Article 9 GDPR: Difference between revisions

Revision as of 15:55, 16 August 2021

← Article 9: Processing of special categories →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 9: Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Relevant Recitals

Recital 10: Equivalent Level of Protection and Homogeneous Application

In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.

Recital 46: Vital Interest of a Natural Person

The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

Recital 51: Protection of Sensitive Personal Data

Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

Recital 52: Derogating from the Prohibition on Special Category Data Processing

Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

Recital 53: Processing Special Category Data for Health-related Purposes

Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

Recital 54: Processing of Health Data for Reasons of Public Interest

The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council, namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

Recital 55: Processing by Authorities to Achieve Aims of Religious Associations

Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

Recital 56: Processing in the Course of Electoral Activities

Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

Commentary

Article 9 GDPR contains a prohibition for the processing of special categories of data; that is, data that the legislator has considered to be particularly sensitive for different reasons. This prohibition contains also different exceptions.

(1) Prohibition of the Processing of Special Categories of Personal Data

The GDPR prohibits, in its Article 9(1) GDPR, all processing of special categories of personal data unless it is based on one or more of the ten legal bases under Article 9(2) GDPR. This approach means that by default processing of special categories of data is prohibited – unless one of the exceptions in Article 9(2) GDPR are met.

The list is exhaustive, so no other exceptions can be used.^[1]

Special Categories of Data

The list of special categories of data includes: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

It is to be noted that the WP29 has determined that the term “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade-union membership” is to be understood that not only data which by its nature contains sensitive information is covered by this provision, but also data from which sensitive information with regard to an individual can be concluded.^[2] The WP29 has also remarked that biological race does not exist, so this category is only meant for the protection of certain data due to their reference to a particular ethnic group.^[3]

These categories are therefore meant to be interpreted broadly. This was already stated by the CJEU regarding health data under the Data Protection Directive, saying that “in the light of the purpose of the directive, the expression 'data concerning health' used in Article 8(1) thereof must be given a wide interpretation so as to include information concerning all aspects, both physical and mental, of the health of an individual”.^[4] In this way, for example, the Austrian DPA has held that negative PCR (SARS_CoV-2) test are to be qualified as health data.^[5] This category also may include data on special needs of students, since it qualifies as health data.^[6]

In the same sense, for example, data revealing racial data may include the shape of the face or eyes, and data revealing political opinions may include value judgments, statements, views and convictions.^[7] The Austrian Federal Administrative Court also has held, for example, that data on the "affinity for a political party" also qualifies as special categories of personal data, namely as data on political opinions.^[8]

The definitions for biometric and genetic data and data concerning health are provided by Article 4(13), (14) and (15) GDPR. Additionally, and in the same sense as before, these terms shall be interpreted broadly, so when genetic, biometric or health data can be inferred from other kind of data, it will be included in the protected special categories. For example, photographs can be considered biometric data when processed through a specific technical means allowing the unique identification or authentication of a natural person, as stated by Recital 51 GDPR.

Legal Basis – Relation to Article 6 GDPR

In accordance to Recital 51 GDPR, when processing data pursuant to Article 9 GDPR, not only conditions from such Article apply but the general principles and other rules of the GDPR shall be applied too. In particular, the conditions for lawful processing apply. Therefore, the processing of special categories of personal data cannot only be based on one of the exceptions and requirements from Article 9(2) and (3) GDPR, but also has to be based on a legal basis from Article 6(1) GDPR.^[9] This also means that principles from Article 5 GDPR shall be applied when processing special categories of data.

(2) Exceptions

In accordance with Article 9(2), special categories of data can only be processed when meeting one of the exceptions listed.

a) Explicit consent

The first exception, under letter a), is the obtention of the explicit consent of the data subject. As opposed to consent used as a legal basis from Article 6(1), consent from Article 9 is a qualified type of consent that requires a higher level of precision and will from the data subject. Consent will need a clearly affirmative action separate from other transactions.^[10] Additionally, the data subject must give an express statement of consent.^[11] Also, consent will need to meet all the other requirements from Article 7.

For example, the Norwegian DPA has held that it is not possible to rely on this exception when consent is not valid under Article 6(1)(a).^[12]

b) Necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment and social security law

The second exception, under letter b), is related to processing by employers that is necessary for the purposes of carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law. Such obligations and exercise of rights must be provided by law or by a collective agreement, and must provide for appropriate safeguards. Biometric and health data play an important role in this exception, and the necessity principle is key to avoid overuse.^[13]

For example, the Dutch DPA has held that the processing of special categories of data – health data in this particular case – must be strictly necessary to achieve what is stated in the law; when the processing of certain categories of health data is not really necessary to comply with the legal obligation, the controller cannot rely on this exception for those categories.^[14]

c) Vital for the protection of the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent

Thirdly, and similarly to one of the legal basis from Article 6, Article 9(2) provides under letter c) an exception to the processing of special categories of data when the processing is vital for the protection of the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent. As specified by recital 46, the processing shall take place only where the processing cannot be manifestly based on another legal basis; therefore, in order to use this exception, the data subject must be in a situation in which they are physically or legally unable to consent.

d) In the course of legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim

The fourth exception, under letter d), is for the processing carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. Such bodies shall only carry out the processing internally, and the processing shall relate to members or former members. The rationale behind this exception is that often such bodies are intrinsically related with personal data that fall under the categories of Article 9.

e) Related to personal data which are manifestly made public by the data subject

The fifth exception, under letter e), makes reference to data that is manifestly made public. The word “manifestly” implies that the data subject must affirmatively make public the data and be aware of the result of such publicity. The mere existence in public space does not fall under the term of publication in this sense.^[15]

The Norwegian DPA has considered, for example, that making use of a gay dating app does not amount to manifestly making public data about sexual orientation, since the data is mainly only visible to other members of the LGTBQ community, as it is necessary to have an account too, an anonymous profile can be used and there is not a clear warning of the public nature of the information.^[16]

f) Necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

The sixth exception, under letter f), relates to legal claims and judicial activities, that in many cases require the processing of certainly sensitive data. While the concept of legal claims and judicial activities is to be interpreted broadly in order to include every type of legal claim, since the term is not further specified, the exception itself should be interpreted restrictively, meaning that it will only be applicable to legal claims or activities and to immediate preparatory acts.^[17]

g) Necessary for reasons of substantial public interest, on the basis of Union or Member State law

The seventh exception, under letter g), allows for the processing of special categories of data when there is a substantial public interest involved. The processing shall be carried out on the basis of Union or Member State law, and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The law must satisfy the principle of certainty and define the necessary safeguards, and therefore the right must be itself enshrined in the law.^[18] Recital 46 provides, as an example, processing that is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

h) Necessary for medicinal purposes or for the management of health systems and services

The eighth exception, under letter h), includes the processing of data that is necessary for medicinal purposes and for the provision of health services. Medicinal purposes entail preventive or occupational medicine, the assessment of the working capacity of the employee, or medical diagnosis. The management of health systems includes the provision of health or social care or treatment and the management of health or social care systems and services.

The processing must be carried out on the basis of Union or Member State law or pursuant to contract with a health professional. Additionally, Article 9(3) establishes a supplementary condition: the data shall be processed by or under the responsibility of a professional subject to the obligation of professional secrecy.

i) Necessary for reasons of public interest in the area of public health

The ninth exception, under letter i), includes data processed for the public interest in the area of the public health. An example of such public interest can be processing of personal data with the aim of protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. This must be done on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

These measures must be effective and must be provided by law. For example, the French Highest Administrative Court declared that a decree was unlawful due to the absence of sufficient guarantees to ensure that access to the processed health data did not exceed that which is strictly necessary for the exercise of the mission recognised by law.^[19]

j) Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

The last exception, under letter j), includes processing that is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This shall be based on Union or Member State law and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

For example, the Austrian DPA has held that labelling a person as "extreme right-wing" in a blog for the purpose of scientific research on the history of fascism and National Socialism, the resistance to the latter movements and on political manifestations of right-wing extremism, including the purpose of documentation and archiving, especially when such person has taken a basic political stance and repeatedly expressed this publicly, falls under this exception.^[20]

(3) Professional secrecy

Data processed for necessary for medicinal purposes or for the management of health systems and services, under the exception from Article 9(2)(h), shall be processed by or under the responsibility of a professional subject to the obligation of professional secrecy.

The obligation of professional secrecy must be provided by national law and must be statutory. For example, the Swedish DPA has established that a confidentially contract cannot replace statutory professional secrecy, since confidentially obligations are not strong enough.^[21]

(4) Opening Clause

According to Article 9(4) Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. Member States are not allowed to introduce additional legal bases and lower the level of protection for special categories of personal data. For example, Germany has introduced rules regarding consent in a genetic examination or analysis;^[22] protection for biometric data in passports and identity cards, that must be secured against unauthorized modification, deletion and readout;^[23] the processing of personal data of organ donors;^[24] or data protection in the public health insurance and related associations.^[25]

Decisions

→ You can find all related decisions in Category:Article 9 GDPR

References

↑ Georgieval/Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 9 GDPR, p. 375 (Oxford University Press 2020).
↑ WP29, Advice paper on special categories of data (“sensitive data”), 20 April 2011, p. 6.
↑ WP29, Advice paper on special categories of data (“sensitive data”), 20 April 2011, p. 10.
↑ CJEU, 6 November 2003, Bodil Lindqvist, C-101/01, margin number 50 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=48382&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=157699).
↑ Datenschutzbehörde, 15 February 2021, DSB-2021-0.101.211 (available here https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=096d50fd-d36d-4a43-bb00-5ff38c3b6f4d&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20210215_2021_0_101_211_00).
↑ Datatilsynet, 2 July 2020, 20/02191-1 KBK/- (available here https://www.datatilsynet.no/contentassets/9d5792264c884f3a903d3981c38812ac/~-20_02191-1-vedtak-om-overtredelsesgebyr---ralingen-kommune-202444_10_1.pdf).
↑ Schiff, in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 15-22 (Beck, 2nd edition 2018) (accessed 10 July 2021).
↑ Bundesverwaltungsgericht, 26 November 2020, W258 2217446-1 (available here https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=e9b780cb-e5e0-4be8-81e7-7a49b08cc25b&Position=1&SkipToDocumentPage=True&Abfrage=Bvwg&Entscheidungsart=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=DSGVO&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=BVWGT_20201126_W258_2217446_1_00).
↑ Expert Group Minutes 2016: Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, 'Minutes of the Second Meeting' (10 October 2016). Available at: https://ec.europa.eu/transparency/expert-groups-register/core/api/front/expertGroupAddtitionalInfo/27803/download and https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?do=groupDetail.groupDetail&groupID=3461
↑ Bygravel/Tosoni, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 4 GDPR, p. 185 (Oxford University Press, Oxford, 2020)
↑ EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, p. 20
↑ Datatilsynet, DT-20/02136, January 26, 2021. Available at: https://www.datatilsynet.no/contentassets/da7652d0c072493c84a4c7af506cf293/advance-notification-of-an-administrative-fine.pdf (accessed 28/07/2021)
↑ Schiff, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin numbers 38-40 (Beck 2018, 2nd ed.) (accessed 10/07/2021)
↑ Autoriteit Persoonsgegevens, Decision from March 24, 2020 regarding CP&A B.V. Available at: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boete_cpa_verzuimregistratie.pdf (accessed 27/07/2021)
↑ Schiff, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin numbers 45-46 (Beck 2018, 2nd ed.) (accessed 10/07/2021)
↑ Datatilsynet, DT-20/02136, January 26, 2021. Available at: https://www.datatilsynet.no/contentassets/da7652d0c072493c84a4c7af506cf293/advance-notification-of-an-administrative-fine.pdf (accessed 28/07/2021), with references to EDPB, Guidelines 8/2020 on the targeting of social media users, 2 September 2020, Section 8.2
↑ Georgieval/Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 9 GDPR, p. 379 (Oxford University Press, Oxford, 2020)
↑ CJEU, Case C‑291/12, 17 October 2013, paragraph 55; related to Case of S. and Marper v. The United Kingdom, Applications nos. 30562/04 and 30566/04, 4 December 2008
↑ Conseil d’Etat, N° 428451, November 25, 2020. Available at: https://www.legifrance.gouv.fr/ceta/id/CETATEXT000042570046?tab_selection=cetat&searchField=ALL&query=428451&searchType=ALL&juridiction=TRIBUNAL_CONFLIT&juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&juridiction=TRIBUNAL_ADMINISTATIF&sortValue=DATE_DESC&pageSize=10&page=1&tab_selection=cetat#cetat (accessed 28/07/2020)
↑ Datenschutzbehörde, DSB-D124.1177/0006-DSB/2019, January 22, 2021. Available at: https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=ade5bfc2-3a92-44cc-90b6-36c9132c2332&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20210122_DSB_D124_1177_0006_DSB_2019_00 (accessed 29/07/2021)
↑ Integritetsskyddsmyndigheten, DI-2019-3375, June 7, 2021. Available at: https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-07-beslut-medhelp.pdf (accessed 29/07/2021)
↑ § 8(1) GenDG (German Genetic Diagnostics Act)
↑ § 5(6) and (9) PAuswG (German Passport and Identity Card Act)
↑ § 7 and § 14 TPG (German Organ Transplant Law)
↑ § 284 and § 285 SGB V (German Social Insurance Code V)

[1] Georgieval/Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 9 GDPR, p. 375 (Oxford University Press 2020).

[2] WP29, Advice paper on special categories of data (“sensitive data”), 20 April 2011, p. 6.

[3] WP29, Advice paper on special categories of data (“sensitive data”), 20 April 2011, p. 10.

[4] CJEU, 6 November 2003, Bodil Lindqvist, C-101/01, margin number 50 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=48382&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=157699).

[5] Datenschutzbehörde, 15 February 2021, DSB-2021-0.101.211 (available here https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=096d50fd-d36d-4a43-bb00-5ff38c3b6f4d&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20210215_2021_0_101_211_00).

[6] Datatilsynet, 2 July 2020, 20/02191-1 KBK/- (available here https://www.datatilsynet.no/contentassets/9d5792264c884f3a903d3981c38812ac/~-20_02191-1-vedtak-om-overtredelsesgebyr---ralingen-kommune-202444_10_1.pdf).

[7] Schiff, in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 15-22 (Beck, 2nd edition 2018) (accessed 10 July 2021).

[8] Bundesverwaltungsgericht, 26 November 2020, W258 2217446-1 (available here https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=e9b780cb-e5e0-4be8-81e7-7a49b08cc25b&Position=1&SkipToDocumentPage=True&Abfrage=Bvwg&Entscheidungsart=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=DSGVO&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=BVWGT_20201126_W258_2217446_1_00).

[9] Expert Group Minutes 2016: Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, 'Minutes of the Second Meeting' (10 October 2016). Available at: https://ec.europa.eu/transparency/expert-groups-register/core/api/front/expertGroupAddtitionalInfo/27803/download and https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?do=groupDetail.groupDetail&groupID=3461

[10] Bygravel/Tosoni, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 4 GDPR, p. 185 (Oxford University Press, Oxford, 2020)

[11] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, p. 20

[12] Datatilsynet, DT-20/02136, January 26, 2021. Available at: https://www.datatilsynet.no/contentassets/da7652d0c072493c84a4c7af506cf293/advance-notification-of-an-administrative-fine.pdf (accessed 28/07/2021)

[13] Schiff, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin numbers 38-40 (Beck 2018, 2nd ed.) (accessed 10/07/2021)

[14] Autoriteit Persoonsgegevens, Decision from March 24, 2020 regarding CP&A B.V. Available at: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boete_cpa_verzuimregistratie.pdf (accessed 27/07/2021)

[15] Schiff, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin numbers 45-46 (Beck 2018, 2nd ed.) (accessed 10/07/2021)

[16] Datatilsynet, DT-20/02136, January 26, 2021. Available at: https://www.datatilsynet.no/contentassets/da7652d0c072493c84a4c7af506cf293/advance-notification-of-an-administrative-fine.pdf (accessed 28/07/2021), with references to EDPB, Guidelines 8/2020 on the targeting of social media users, 2 September 2020, Section 8.2

[17] Georgieval/Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 9 GDPR, p. 379 (Oxford University Press, Oxford, 2020)

[18] CJEU, Case C‑291/12, 17 October 2013, paragraph 55; related to Case of S. and Marper v. The United Kingdom, Applications nos. 30562/04 and 30566/04, 4 December 2008

[19] Conseil d’Etat, N° 428451, November 25, 2020. Available at: https://www.legifrance.gouv.fr/ceta/id/CETATEXT000042570046?tab_selection=cetat&searchField=ALL&query=428451&searchType=ALL&juridiction=TRIBUNAL_CONFLIT&juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&juridiction=TRIBUNAL_ADMINISTATIF&sortValue=DATE_DESC&pageSize=10&page=1&tab_selection=cetat#cetat (accessed 28/07/2020)

[20] Datenschutzbehörde, DSB-D124.1177/0006-DSB/2019, January 22, 2021. Available at: https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=ade5bfc2-3a92-44cc-90b6-36c9132c2332&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20210122_DSB_D124_1177_0006_DSB_2019_00 (accessed 29/07/2021)

[21] Integritetsskyddsmyndigheten, DI-2019-3375, June 7, 2021. Available at: https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-07-beslut-medhelp.pdf (accessed 29/07/2021)

[22] § 8(1) GenDG (German Genetic Diagnostics Act)

[23] § 5(6) and (9) PAuswG (German Passport and Identity Card Act)

[24] § 7 and § 14 TPG (German Organ Transplant Law)

[25] § 284 and § 285 SGB V (German Social Insurance Code V)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

@@ Line 219: / Line 219: @@
 <span id="r1"><span id="r1"><span id="r1"><span id="r1"><span id="r1"><span id="r1"><span id="r1"><span id="r1">Article 9 GDPR contains a prohibition for the processing of special categories of data; that is, data that the legislator has considered to be particularly sensitive for different reasons. This prohibition contains also different exceptions.
-==== '''(1) Prohibition of the Processing of Special Categories of Personal Data''' ====
+==== (1) Prohibition of the Processing of Special Categories of Personal Data ====
 The GDPR prohibits, in its Article 9(1) GDPR, all processing of special categories of personal data unless it is based on one or more of the ten legal bases under Article 9(2) GDPR. This approach means that by default processing of special categories of data is prohibited – unless one of the exceptions in Article 9(2) GDPR are met.
 The list is exhaustive, so no other exceptions can be used.<ref>''Georgieval/Kuner'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 9 GDPR, p. 375 (Oxford University Press 2020).</ref>
-===== '''Special Categories of Data''' =====
+===== Special Categories of Data =====
 The list of special categories of data includes: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
@@ Line 235: / Line 235: @@
 The definitions for biometric and genetic data and data concerning health are provided by [[Article 4 GDPR|Article 4(13), (14) and (15) GDPR]]. Additionally, and in the same sense as before, these terms shall be interpreted broadly, so when genetic, biometric or health data can be inferred from other kind of data, it will be included in the protected special categories. For example, photographs can be considered biometric data when processed through a specific technical means allowing the unique identification or authentication of a natural person, as stated by Recital 51 GDPR.
-====='''Legal Basis – Relation to [[Article 6 GDPR]]'''=====
+=====Legal Basis – Relation to [[Article 6 GDPR]]=====
 In accordance to Recital 51 GDPR, when processing data pursuant to Article 9 GDPR, not only conditions from such Article apply but the general principles and other rules of the GDPR shall be applied too. In particular, the conditions for lawful processing apply. Therefore, the processing of special categories of personal data cannot only be based on one of the exceptions and requirements from Article 9(2) and (3) GDPR, but also has to be based on a legal basis from [[Article 6 GDPR|Article 6(1) GDPR]].<ref>Expert Group Minutes 2016: Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, 'Minutes of the Second Meeting' (10 October 2016). Available at: <nowiki>https://ec.europa.eu/transparency/expert-groups-register/core/api/front/expertGroupAddtitionalInfo/27803/download</nowiki> and <nowiki>https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?do=groupDetail.groupDetail&groupID=3461</nowiki></ref> This also means that principles from [[Article 5 GDPR]] shall be applied when processing special categories of data.
-==== '''(2) Exceptions''' ====
+==== (2) Exceptions ====
 In accordance with Article 9(2), special categories of data can only be processed when meeting one of the exceptions listed.