen, pensioenfondsen, werkgevers of instellingen die te hunnen behoeve werkzaam zijn voor zover dat noodzakelijk is voor:

1°. een goede uitvoering van wettelijke voorschriften, pensioenregelingen of collectieve arbeidsovereenkomsten die voorzien in aanspraken die afhankelijk zijn van de gezondheidstoestand van de betrokkene of

2°. de re-integratie of begeleiding van werknemers of uitkeringsgerechtigden in verband met ziekte of arbeidsongeschiktheid.

2. Indien toepassing wordt gegeven aan het eerste lid worden de gegevens alleen verwerkt door personen die uit hoofde van ambt, beroep of wettelijk voorschrift, dan wel krachtens een overeenkomst tot geheimhouding zijn verplicht. Indien de verwerkingsverantwoordelijke gegevens persoonlijk verwerkt en op hem niet reeds uit hoofde van ambt, beroep of wettelijk voorschrift een geheimhoudingsplicht rust, is hij verplicht tot geheimhouding van de gegevens, behoudens voor zover de wet hem tot mededeling verplicht of uit zijn taak de noodzaak voortvloeit dat de gegevens worden meegedeeld aan anderen die krachtens het eerste lid bevoegd zijn tot verwerking daarvan.

3. Het verbod om andere bijzondere persoonsgegevens te verwerken, is niet van toepassing voor zover dit noodzakelijk is in aanvulling op de verwerking van gegevens over gezondheid als bedoeld in het eerste lid, onder a, met het oog op een goede behandeling of verzorging van de betrokkene.

4. Bij algemene maatregel van bestuur kunnen omtrent de toepassing van het eerste lid, onder b en f nadere regels worden gesteld.

Artikel 24

Het verbod om genetische gegevens te verwerken is niet van toepassing voor zover deze verwerking plaatsvindt met betrekking tot de betrokkene bij wie de betreffende gegevens zijn verkregen, tenzij:

a. een zwaarwegend geneeskundig belang prevaleert; of

b. de verwerking noodzakelijk is ten behoeve van wetenschappelijk onderzoek of statistiek en de betrokkene uitdrukkelijke toestemming heeft gegeven.

Artikel 25

1. Het verbod om bijzondere persoonsgegevens te verwerken is niet van toepassing voor zover dit noodzakelijk is met het oog op redenen van algemeen belang op het gebied van de volksgezondheid, zoals bescherming tegen ernstige grensoverschrijdende gevaren voor de gezondheid of het waarborgen van hoge normen inzake kwaliteit en veiligheid van de gezondheidszorg en van geneesmiddelen of medische hulpmiddelen.

2. Indien toepassing wordt gegeven aan het eerste lid worden de gegevens alleen verwerkt door personen die uit hoofde van ambt, beroep of wettelijk voorschrift, dan wel krachtens een overeenkomst tot geheimhouding zijn verplicht. Indien de verwerkingsverantwoordelijke gegevens persoonlijk verwerkt en op hem niet reeds uit hoofde van ambt, beroep of wettelijk voorschrift een geheimhoudingsplicht rust, is hij verplicht tot geheimhouding van de gegevens, behoudens voor zover de wet hem tot mededeling verplicht of uit zijn taak de noodzaak voortvloeit dat de gegevens worden meegedeeld aan anderen die krachtens het eerste lid bevoegd zijn tot verwerking daarvan.

Artikel 26

Het verbod om biometrische gegevens te verwerken met het oog op de unieke identificatie van een persoon is niet van toepassing indien de verwerking geschiedt met het oog op de identificatie van de betrokkene en slechts voor zover dit voor dit doel noodzakelijk en proportioneel is voor behartiging van de gerechtvaardigde belangen van de verwerkingsverantwoordelijke of een derde.

Artikel 27

Het verbod om bijzondere persoonsgegevens te verwerken, is niet van toepassing voor zover dit noodzakelijk is met het oog op wetenschappelijk of historisch onderzoek of statistische doeleinden als bedoeld in artikel 9, tweede lid, onderdeel j, van de verordening, voor zover:

a. de verwerking een algemeen belang dient;

b. het vragen van uitdrukkelijke toestemming onmogelijk blijkt of een onevenredige inspanning kost; en

c. bij de uitvoering is voorzien in zodanige waarborgen dat de persoonlijke levenssfeer van de betrokkene niet onevenredig wordt geschaad.

Artikel 28

1. Het verbod om bijzondere persoonsgegevens te verwerken, is niet van toepassing indien:

a. dit noodzakelijk is ter voldoening aan een volkenrechtelijke verplichting;

b. de gegevens worden verwerkt door de Autoriteit of een ombudsman als bedoeld in artikel 9:17 van de Algemene wet bestuursrecht en dit noodzakelijk is met het oog op een zwaarwegend algemeen belang, voor de uitvoering van de hun wettelijk opgedragen taken en bij die uitvoering is voorzien in zodanige waarborgen dat de persoonlijke levenssfeer van de betrokkene niet onevenredig wordt geschaad; of

c. dit noodzakelijk is met het oog op een zwaarwegend algemeen belang, passende waarborgen worden geboden ter bescherming van de persoonlijke levenssfeer en de Autoriteit ontheffing heeft verleend. De Autoriteit kan bij de verlening van ontheffing beperkingen en voorschriften opleggen.

2. Bij verwerkingen op grond van het eerste lid, onderdeel c, wordt de evenredigheid met het nagestreefde doel gewaarborgd, de wezenlijke inhoud van het recht op bescherming van persoonsgegevens geëerbiedigd, en worden passende en specifieke maatregelen getroffen ter bescherming van de grondrechten en de fundamentele belangen van de betrokkene.

Artikel 29

1. Het verbod om persoonsgegevens te verwerken waaruit religieuze of levensbeschouwelijke overtuigingen blijken, is niet van toepassing indien de verwerking geschiedt door instellingen, voor zover dit noodzakelijk is met het oog op de geestelijke verzorging van de betrokkene, tenzij deze daartegen schriftelijk bezwaar heeft gemaakt.

2. In de gevallen als bedoeld in het eerste lid worden geen persoonsgegevens aan derden verstrekt zonder toestemming van de betrokkene.

Artikel 30

Het verbod om persoonsgegevens te verwerken waaruit politieke opvattingen blijken, is niet van toepassing indien de verwerking geschiedt met het oog op de eisen die met betrekking tot politieke opvattingen in redelijkheid kunnen worden gesteld in verband met de vervulling van functies in bestuursorganen en adviescolleges.
arrow_back Previous ArticleArticle 9 Next Article arrow_forward
close

2016 - www.itiplaw.eu.