Article 9 GDPR: Difference between revisions
mNo edit summary |
|||
(6 intermediate revisions by 6 users not shown) | |||
Line 185: | Line 185: | ||
== Legal Text == | == Legal Text == | ||
<center>'''Article 9: Processing of special categories of personal data'''</center> | |||
<span id="1"> 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.</span> | <span id="1"> 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.</span> | ||
Line 221: | Line 221: | ||
<span id="r1"><span id="r1"><span id="r1"><span id="r1"><span id="r1"><span id="r1"><span id="r1"><span id="r1">Article 9(1) GDPR contains a general prohibition for the processing of special categories of data; that is, data that the legislator has considered to be particularly sensitive for different reasons. Under Article 9(2) GDPR such general prohibition is excluded when certain requirements are met. Article 9(3) GDPR lays down specific indications for processing carried out in the context of professional or institutional activities. Finally, Article 9(4) GDPR allows Member States to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. | <span id="r1"><span id="r1"><span id="r1"><span id="r1"><span id="r1"><span id="r1"><span id="r1"><span id="r1">Article 9(1) GDPR contains a general prohibition for the processing of special categories of data; that is, data that the legislator has considered to be particularly sensitive for different reasons. Under Article 9(2) GDPR such general prohibition is excluded when certain requirements are met. Article 9(3) GDPR lays down specific indications for processing carried out in the context of professional or institutional activities. Finally, Article 9(4) GDPR allows Member States to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. | ||
=== (1) General | === (1) General prohibition of processing of special categories of personal data === | ||
Article 9(1) GDPR provides a list of special categories of personal data whose processing is generally prohibited unless any of the exceptions under Article 9(2) GDPR applies. The list is exhaustive<ref>''Georgieval, Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 9 GDPR, p. 375 (Oxford University Press 2020). However, other GDPR provisions consider and regulate processing relating to other categories of data such as data relating to criminal convictions under Article 10 GDPR. See, ''Albers, Veit'', in BeckOK DatenschutzR, Article 9 GDPR, margin number 18 (C.H. Beck 2021, 38th Edition). | Article 9(1) GDPR provides a list of special categories of personal data whose processing is generally prohibited unless any of the exceptions under Article 9(2) GDPR applies. The list is exhaustive<ref>''Georgieval, Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 9 GDPR, p. 375 (Oxford University Press 2020). However, other GDPR provisions consider and regulate processing relating to other categories of data such as data relating to criminal convictions under Article 10 GDPR. See, ''Albers, Veit'', in BeckOK DatenschutzR, Article 9 GDPR, margin number 18 (C.H. Beck 2021, 38th Edition). | ||
Line 251: | Line 251: | ||
===== Health data ===== | ===== Health data ===== | ||
[[Article 4 GDPR|Article 4(15) GDPR]] defines health data as any personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. In this way, for example, the Austrian DPA has held that negative PCR (SARS_CoV-2) tests should be classified as health data.<ref>Datenschutzbehörde, DSB-2021-0.101.211, 15 February 2021, (available [https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=096d50fd-d36d-4a43-bb00-5ff38c3b6f4d&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20210215_2021_0_101_211_00 here]).</ref> This category may also include data on special needs of students which qualify as health data too.<ref>Datatilsynet, 20/02191-1 KBK/-, 2 July 2020 (available [https://www.datatilsynet.no/contentassets/9d5792264c884f3a903d3981c38812ac/~-20_02191-1-vedtak-om-overtredelsesgebyr---ralingen-kommune-202444_10_1.pdf here]). </ref> | [[Article 4 GDPR|Article 4(15) GDPR]] defines health data as any personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. In this way, for example, the Austrian DPA has held that negative PCR (SARS_CoV-2) tests should be classified as health data.<ref>Datenschutzbehörde, DSB-2021-0.101.211, 15 February 2021, (available [https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=096d50fd-d36d-4a43-bb00-5ff38c3b6f4d&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20210215_2021_0_101_211_00 here]).</ref> This category may also include data on special needs of students which qualify as health data too.<ref>Datatilsynet, 20/02191-1 KBK/-, 2 July 2020 (available [https://www.datatilsynet.no/contentassets/9d5792264c884f3a903d3981c38812ac/~-20_02191-1-vedtak-om-overtredelsesgebyr---ralingen-kommune-202444_10_1.pdf here]). </ref><blockquote><u>EDPB Guidelines:</u> on this provision there are [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en EDPB Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak] | ||
{{Quote-CJEU|"[S]pecial categories of personal data, listed in [...] Article 9(1) of the GDPR, include data concerning health. Those data cover, in accordance with Article 4(15) of that regulation, read in conjunction with recital 35 of that regulation, all personal data which reveal information relating to the past, present or future health status of a natural person, including data relating to the provision of healthcare services to that person. | |||
[...] | |||
Consequently, the information which customers of an operator of a pharmacy enter when ordering online pharmacy-only medicinal products the sale of which does not require a prescription constitutes data concerning health, within the meaning of [...] Article 9(1) of the GDPR, even where it is only with a certain degree of probability, and not with absolute certainty, that those medicinal products are intended for those customers."|CJEU - C‑21/23 - Lindenapotheke|76 and 90.}}</blockquote> | |||
===== Sex life and sexual orientation ===== | ===== Sex life and sexual orientation ===== | ||
The special protection afforded to personal data concerning sex life and sexual orientation essentially reflects the EU’s interest in fighting any sort of discrimination based on these factors as established in Article 21 of the EU Charter of Fundamental Rights. This includes information relating to heterosexuality, bisexuality, homosexuality and transsexuality, such as information about an intended gender change, one that has already taken place, living in a registered civil partnership or in a same-sex marriage. It also protects information related to sexual practices, as well as other acts that may reveal sexual orientation. Even the abstention from sexual practices may be considered sensitive data.<ref>''Petri,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 9 GDPR, margin number 23 (C.H. Beck 2019).</ref> | The special protection afforded to personal data concerning sex life and sexual orientation essentially reflects the EU’s interest in fighting any sort of discrimination based on these factors as established in Article 21 of the EU Charter of Fundamental Rights. This includes information relating to heterosexuality, bisexuality, homosexuality and transsexuality, such as information about an intended gender change, one that has already taken place, living in a registered civil partnership or in a same-sex marriage. It also protects information related to sexual practices, as well as other acts that may reveal sexual orientation. Even the abstention from sexual practices may be considered sensitive data.<ref>''Petri,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 9 GDPR, margin number 23 (C.H. Beck 2019).</ref> | ||
====Legal | ====Legal basis – relation to [[Article 6 GDPR]]==== | ||
In accordance to Recital 51 GDPR, when processing data pursuant to Article 9 GDPR, not only do the conditions within this article apply, but so do the general principles and other rules of the GDPR as well. This means that not only do the principles in [[Article 5 GDPR]] apply, but that the conditions for lawful processing also apply. Therefore, the processing of special categories of personal data must not only be based on one of the exceptions and requirements from Article 9(2) and Article 9 (3) GDPR, but will also require an additional concomitant legal basis contained in [[Article 6 GDPR|Article 6(1) GDPR]].<ref>Expert Group Minutes 2016: Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, 'Minutes of the Second Meeting', 10 October 2016, (available [https://ec.europa.eu/transparency/expert-groups-register/core/api/front/expertGroupAddtitionalInfo/27803/download here] and [https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?do=groupDetail.groupDetail&groupID=3461 here]). </ref> | In accordance to Recital 51 GDPR, when processing data pursuant to Article 9 GDPR, not only do the conditions within this article apply, but so do the general principles and other rules of the GDPR as well. This means that not only do the principles in [[Article 5 GDPR]] apply, but that the conditions for lawful processing also apply. Therefore, the processing of special categories of personal data must not only be based on one of the exceptions and requirements from Article 9(2) and Article 9 (3) GDPR, but will also require an additional concomitant legal basis contained in [[Article 6 GDPR|Article 6(1) GDPR]].<ref>Expert Group Minutes 2016: Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, 'Minutes of the Second Meeting', 10 October 2016, (available [https://ec.europa.eu/transparency/expert-groups-register/core/api/front/expertGroupAddtitionalInfo/27803/download here] and [https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?do=groupDetail.groupDetail&groupID=3461 here]). </ref> | ||
Line 262: | Line 267: | ||
=== (2) Exceptions === | === (2) Exceptions === | ||
In accordance with Article 9(2) GDPR, special categories of data can only be processed when meeting one of the exceptions listed. | In accordance with Article 9(2) GDPR, special categories of data can only be processed when meeting one of the exceptions listed. These exceptions are independent of each other and must therefore be assessed independently. If the conditions for one of the exceptions are not met, a controller can therefore rely on another exception listed in Article 9(2).<ref>CJEU, Case C-667/21, ''Krankenversicherung Nordrhein,'' 21 December 2023, margin number 47 (available [[CJEU - C-667/21 - Krankenversicherung Nordrhein|here]]). </ref> The CJEU has emphasized the application of the doctrine ''singularia non sunt extendenda'' to these exceptions, urging a strict interpretation.<ref>[[CJEU - C-252/21 - Meta Platforms and Others v Bundeskartellamt|ECJ, Judgement of 4 July 2023]], Meta Platforms Inc. et al. v. Bundeskartellamt, [https://curia.europa.eu/juris/document/document.jsf?text=&docid=275125&doclang=EN C‑252/21], ECLI:EU:C:2023:537, paragraph 76 and the case law cited.</ref> | ||
==== (a) Explicit | ==== (a) Explicit consent ==== | ||
The first exception, under letter (a), is obtaining the explicit consent of the data subject. As opposed to the simple consent established as a legal basis in [[Article 6 GDPR|Article 6(1)(a) GDPR]], the explicit consent in Article 9(2)(a) GDPR is a qualified type that requires a higher level of precision and will from the data subject. Explicit consent will need a clearly affirmative action separate from other transactions.<ref>''Bygravel, Tosoni'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 4 GDPR, p. 185 (Oxford University Press, Oxford, 2020).</ref> Additionally, the data subject must give an express statement of consent.<ref>EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), p. 20 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf here]).</ref> Consent will also need to meet all the other requirements in [[Article 7 GDPR]]. Although they are not equivalent, as we have mentioned before, there is a definite correlation between the consent established in Article 6(1)(a) GDPR and the explicit consent in Article 9(2)(a). For example, in a recent decision, the Norwegian DPA has held that it is not possible to rely on this exception when consent is not valid under [[Article 6 GDPR|Article 6(1)(a) GDPR]].<ref>Datatilsynet, DT-20/02136, 26 January 2021, p. 19 (available [https://www.datatilsynet.no/contentassets/da7652d0c072493c84a4c7af506cf293/advance-notification-of-an-administrative-fine.pdf here]). </ref> | The first exception, under letter (a), is obtaining the explicit consent of the data subject. As opposed to the simple consent established as a legal basis in [[Article 6 GDPR|Article 6(1)(a) GDPR]], the explicit consent in Article 9(2)(a) GDPR is a qualified type that requires a higher level of precision and will from the data subject. Explicit consent will need a clearly affirmative action separate from other transactions.<ref>''Bygravel, Tosoni'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 4 GDPR, p. 185 (Oxford University Press, Oxford, 2020).</ref> Additionally, the data subject must give an express statement of consent.<ref>EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), p. 20 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf here]).</ref> Consent will also need to meet all the other requirements in [[Article 7 GDPR]]. Although they are not equivalent, as we have mentioned before, there is a definite correlation between the consent established in Article 6(1)(a) GDPR and the explicit consent in Article 9(2)(a). For example, in a recent decision, the Norwegian DPA has held that it is not possible to rely on this exception when consent is not valid under [[Article 6 GDPR|Article 6(1)(a) GDPR]].<ref>Datatilsynet, DT-20/02136, 26 January 2021, p. 19 (available [https://www.datatilsynet.no/contentassets/da7652d0c072493c84a4c7af506cf293/advance-notification-of-an-administrative-fine.pdf here]). </ref> | ||
==== (b) Necessary for | ==== (b) Necessary for employment and social security purposes ==== | ||
The second exception, under letter (b), is related to processing by employers that is necessary for the purposes of carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law. These obligations and rights must be provided by law or by a collective agreement, and include appropriate safeguards. Biometric and health data play an important role in this exception, and the necessity principle is key to avoid overuse.<ref>''Shiff'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin numbers 38-39 (C.H. Beck, 2nd Edition 2018). | The second exception, under letter (b), is related to processing by employers that is necessary for the purposes of carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law. These obligations and rights must be provided by law or by a collective agreement, and include appropriate safeguards. Biometric and health data play an important role in this exception, and the necessity principle is key to avoid overuse.<ref>''Shiff'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin numbers 38-39 (C.H. Beck, 2nd Edition 2018). | ||
</ref> For example, the Dutch DPA has held that the processing of special categories of data – health data in this particular case – must be strictly necessary to achieve what is stated in the law; when the processing of certain categories of health data is not really necessary to comply with the legal obligation, the controller cannot rely on this exception for those categories.<ref>Autoriteit Persoonsgegevens, 24 March 2020 (available [https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boete_cpa_verzuimregistratie.pdf here]). </ref> | </ref> For example, the Dutch DPA has held that the processing of special categories of data – health data in this particular case – must be strictly necessary to achieve what is stated in the law; when the processing of certain categories of health data is not really necessary to comply with the legal obligation, the controller cannot rely on this exception for those categories.<ref>Autoriteit Persoonsgegevens, 24 March 2020 (available [https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boete_cpa_verzuimregistratie.pdf here]). </ref> | ||
==== (c) Protection of the | ==== (c) Protection of the vital interests of the data subject or of another natural person ==== | ||
Thirdly, and similarly to the legal basis from [[Article 6 GDPR|Article 6(d) GDPR]], Article 9(2) GDPR provides, under letter (c), an exception to the processing of special categories of data when the processing is necessary for the protection of the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. As specified by Recital 46 GDPR, the processing of personal data based on the vital interest of another natural person shall take place only where the processing cannot be manifestly based on another legal basis. | Thirdly, and similarly to the legal basis from [[Article 6 GDPR|Article 6(d) GDPR]], Article 9(2) GDPR provides, under letter (c), an exception to the processing of special categories of data when the processing is necessary for the protection of the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. As specified by Recital 46 GDPR, the processing of personal data based on the vital interest of another natural person shall take place only where the processing cannot be manifestly based on another legal basis. | ||
==== (d) In the | ==== (d) In the course of legitimate activities by a foundation and similar bodies ==== | ||
The fourth exception, under letter (d), is for the processing carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. Such bodies shall only carry out the processing internally, and the processing shall relate to members or former members. The rationale behind this exception is that often such bodies are intrinsically related with personal data that fall under the categories of Article 9 GDPR. | The fourth exception, under letter (d), is for the processing carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. Such bodies shall only carry out the processing internally, and the processing shall relate to members or former members. The rationale behind this exception is that often such bodies are intrinsically related with personal data that fall under the categories of Article 9 GDPR. | ||
==== (e) Related to | ==== (e) Related to personal data which are manifestly made public by the data subject ==== | ||
The fifth exception, under letter (e), makes reference to data that is manifestly made public. The word ''“manifestly”'' implies that the data subject must affirmatively make the data public, and be aware of the result of such publicity. The mere presence of the data in a public space does not necessarily imply that it has been manifestly made public in this sense.<ref>''Shiff'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin numbers 45-46 (C.H. Beck, 2nd Edition 2018).</ref> The Norwegian DPA has considered, for example, that making use of a LGTBQ dating app does not amount to manifestly making public data about sexual orientation, since the data is mainly only visible to other members of the LGTBQ community, as it is necessary to have an account too in order to access that data. Additionally, the app gives you the option of using an anonymous profile, and the app does not provide a clear warning stating the public nature of any information on the data subject’s profile.<ref>Datatilsynet, DT-20/02136, 26 January 2021, pp. 19-20 (available [https://www.datatilsynet.no/contentassets/da7652d0c072493c84a4c7af506cf293/advance-notification-of-an-administrative-fine.pdf here]) referring to EDPB, ‘Guidelines 8/2020 on the targeting of social media users’, 2 September 2020, pp. 34-36 (available [https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf here]).</ref> | The fifth exception, under letter (e), makes reference to data that is manifestly made public. The word ''“manifestly”'' implies that the data subject must affirmatively make the data public, and must be aware of the result of such publicity. The mere presence of the data in a public space does not necessarily imply that it has been manifestly made public in this sense.<ref>''Shiff'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin numbers 45-46 (C.H. Beck, 2nd Edition 2018).</ref> | ||
{{Quote-CJEU|"It follows that, for the purposes of the application of the exception laid down in Article 9(2)(e) of the GDPR, it is important to ascertain whether the data subject had intended, explicitly and by a clear affirmative action, to make the personal data in question accessible to the general public [...]"|CJEU - C-446/21 - Schrems v Facebook Ireland (2021)|77.}} | |||
The Norwegian DPA has considered, for example, that making use of a LGTBQ dating app does not amount to manifestly making public data about sexual orientation, since the data is mainly only visible to other members of the LGTBQ community, as it is necessary to have an account too in order to access that data. Additionally, the app gives you the option of using an anonymous profile, and the app does not provide a clear warning stating the public nature of any information on the data subject’s profile.<ref>Datatilsynet, DT-20/02136, 26 January 2021, pp. 19-20 (available [https://www.datatilsynet.no/contentassets/da7652d0c072493c84a4c7af506cf293/advance-notification-of-an-administrative-fine.pdf here]) referring to EDPB, ‘Guidelines 8/2020 on the targeting of social media users’, 2 September 2020, pp. 34-36 (available [https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf here]).</ref> | |||
Contrary, the CJEU couldn't rule out that a data subject's statement about their sexual orientation during a panel discussion which was subsequently published on YouTube could constitute an act by which the data subject manifestly made his sexual orientation public.<ref>CJEU, Case C-446/21, ''Maximilian Schrems v Meta Platforms Ireland Limited,'' 4 October 2024, margin number 79 (available [[CJEU - C-446/21 - Schrems v Facebook Ireland (2021)|here]]).</ref> | |||
The exception for information manifestly made public has another important limitation. The fact that a data subject manifestly makes public specific information in accordance with Article 9(2) GDPR does not mean that other personal data relating to the special category of data also lose the special protection stipulated in Article 9(1) GDPR. This would be contrary to the restrictive interpretation of the exceptions listed in Article 9(2) GDPR.<ref>CJEU, Case C-446/21, ''Maximilian Schrems v Meta Platforms Ireland Limited,'' 4 October 2024, margin number 80 et seq. (available [[CJEU - C-446/21 - Schrems v Facebook Ireland (2021)|here]]).</ref> Neither can the fact that a data subject published personal data covered by Article 9(1) GDPR be interpreted as a consent within the meaning of Article 9(2)(a) GDPR for the processing of other data relating to special categories of data.<ref>CJEU, Case C-446/21, ''Maximilian Schrems v Meta Platforms Ireland Limited,'' 4 October 2024, margin number 82 (available [[CJEU - C-446/21 - Schrems v Facebook Ireland (2021)|here]]).</ref> | |||
==== (f) Necessary for the | ==== (f) Necessary for the establishment, exercise or defence of legal claims ==== | ||
The sixth exception, under letter (f), relates to legal claims and judicial activities, that in many cases require the processing of certainly sensitive data. While the concept of legal claims and judicial activities is to be interpreted broadly in order to include every type of legal claim, since the term is not further specified. The exception itself, however, should be interpreted restrictively, meaning that it will only be applicable to legal claims or activities, as well as to immediate preparatory acts.<ref>''Georgieval, Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 9 GDPR, p. 379 (Oxford University Press 2020). </ref> | The sixth exception, under letter (f), relates to legal claims and judicial activities, that in many cases require the processing of certainly sensitive data. While the concept of legal claims and judicial activities is to be interpreted broadly in order to include every type of legal claim, since the term is not further specified. The exception itself, however, should be interpreted restrictively, meaning that it will only be applicable to legal claims or activities, as well as to immediate preparatory acts.<ref>''Georgieval, Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 9 GDPR, p. 379 (Oxford University Press 2020). </ref> | ||
==== (g) Necessary for | ==== (g) Necessary for reasons of substantial public interest, on the basis of union or Member State law ==== | ||
The seventh exception, under letter (g), allows for the processing of special categories of data when there is a substantial public interest involved. The processing shall be carried out on the basis of Union or Member State law, and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The right must be itself enshrined in the law, which satisfy the principle of certainty, and define the necessary safeguards.<ref>CJEU, C-291/12, ''Schwarz'', 17 October 2013, margin number 55 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=143189&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=166148 here]) referring to ECHR, ''S. and Marper'', Applications nos. 30562/04 and 30566/04, 4 December 2008, margin number 103 (available [https://hudoc.echr.coe.int/eng#{%22fulltext%22:[%22S.%20and%20Marper%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-90051%22]} here]).</ref> Recital 46 GDPR provides, as an example, "''processing that is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters''." | The seventh exception, under letter (g), allows for the processing of special categories of data when there is a substantial public interest involved. The processing shall be carried out on the basis of Union or Member State law, and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The right must be itself enshrined in the law, which satisfy the principle of certainty, and define the necessary safeguards.<ref>CJEU, C-291/12, ''Schwarz'', 17 October 2013, margin number 55 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=143189&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=166148 here]) referring to ECHR, ''S. and Marper'', Applications nos. 30562/04 and 30566/04, 4 December 2008, margin number 103 (available [https://hudoc.echr.coe.int/eng#{%22fulltext%22:[%22S.%20and%20Marper%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-90051%22]} here]).</ref> Recital 46 GDPR provides, as an example, "''processing that is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters''." | ||
==== (h) Necessary for | ==== (h) Necessary for medicinal purposes or for the management of health systems and services ==== | ||
The eighth exception, under letter (h), includes the processing of data that is necessary for medicinal purposes and for the provision of health services. Medicinal purposes entail preventive or occupational medicine, the assessment of the working capacity of the employee, or medical diagnosis. The management of health systems and services includes the provision of health or social care or treatment. The processing must be carried out on the basis of Union or Member State law or pursuant to a contract with a health professional. Additionally, Article 9(3) GDPR establishes a supplementary condition: the data shall be processed by or under the responsibility of a professional subject to the obligation of professional secrecy. | The eighth exception, under letter (h), includes the processing of data that is necessary for medicinal purposes and for the provision of health services. Medicinal purposes entail preventive or occupational medicine, the assessment of the working capacity of the employee, or medical diagnosis. The management of health systems and services includes the provision of health or social care or treatment. The processing must be carried out on the basis of Union or Member State law or pursuant to a contract with a health professional. Additionally, Article 9(3) GDPR establishes a supplementary condition: the data shall be processed by or under the responsibility of a professional subject to the obligation of professional secrecy. | ||
==== (i) Necessary for | ==== (i) Necessary for reasons of public interest in the area of public health ==== | ||
The ninth exception, under letter (i), includes data processed for the public interest in the area of the public health. An example of such public interest can be processing of personal data with the aim of protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. This must be done on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. | The ninth exception, under letter (i), includes data processed for the public interest in the area of the public health. An example of such public interest can be processing of personal data with the aim of protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. This must be done on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. | ||
These measures must be effective and must be provided by law. For example, the French Highest Administrative Court declared that a decree was unlawful due to the absence of sufficient guarantees to ensure that access to the processed health data did not exceed that which is strictly necessary for the exercise of the mission recognised by law.<ref>Conseil d’Etat, N° 428451, 25 November 2020, (available [https://www.legifrance.gouv.fr/ceta/id/CETATEXT000042570046?tab_selection=cetat&searchField=ALL&query=428451&searchType=ALL&juridiction=TRIBUNAL_CONFLIT&juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&juridiction=TRIBUNAL_ADMINISTATIF&sortValue=DATE_DESC&pageSize=10&page=1&tab_selection=cetat#cetat here]). </ref> | These measures must be effective and must be provided by law. For example, the French Highest Administrative Court declared that a decree was unlawful due to the absence of sufficient guarantees to ensure that access to the processed health data did not exceed that which is strictly necessary for the exercise of the mission recognised by law.<ref>Conseil d’Etat, N° 428451, 25 November 2020, (available [https://www.legifrance.gouv.fr/ceta/id/CETATEXT000042570046?tab_selection=cetat&searchField=ALL&query=428451&searchType=ALL&juridiction=TRIBUNAL_CONFLIT&juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&juridiction=TRIBUNAL_ADMINISTATIF&sortValue=DATE_DESC&pageSize=10&page=1&tab_selection=cetat#cetat here]). </ref> | ||
==== (j) Necessary for | ==== (j) Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes ==== | ||
The last exception, under letter (j), includes processing that is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This shall be based on Union or Member State law and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. For example, the Austrian DPA has held that labelling a person as "''extreme right-wing''" in a blog for the purpose of scientific research on the history of fascism and National Socialism, political manifestations of right-wing extremism and the resistance to the latter movements, including also the purpose of documentation and archiving (especially when such person has taken a basic political stance and repeatedly expressed this publicly), falls under this exception.<ref>Datenschutzbehörde, DSB-D124.1177/0006-DSB/2019, 22 January 2021 (available [[DSB (Austria) - DSB-D124.1177/0006-DSB/2019|here]]).</ref> | The last exception, under letter (j), includes processing that is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This shall be based on Union or Member State law and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. For example, the Austrian DPA has held that labelling a person as "''extreme right-wing''" in a blog for the purpose of scientific research on the history of fascism and National Socialism, political manifestations of right-wing extremism and the resistance to the latter movements, including also the purpose of documentation and archiving (especially when such person has taken a basic political stance and repeatedly expressed this publicly), falls under this exception.<ref>Datenschutzbehörde, DSB-D124.1177/0006-DSB/2019, 22 January 2021 (available [[DSB (Austria) - DSB-D124.1177/0006-DSB/2019|here]]).</ref> | ||
=== (3) Professional | === (3) Professional secrecy === | ||
Data processed necessarily for medicinal purposes or for the management of health systems and services under the exception from Article 9(2)(h) GDPR, shall be processed by or under the responsibility of a professional subject to the obligation of professional secrecy. The obligation of professional secrecy must be provided by national law and must be statutory. For example, the Swedish DPA has established that a confidentially contract cannot replace statutory professional secrecy on the grounds that confidentially obligations are not strict enough.<ref>Integritetsskyddsmyndigheten, DI-2019-3375, 7 June 2021 (available [https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-07-beslut-medhelp.pdf here]). </ref> | Data processed necessarily for medicinal purposes or for the management of health systems and services under the exception from Article 9(2)(h) GDPR, shall be processed by or under the responsibility of a professional subject to the obligation of professional secrecy. The obligation of professional secrecy must be provided by national law and must be statutory. For example, the Swedish DPA has established that a confidentially contract cannot replace statutory professional secrecy on the grounds that confidentially obligations are not strict enough.<ref>Integritetsskyddsmyndigheten, DI-2019-3375, 7 June 2021 (available [https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-07-beslut-medhelp.pdf here]). </ref> | ||
=== (4) Opening | === (4) Opening clause === | ||
According to Article 9(4) GDPR Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. Member States are not allowed to introduce additional legal bases or lower the level of protection for special categories of personal data. For example, Germany has introduced rules regarding consent in a genetic examination or analysis,<ref>[https://www.gesetze-im-internet.de/gendg/__8.html § 8(1) GenDG] (German Genetic Diagnostics Act).</ref> protection for biometric data in passports and identity cards, that must be secured against unauthorized modification, deletion and readout,<ref>[https://www.gesetze-im-internet.de/pauswg/__5.html § 5(6) and (9) PAuswG] (German Passport and Identity Card Act).</ref> the processing of personal data of organ donors,<ref>[https://www.gesetze-im-internet.de/tpg/__7.html § 7] and [https://www.gesetze-im-internet.de/tpg/__14.html § 14 TPG] (German Organ Transplant Law).</ref> and on data protection in the public health insurance and related associations.<ref>[https://www.gesetze-im-internet.de/sgb_5/__284.html § 284] and [https://www.gesetze-im-internet.de/sgb_5/__285.html § 285 SGB V] (German Social Insurance Code V)</ref> | According to Article 9(4) GDPR Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. Member States are not allowed to introduce additional legal bases or lower the level of protection for special categories of personal data. For example, Germany has introduced rules regarding consent in a genetic examination or analysis,<ref>[https://www.gesetze-im-internet.de/gendg/__8.html § 8(1) GenDG] (German Genetic Diagnostics Act).</ref> protection for biometric data in passports and identity cards, that must be secured against unauthorized modification, deletion and readout,<ref>[https://www.gesetze-im-internet.de/pauswg/__5.html § 5(6) and (9) PAuswG] (German Passport and Identity Card Act).</ref> the processing of personal data of organ donors,<ref>[https://www.gesetze-im-internet.de/tpg/__7.html § 7] and [https://www.gesetze-im-internet.de/tpg/__14.html § 14 TPG] (German Organ Transplant Law).</ref> and on data protection in the public health insurance and related associations.<ref>[https://www.gesetze-im-internet.de/sgb_5/__284.html § 284] and [https://www.gesetze-im-internet.de/sgb_5/__285.html § 285 SGB V] (German Social Insurance Code V)</ref> | ||
==Decisions== | ==Decisions== |
Latest revision as of 15:00, 15 October 2024
Legal Text
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
- (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
- (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
- (e) processing relates to personal data which are manifestly made public by the data subject;
- (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
- (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
Relevant Recitals
Commentary
Article 9(1) GDPR contains a general prohibition for the processing of special categories of data; that is, data that the legislator has considered to be particularly sensitive for different reasons. Under Article 9(2) GDPR such general prohibition is excluded when certain requirements are met. Article 9(3) GDPR lays down specific indications for processing carried out in the context of professional or institutional activities. Finally, Article 9(4) GDPR allows Member States to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
(1) General prohibition of processing of special categories of personal data
Article 9(1) GDPR provides a list of special categories of personal data whose processing is generally prohibited unless any of the exceptions under Article 9(2) GDPR applies. The list is exhaustive[1] and includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person's sex life or sexual orientation.
In general terms, the prohibition of processing shall apply to all data revealing sensitive aspects. These categories are meant to be interpreted broadly[2] and, according to some authors, not only cover data directly containing sensitive information (i.e. a trade union's badge, or a clinical record) but also data from which sensitive information can be inferred. Take, for instance, the online support given to a political demonstration, or a video footage showing the person accessing a certain hospital department. In both cases, it is argued, the information reveals something sensitive about the individual (either their political views, or a health condition) and should be treated accordingly.[3]
Racial or ethnic origin
This category recognises and expresses the intention to protect the principle of non-discrimination and cultural diversity typical of any modern society. While the characteristic of "racial origin" is based on biological ancestry and hereditary characteristics, "ethnic origin" focuses more on the cultural aspects that characterise a group of people. These include language, history, tradition, shared values and a sense of togetherness.[4] However, the use of the term “racial” in no way means that the GDPR or the European Union accepts a definition, or even worse the existence of, any “race”. This assumption has already been made clear by the WP29,[5] and subsequently confirmed by Recital 51 GDPR: “the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races”. Rather, the special protection is intended to counteract such theories.[6]
Political opinions
The GDPR does not provide a definition of the expression "political opinion". It seems clear, however, that any type of clear, unambiguous statement, support or, as the case may be, rejection[7] of a political party or of an ideological organization, any subscription to a politically oriented magazine, or participation in offline and online petitions, meetings or demonstrations, most likely amount to "political opinion".[8] Conversely, opinions that focus on purely commercial facts or exclusively express a private interest, without reference to a public debate or the functioning of a democratic and pluralistic society, are excluded from the definition.[9]
In cases of doubt, a broad understanding of the term "political opinion" is appropriate in order not to jeopardize the foundations of political opinion-forming.[10] For these reasons, a fairly large number of activities are covered by the processing ban with regard to political opinions. They range, for example, from subscriber lists of political party magazines and lists of participants at political events or demonstrations, to expressions of interest or approval for political groups in social networks (such as the "Like" on Facebook) as long as they reflect a reliable conclusion on a political opinion.[11]
Religious and philosophical beliefs
The protection of religious beliefs aims to protect not only "traditional" religious affiliations but also other secular views (e.g. pacifism, socialism). Followers of natural religions or sects, atheists, anthroposophists, or members of ideological organizations, as well as Christians, Muslims and Buddhists all have a right to legal protection which guarantees that information about their convictions may only be processed under special conditions.
Trade union membership
Expression of Article 28 of the EU Charter of Fundamental Rights, this category reflects the importance of trade unions' role in protecting workers' dignity and labour conditions. By restricting the processing of this type of data, this provision reduces the risk of employer retaliations based on trade union membership.[12] This category refers to membership as well as activities activities that reveal a close connection to a trade union. These include, among others, status as a union representative, documents showing a certain union membership, participation in the foundation of a union, as well as daily handling of union affairs. Depending on the individual case’s circumstances, the subscription to a trade union publication, the distribution of trade union documents (publications, advertising material) or even the expression of interest in the activities of a trade union (e.g. reading the notices, talking to a union member at the trade union stand),[13] may also benefit from this special protection under Article 9(1) GDPR.
Genetic data
A definition of genetic data can be found in Article 4(13) GDPR. It includes any personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person, and which result, in particular, from an analysis of a biological sample from the natural person in question.
Biometric data
A definition of biometric data can be found in Article 4(14)GDPR. It refers to personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. With regard to biometric data, it should be noted that Article 9(1) only prohibits their processing "for the purpose of uniquely identifying a natural person". Therefore, the processing of biometric data for other purposes does not fall under the general prohibition of processing. According to Petri, the exact meaning of "uniquely identifying" is to be based on the processing method and the respective state of the art, but above all on the individual case’s circumstances , and in particular, the nature of the data processed.[14]
Health data
Article 4(15) GDPR defines health data as any personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. In this way, for example, the Austrian DPA has held that negative PCR (SARS_CoV-2) tests should be classified as health data.[15] This category may also include data on special needs of students which qualify as health data too.[16]
EDPB Guidelines: on this provision there are EDPB Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
"[S]pecial categories of personal data, listed in [...] Article 9(1) of the GDPR, include data concerning health. Those data cover, in accordance with Article 4(15) of that regulation, read in conjunction with recital 35 of that regulation, all personal data which reveal information relating to the past, present or future health status of a natural person, including data relating to the provision of healthcare services to that person.
[...]
Consequently, the information which customers of an operator of a pharmacy enter when ordering online pharmacy-only medicinal products the sale of which does not require a prescription constitutes data concerning health, within the meaning of [...] Article 9(1) of the GDPR, even where it is only with a certain degree of probability, and not with absolute certainty, that those medicinal products are intended for those customers."
CJEU - C‑21/23 - Lindenapotheke, margin number 76 and 90..
Sex life and sexual orientation
The special protection afforded to personal data concerning sex life and sexual orientation essentially reflects the EU’s interest in fighting any sort of discrimination based on these factors as established in Article 21 of the EU Charter of Fundamental Rights. This includes information relating to heterosexuality, bisexuality, homosexuality and transsexuality, such as information about an intended gender change, one that has already taken place, living in a registered civil partnership or in a same-sex marriage. It also protects information related to sexual practices, as well as other acts that may reveal sexual orientation. Even the abstention from sexual practices may be considered sensitive data.[17]
Legal basis – relation to Article 6 GDPR
In accordance to Recital 51 GDPR, when processing data pursuant to Article 9 GDPR, not only do the conditions within this article apply, but so do the general principles and other rules of the GDPR as well. This means that not only do the principles in Article 5 GDPR apply, but that the conditions for lawful processing also apply. Therefore, the processing of special categories of personal data must not only be based on one of the exceptions and requirements from Article 9(2) and Article 9 (3) GDPR, but will also require an additional concomitant legal basis contained in Article 6(1) GDPR.[18]
However, four exceptions for processing special categories of data established in Article 9(2)(a) GDPR, Article 9(2)(c) GDPR, Article 9(2)(g) GDPR and Article 9(2)(i) GDPR directly correlate with a specific legal basis laid out in Article 6(1) GDPR, while offering an even stricter and better protection. Therefore, it can be interpreted that these exceptions in Article 9(2) GDPR related to explicit consent, vital interests of a person physically or legally unable to give consent, and public interest, subsume the corresponding legal basis contained in Article 6(1)(a) GDPR, 6(1)(d) GDPR and 6(1)(e) GDPR respectively, and would require no additional correlation. The other six exceptions listed in Article 9(2) GDPR would require an additional legal basis pursuant to Article 6(1) GDPR.
(2) Exceptions
In accordance with Article 9(2) GDPR, special categories of data can only be processed when meeting one of the exceptions listed. These exceptions are independent of each other and must therefore be assessed independently. If the conditions for one of the exceptions are not met, a controller can therefore rely on another exception listed in Article 9(2).[19] The CJEU has emphasized the application of the doctrine singularia non sunt extendenda to these exceptions, urging a strict interpretation.[20]
(a) Explicit consent
The first exception, under letter (a), is obtaining the explicit consent of the data subject. As opposed to the simple consent established as a legal basis in Article 6(1)(a) GDPR, the explicit consent in Article 9(2)(a) GDPR is a qualified type that requires a higher level of precision and will from the data subject. Explicit consent will need a clearly affirmative action separate from other transactions.[21] Additionally, the data subject must give an express statement of consent.[22] Consent will also need to meet all the other requirements in Article 7 GDPR. Although they are not equivalent, as we have mentioned before, there is a definite correlation between the consent established in Article 6(1)(a) GDPR and the explicit consent in Article 9(2)(a). For example, in a recent decision, the Norwegian DPA has held that it is not possible to rely on this exception when consent is not valid under Article 6(1)(a) GDPR.[23]
(b) Necessary for employment and social security purposes
The second exception, under letter (b), is related to processing by employers that is necessary for the purposes of carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law. These obligations and rights must be provided by law or by a collective agreement, and include appropriate safeguards. Biometric and health data play an important role in this exception, and the necessity principle is key to avoid overuse.[24] For example, the Dutch DPA has held that the processing of special categories of data – health data in this particular case – must be strictly necessary to achieve what is stated in the law; when the processing of certain categories of health data is not really necessary to comply with the legal obligation, the controller cannot rely on this exception for those categories.[25]
(c) Protection of the vital interests of the data subject or of another natural person
Thirdly, and similarly to the legal basis from Article 6(d) GDPR, Article 9(2) GDPR provides, under letter (c), an exception to the processing of special categories of data when the processing is necessary for the protection of the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. As specified by Recital 46 GDPR, the processing of personal data based on the vital interest of another natural person shall take place only where the processing cannot be manifestly based on another legal basis.
(d) In the course of legitimate activities by a foundation and similar bodies
The fourth exception, under letter (d), is for the processing carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. Such bodies shall only carry out the processing internally, and the processing shall relate to members or former members. The rationale behind this exception is that often such bodies are intrinsically related with personal data that fall under the categories of Article 9 GDPR.
(e) Related to personal data which are manifestly made public by the data subject
The fifth exception, under letter (e), makes reference to data that is manifestly made public. The word “manifestly” implies that the data subject must affirmatively make the data public, and must be aware of the result of such publicity. The mere presence of the data in a public space does not necessarily imply that it has been manifestly made public in this sense.[26]
"It follows that, for the purposes of the application of the exception laid down in Article 9(2)(e) of the GDPR, it is important to ascertain whether the data subject had intended, explicitly and by a clear affirmative action, to make the personal data in question accessible to the general public [...]"
CJEU - C-446/21 - Schrems v Facebook Ireland (2021), margin number 77..
The Norwegian DPA has considered, for example, that making use of a LGTBQ dating app does not amount to manifestly making public data about sexual orientation, since the data is mainly only visible to other members of the LGTBQ community, as it is necessary to have an account too in order to access that data. Additionally, the app gives you the option of using an anonymous profile, and the app does not provide a clear warning stating the public nature of any information on the data subject’s profile.[27]
Contrary, the CJEU couldn't rule out that a data subject's statement about their sexual orientation during a panel discussion which was subsequently published on YouTube could constitute an act by which the data subject manifestly made his sexual orientation public.[28]
The exception for information manifestly made public has another important limitation. The fact that a data subject manifestly makes public specific information in accordance with Article 9(2) GDPR does not mean that other personal data relating to the special category of data also lose the special protection stipulated in Article 9(1) GDPR. This would be contrary to the restrictive interpretation of the exceptions listed in Article 9(2) GDPR.[29] Neither can the fact that a data subject published personal data covered by Article 9(1) GDPR be interpreted as a consent within the meaning of Article 9(2)(a) GDPR for the processing of other data relating to special categories of data.[30]
(f) Necessary for the establishment, exercise or defence of legal claims
The sixth exception, under letter (f), relates to legal claims and judicial activities, that in many cases require the processing of certainly sensitive data. While the concept of legal claims and judicial activities is to be interpreted broadly in order to include every type of legal claim, since the term is not further specified. The exception itself, however, should be interpreted restrictively, meaning that it will only be applicable to legal claims or activities, as well as to immediate preparatory acts.[31]
(g) Necessary for reasons of substantial public interest, on the basis of union or Member State law
The seventh exception, under letter (g), allows for the processing of special categories of data when there is a substantial public interest involved. The processing shall be carried out on the basis of Union or Member State law, and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The right must be itself enshrined in the law, which satisfy the principle of certainty, and define the necessary safeguards.[32] Recital 46 GDPR provides, as an example, "processing that is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters."
(h) Necessary for medicinal purposes or for the management of health systems and services
The eighth exception, under letter (h), includes the processing of data that is necessary for medicinal purposes and for the provision of health services. Medicinal purposes entail preventive or occupational medicine, the assessment of the working capacity of the employee, or medical diagnosis. The management of health systems and services includes the provision of health or social care or treatment. The processing must be carried out on the basis of Union or Member State law or pursuant to a contract with a health professional. Additionally, Article 9(3) GDPR establishes a supplementary condition: the data shall be processed by or under the responsibility of a professional subject to the obligation of professional secrecy.
(i) Necessary for reasons of public interest in the area of public health
The ninth exception, under letter (i), includes data processed for the public interest in the area of the public health. An example of such public interest can be processing of personal data with the aim of protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. This must be done on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
These measures must be effective and must be provided by law. For example, the French Highest Administrative Court declared that a decree was unlawful due to the absence of sufficient guarantees to ensure that access to the processed health data did not exceed that which is strictly necessary for the exercise of the mission recognised by law.[33]
(j) Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
The last exception, under letter (j), includes processing that is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This shall be based on Union or Member State law and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. For example, the Austrian DPA has held that labelling a person as "extreme right-wing" in a blog for the purpose of scientific research on the history of fascism and National Socialism, political manifestations of right-wing extremism and the resistance to the latter movements, including also the purpose of documentation and archiving (especially when such person has taken a basic political stance and repeatedly expressed this publicly), falls under this exception.[34]
(3) Professional secrecy
Data processed necessarily for medicinal purposes or for the management of health systems and services under the exception from Article 9(2)(h) GDPR, shall be processed by or under the responsibility of a professional subject to the obligation of professional secrecy. The obligation of professional secrecy must be provided by national law and must be statutory. For example, the Swedish DPA has established that a confidentially contract cannot replace statutory professional secrecy on the grounds that confidentially obligations are not strict enough.[35]
(4) Opening clause
According to Article 9(4) GDPR Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. Member States are not allowed to introduce additional legal bases or lower the level of protection for special categories of personal data. For example, Germany has introduced rules regarding consent in a genetic examination or analysis,[36] protection for biometric data in passports and identity cards, that must be secured against unauthorized modification, deletion and readout,[37] the processing of personal data of organ donors,[38] and on data protection in the public health insurance and related associations.[39]
Decisions
→ You can find all related decisions in Category:Article 9 GDPR
References
- ↑ Georgieval, Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 9 GDPR, p. 375 (Oxford University Press 2020). However, other GDPR provisions consider and regulate processing relating to other categories of data such as data relating to criminal convictions under Article 10 GDPR. See, Albers, Veit, in BeckOK DatenschutzR, Article 9 GDPR, margin number 18 (C.H. Beck 2021, 38th Edition).
- ↑ The CJEU shares the same conclusions: “in the light of the purpose of the directive, the expression 'data concerning health' used in Article 8(1) thereof must be given a wide interpretation so as to include information concerning all aspects, both physical and mental, of the health of an individual”. See, CJEU, 6 November 2003, Bodil Lindqvist, C-101/01, margin number 50 (available here).
- ↑ Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 9 GDPR, margin number 11 (C.H. Beck 2019). See also, WP29, ‘Advice paper on special categories of data (“sensitive data”)’, 20 April 2011, p. 6 (available here).
- ↑ Walker, in Kühling, Buchner, DS-GVO BDSG, Article 9 GDPR, margin number 26 (C.H. Beck 2020, 3rd Edition).
- ↑ WP29, Advice paper on special categories of data (“sensitive data”), 20 April 2011, p. 10.
- ↑ Walker, in Kühling, Buchner, DS-GVO BDSG, Article 9 GDPR, margin number 25 (C.H. Beck 2020, 3rd Edition).
- ↑ Walker, in Kühling, Buchner, DS-GVO BDSG, Article 9 GDPR, margin number 27 (C.H. Beck 2020, 3rd Edition).
- ↑ For example, the Austrian Federal Administrative Court also has held that data on the "affinity for a political party" also qualifies as special categories of personal data, namely as data on political opinions. See, Bundesverwaltungsgericht, 26 November 2020, W258 2217446-1 (available here).
- ↑ Shiff, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 19 (C.H. Beck, 2nd Edition 2018).
- ↑ Shiff, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 19 (C.H. Beck, 2nd Edition 2018).
- ↑ Data revealing political opinions may include value judgments, statements, views and convictions. See Shiff, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 20 (C.H. Beck, 2nd Edition 2018).
- ↑ Mester, in Taeger, Gabel, DSGVO BDSG, Article 9, margin number 12, (C.H. Beck, 3rd Edition 2019).
- ↑ Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 9 GDPR, margin number 22 (C.H. Beck 2019).
- ↑ Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 9 GDPR, margin number 14 (C.H. Beck 2019).
- ↑ Datenschutzbehörde, DSB-2021-0.101.211, 15 February 2021, (available here).
- ↑ Datatilsynet, 20/02191-1 KBK/-, 2 July 2020 (available here).
- ↑ Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 9 GDPR, margin number 23 (C.H. Beck 2019).
- ↑ Expert Group Minutes 2016: Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, 'Minutes of the Second Meeting', 10 October 2016, (available here and here).
- ↑ CJEU, Case C-667/21, Krankenversicherung Nordrhein, 21 December 2023, margin number 47 (available here).
- ↑ ECJ, Judgement of 4 July 2023, Meta Platforms Inc. et al. v. Bundeskartellamt, C‑252/21, ECLI:EU:C:2023:537, paragraph 76 and the case law cited.
- ↑ Bygravel, Tosoni, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 4 GDPR, p. 185 (Oxford University Press, Oxford, 2020).
- ↑ EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), p. 20 (available here).
- ↑ Datatilsynet, DT-20/02136, 26 January 2021, p. 19 (available here).
- ↑ Shiff, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin numbers 38-39 (C.H. Beck, 2nd Edition 2018).
- ↑ Autoriteit Persoonsgegevens, 24 March 2020 (available here).
- ↑ Shiff, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin numbers 45-46 (C.H. Beck, 2nd Edition 2018).
- ↑ Datatilsynet, DT-20/02136, 26 January 2021, pp. 19-20 (available here) referring to EDPB, ‘Guidelines 8/2020 on the targeting of social media users’, 2 September 2020, pp. 34-36 (available here).
- ↑ CJEU, Case C-446/21, Maximilian Schrems v Meta Platforms Ireland Limited, 4 October 2024, margin number 79 (available here).
- ↑ CJEU, Case C-446/21, Maximilian Schrems v Meta Platforms Ireland Limited, 4 October 2024, margin number 80 et seq. (available here).
- ↑ CJEU, Case C-446/21, Maximilian Schrems v Meta Platforms Ireland Limited, 4 October 2024, margin number 82 (available here).
- ↑ Georgieval, Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 9 GDPR, p. 379 (Oxford University Press 2020).
- ↑ CJEU, C-291/12, Schwarz, 17 October 2013, margin number 55 (available here) referring to ECHR, S. and Marper, Applications nos. 30562/04 and 30566/04, 4 December 2008, margin number 103 (available here).
- ↑ Conseil d’Etat, N° 428451, 25 November 2020, (available here).
- ↑ Datenschutzbehörde, DSB-D124.1177/0006-DSB/2019, 22 January 2021 (available here).
- ↑ Integritetsskyddsmyndigheten, DI-2019-3375, 7 June 2021 (available here).
- ↑ § 8(1) GenDG (German Genetic Diagnostics Act).
- ↑ § 5(6) and (9) PAuswG (German Passport and Identity Card Act).
- ↑ § 7 and § 14 TPG (German Organ Transplant Law).
- ↑ § 284 and § 285 SGB V (German Social Insurance Code V)