Article 9 GDPR: Difference between revisions
Line 233: | Line 233: | ||
===== Political opinions ===== | ===== Political opinions ===== | ||
The GDPR does not provide a more detailed definition of the | The GDPR does not provide a more detailed definition of the expression ''"political opinion".'' On the one hand, supporting (or, as the case may be, rejecting support to)<ref>''Walker'', in Kühling/Buchner, DS-GVO BDSG, Article 9 GDPR, margin number 27 (Beck 2020, 3rd ed.) (accessed 29 December 2021).</ref> a political party or an ideological organization, subscribing to a politically oriented magazine, participating in offline and online petitions, meetings or demonstrations most likely amount to "political opinion". On the other end, opinions that focus on purely commercial facts or express private interest without reference to the public debate or the functioning of a democratic and pluralistic society are excluded from the definition.<ref>See ''Ship'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 19 (Beck, 2nd edition 2018) (accessed 29 December 2021).</ref> | ||
In cases of doubt, a ''broad understanding'' of the term "political opinion" is appropriate in order not to jeopardize the foundations of political opinion-forming.<ref>''Ship'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 19 (Beck, 2nd edition 2018) (accessed 29 December 2021).</ref> Precisely for these reasons, a fairly large number of ''activities'' are covered by the processing ban with regard to political opinions. They range, for example, from subscriber lists of party political magazines to lists of participants at political events or demonstrations to expressions of interest or approval for political groups in social networks, such as the "Like" on Facebook, as long as it allows a reliable conclusion on a political opinion. | In cases of doubt, a ''broad understanding'' of the term "political opinion" is appropriate in order not to jeopardize the foundations of political opinion-forming.<ref>''Ship'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 19 (Beck, 2nd edition 2018) (accessed 29 December 2021).</ref> Precisely for these reasons, a fairly large number of ''activities'' are covered by the processing ban with regard to political opinions. They range, for example, from subscriber lists of party political magazines to lists of participants at political events or demonstrations to expressions of interest or approval for political groups in social networks, such as the "Like" on Facebook, as long as it allows a reliable conclusion on a political opinion. | ||
===== Religious and philosophical beliefs ===== | ===== Religious and philosophical beliefs ===== |
Revision as of 14:59, 29 December 2021
Legal Text
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
- (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
- (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
- (e) processing relates to personal data which are manifestly made public by the data subject;
- (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
- (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
Relevant Recitals
Commentary
Article 9(1) GDPR contains a general prohibition for the processing of special categories of data; that is, data that the legislator has considered to be particularly sensitive for different reasons. Under Article 9(2) such general prohibition is excluded when certain requirements are met. Paragraph 3 lays down specific indications for processing carried out in the context of professional or institutional activities. Finally, Paragraph 4 allows Member States to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
(1) General Prohibition of Processing of Special Categories of Personal Data
In Article 9(1) the GDPR prohibits all processing of special categories of personal data unless it is based on one or more of the ten legal bases under Article 9(2) GDPR.
Special Categories of Data
The list of special categories of data is exhaustive[1] and includes: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
The WP29 has determined that the term “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade-union membership” refers not only to data which by its nature contains sensitive information but also data from which sensitive information with regard to an individual can be concluded.[2]
These categories are therefore meant to be interpreted broadly. The CJEU shares the same conclusions: “in the light of the purpose of the directive, the expression 'data concerning health' used in Article 8(1) thereof must be given a wide interpretation so as to include information concerning all aspects, both physical and mental, of the health of an individual”.[3]
Racial or ethnic origin
This category recognises and expresses the intention to protect the principle of non-discrimination and cultural diversity typical of any modern society. While the characteristic of "racial origin" is based on biological ancestry and hereditary characteristics, "ethnic origin" focuses more on the cultural aspect that characterizes a group of people. These include language, history, tradition, shared values and a sense of togetherness.[4] However, the use of the term 'racial' in no way means that the GDPR or the European Union accepts the definition or even worse the existence of a 'race' or 'ethnicity'. This assumption has already been made clear by the WP29[5] and subsequently confirmed by Recital 51 GDPR: “the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races”. Rather, the special protection is intended to counteract such theories.[6]
Political opinions
The GDPR does not provide a more detailed definition of the expression "political opinion". On the one hand, supporting (or, as the case may be, rejecting support to)[7] a political party or an ideological organization, subscribing to a politically oriented magazine, participating in offline and online petitions, meetings or demonstrations most likely amount to "political opinion". On the other end, opinions that focus on purely commercial facts or express private interest without reference to the public debate or the functioning of a democratic and pluralistic society are excluded from the definition.[8]
In cases of doubt, a broad understanding of the term "political opinion" is appropriate in order not to jeopardize the foundations of political opinion-forming.[9] Precisely for these reasons, a fairly large number of activities are covered by the processing ban with regard to political opinions. They range, for example, from subscriber lists of party political magazines to lists of participants at political events or demonstrations to expressions of interest or approval for political groups in social networks, such as the "Like" on Facebook, as long as it allows a reliable conclusion on a political opinion.
Religious and philosophical beliefs
The protection of religious beliefs aims to protect not only "traditional" religious affiliations but also other secular views (e.g. pacifism, socialism). Followers of natural religions and sects, atheists and anthroposophists, as well as Christians, Muslims, Buddhists or members of ideological organizations, have a right to the fact that information about their convictions may only be processed under special conditions.
In this way, for example, the Austrian DPA has held that negative PCR (SARS_CoV-2) test are to be qualified as health data.[10] This category also may include data on special needs of students, since it qualifies as health data.[11]
In the same sense, for example, data revealing racial data may include the shape of the face or eyes, and data revealing political opinions may include value judgments, statements, views and convictions.[12] The Austrian Federal Administrative Court also has held, for example, that data on the "affinity for a political party" also qualifies as special categories of personal data, namely as data on political opinions.[13]
The definitions for biometric and genetic data and data concerning health are provided by Article 4(13), (14) and (15) GDPR. Additionally, and in the same sense as before, these terms shall be interpreted broadly, so when genetic, biometric or health data can be inferred from other kind of data, it will be included in the protected special categories. For example, photographs can be considered biometric data when processed through a specific technical means allowing the unique identification or authentication of a natural person, as stated by Recital 51 GDPR.
Legal Basis – Relation to Article 6 GDPR
In accordance to Recital 51 GDPR, when processing data pursuant to Article 9 GDPR, not only conditions from such Article apply but the general principles and other rules of the GDPR shall be applied too. In particular, the conditions for lawful processing apply. Therefore, the processing of special categories of personal data cannot only be based on one of the exceptions and requirements from Article 9(2) and (3) GDPR, but also has to be based on a legal basis from Article 6(1) GDPR.[14] This also means that principles from Article 5 GDPR shall be applied when processing special categories of data.
(2) Exceptions
In accordance with Article 9(2) GDPR, special categories of data can only be processed when meeting one of the exceptions listed.
(a) Explicit Consent
The first exception, under letter (a), is obtaining the explicit consent of the data subject. As opposed to consent used as a legal basis from Article 6(1)(a) GDPR, consent from Article 9 GDPR is a qualified type of consent that requires a higher level of precision and will from the data subject. Consent will need a clearly affirmative action separate from other transactions.[15] Additionally, the data subject must give an express statement of consent.[16] Also, consent will need to meet all the other requirements from Article 7 GDPR.
For example, the Norwegian DPA has held that it is not possible to rely on this exception when consent is not valid under Article 6(1)(a) GDPR.[17]
(b) Necessary for the Purposes of Carrying Out Obligations and Exercising Specific Rights in the Field of Employment and Social Security Law
The second exception, under letter (b), is related to processing by employers that is necessary for the purposes of carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law. Such obligations and exercise of rights must be provided by law or by a collective agreement, and must provide for appropriate safeguards. Biometric and health data play an important role in this exception, and the necessity principle is key to avoid overuse.[18]
For example, the Dutch DPA has held that the processing of special categories of data – health data in this particular case – must be strictly necessary to achieve what is stated in the law; when the processing of certain categories of health data is not really necessary to comply with the legal obligation, the controller cannot rely on this exception for those categories.[19]
(c) Vital for the Protection of the Vital Interests of the Data Subject or of Another Natural Person Where the Data Subject is Incapable of Giving Consent
Thirdly, and similarly to the legal basis from Article 6(d) GDPR, Article 9(2) GDPR provides under letter (c) an exception to the processing of special categories of data when the processing is vital for the protection of the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent. As specified by Recital 46 GDPR, the processing shall take place only where the processing cannot be manifestly based on another legal basis; therefore, in order to use this exception, the data subject must be in a situation in which they are physically or legally unable to consent.
(d) In the Course of Legitimate Activities with Appropriate Safeguards by a Foundation, Association or any other Not-for-profit Body with a Political, Philosophical, Religious or Trade Union Aim
The fourth exception, under letter (d), is for the processing carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. Such bodies shall only carry out the processing internally, and the processing shall relate to members or former members. The rationale behind this exception is that often such bodies are intrinsically related with personal data that fall under the categories of Article 9 GDPR.
(e) Related to Personal Data which are Manifestly Made Public by the Data Subject
The fifth exception, under letter (e), makes reference to data that is manifestly made public. The word “manifestly” implies that the data subject must affirmatively make public the data and be aware of the result of such publicity. The mere existence in public space does not fall under the term of publication in this sense.[20]
The Norwegian DPA has considered, for example, that making use of a gay dating app does not amount to manifestly making public data about sexual orientation, since the data is mainly only visible to other members of the LGTBQ community, as it is necessary to have an account too, an anonymous profile can be used and there is not a clear warning of the public nature of the information.[21]
(f) Necessary for the Establishment, Exercise or Defence of Legal Claims or Whenever Courts are Acting in their Judicial Capacity
The sixth exception, under letter (f), relates to legal claims and judicial activities, that in many cases require the processing of certainly sensitive data. While the concept of legal claims and judicial activities is to be interpreted broadly in order to include every type of legal claim, since the term is not further specified, the exception itself should be interpreted restrictively, meaning that it will only be applicable to legal claims or activities and to immediate preparatory acts.[22]
(g) Necessary for Reasons of Substantial Public Interest, on the Basis of Union or Member State Law
The seventh exception, under letter (g), allows for the processing of special categories of data when there is a substantial public interest involved. The processing shall be carried out on the basis of Union or Member State law, and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The law must satisfy the principle of certainty and define the necessary safeguards, and therefore the right must be itself enshrined in the law.[23] Recital 46 GDPR provides, as an example, "processing that is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters."
(h) Necessary for Medicinal Purposes or for the Management of Health Systems and Services
The eighth exception, under letter (h), includes the processing of data that is necessary for medicinal purposes and for the provision of health services. Medicinal purposes entail preventive or occupational medicine, the assessment of the working capacity of the employee, or medical diagnosis. The management of health systems includes the provision of health or social care or treatment and the management of health or social care systems and services.
The processing must be carried out on the basis of Union or Member State law or pursuant to contract with a health professional. Additionally, Article 9(3) GDPR establishes a supplementary condition: the data shall be processed by or under the responsibility of a professional subject to the obligation of professional secrecy.
(i) Necessary for Reasons of Public Interest in the Area of Public Health
The ninth exception, under letter (i), includes data processed for the public interest in the area of the public health. An example of such public interest can be processing of personal data with the aim of protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. This must be done on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
These measures must be effective and must be provided by law. For example, the French Highest Administrative Court declared that a decree was unlawful due to the absence of sufficient guarantees to ensure that access to the processed health data did not exceed that which is strictly necessary for the exercise of the mission recognised by law.[24]
(j) Necessary for Archiving Ourposes in the Public Interest, Scientific or Historical Research Purposes or Statistical Purposes
The last exception, under letter (j), includes processing that is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This shall be based on Union or Member State law and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
For example, the Austrian DPA has held that labeling a person as "extreme right-wing" in a blog for the purpose of scientific research on the history of fascism and National Socialism, the resistance to the latter movements and on political manifestations of right-wing extremism, including the purpose of documentation and archiving, especially when such person has taken a basic political stance and repeatedly expressed this publicly, falls under this exception.[25]
(3) Professional Secrecy
Data processed for necessary for medicinal purposes or for the management of health systems and services, under the exception from Article 9(2)(h) GDPR, shall be processed by or under the responsibility of a professional subject to the obligation of professional secrecy.
The obligation of professional secrecy must be provided by national law and must be statutory. For example, the Swedish DPA has established that a confidentially contract cannot replace statutory professional secrecy, since confidentially obligations are not strong enough.[26]
(4) Opening Clause
According to Article 9(4) GDPR Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. Member States are not allowed to introduce additional legal bases and lower the level of protection for special categories of personal data.
For example, Germany has introduced rules regarding consent in a genetic examination or analysis,[27] protection for biometric data in passports and identity cards, that must be secured against unauthorized modification, deletion and readout,[28] the processing of personal data of organ donors,[29] and on data protection in the public health insurance and related associations.[30]
Decisions
→ You can find all related decisions in Category:Article 9 GDPR
References
- ↑ Georgieval, Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 9 GDPR, p. 375 (Oxford University Press 2020). However, other GDPR provisions consider and regulate processing relating to other categories of data such as data relating to criminal convictions under Article 10 GDPR. See, Albers, Veit, in BeckOK DatenschutzR, Article 9 GDPR, margin number 18 (Beck 2021, 38th ed.) (accessed 29 December 2021).
- ↑ WP29, Advice paper on special categories of data (“sensitive data”), 20 April 2011, p. 6.
- ↑ CJEU, 6 November 2003, Bodil Lindqvist, C-101/01, margin number 50 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=48382&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=157699).
- ↑ Walker, in Kühling/Buchner, DS-GVO BDSG, Article 9 GDPR, margin number 26 (Beck 2020, 3rd ed.) (accessed 29 December 2021).
- ↑ WP29, Advice paper on special categories of data (“sensitive data”), 20 April 2011, p. 10.
- ↑ Walker, in Kühling/Buchner, DS-GVO BDSG, Article 9 GDPR, margin number 25 (Beck 2020, 3rd ed.) (accessed 29 December 2021).
- ↑ Walker, in Kühling/Buchner, DS-GVO BDSG, Article 9 GDPR, margin number 27 (Beck 2020, 3rd ed.) (accessed 29 December 2021).
- ↑ See Ship, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 19 (Beck, 2nd edition 2018) (accessed 29 December 2021).
- ↑ Ship, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 19 (Beck, 2nd edition 2018) (accessed 29 December 2021).
- ↑ Datenschutzbehörde, 15 February 2021, DSB-2021-0.101.211 (available here https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=096d50fd-d36d-4a43-bb00-5ff38c3b6f4d&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20210215_2021_0_101_211_00).
- ↑ Datatilsynet, 2 July 2020, 20/02191-1 KBK/- (available here https://www.datatilsynet.no/contentassets/9d5792264c884f3a903d3981c38812ac/~-20_02191-1-vedtak-om-overtredelsesgebyr---ralingen-kommune-202444_10_1.pdf).
- ↑ Schiff, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 15-22 (Beck, 2nd edition 2018) (accessed 10 July 2021).
- ↑ Bundesverwaltungsgericht, 26 November 2020, W258 2217446-1 (available here https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=e9b780cb-e5e0-4be8-81e7-7a49b08cc25b&Position=1&SkipToDocumentPage=True&Abfrage=Bvwg&Entscheidungsart=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=DSGVO&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=BVWGT_20201126_W258_2217446_1_00).
- ↑ Expert Group Minutes 2016: Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, 'Minutes of the Second Meeting', 10 October 2016, (available here https://ec.europa.eu/transparency/expert-groups-register/core/api/front/expertGroupAddtitionalInfo/27803/download and https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?do=groupDetail.groupDetail&groupID=3461).
- ↑ Bygravel, Tosoni, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 4 GDPR, p. 185 (Oxford University Press, Oxford, 2020).
- ↑ EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, p. 20.
- ↑ Datatilsynet, 26 January 2021, DT-20/02136 (available here https://www.datatilsynet.no/contentassets/da7652d0c072493c84a4c7af506cf293/advance-notification-of-an-administrative-fine.pdf).
- ↑ Schiff, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 38-40 (Beck, 2nd edition 2018) (accessed 10 July 2021).
- ↑ Autoriteit Persoonsgegevens, 24 March 2020 (available here https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boete_cpa_verzuimregistratie.pdf).
- ↑ Schiff, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 9 GDPR, margin number 45-46 (Beck, 2nd edition 2018) (accessed 10 July 2021).
- ↑ Datatilsynet, 26 January 2021, DT-20/02136 (available here https://www.datatilsynet.no/contentassets/da7652d0c072493c84a4c7af506cf293/advance-notification-of-an-administrative-fine.pdf) with reference to EDPB, Guidelines 8/2020 on the targeting of social media users, 2 September 2020, p. 34-36.
- ↑ Georgieval, Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 9 GDPR, p. 379 (Oxford University Press 2020).
- ↑ CJEU, 17 October 2013, Schwarz, C‑291/12, margin number 55 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=143189&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=166148) with reference to ECHR, 4 December 2008, S. and Marper, Applications nos. 30562/04 and 30566/04, § 103 (available here https://hudoc.echr.coe.int/eng#{%22fulltext%22:%5B%22S.%20and%20Marper%22%5D,%22documentcollectionid2%22:%5B%22GRANDCHAMBER%22,%22CHAMBER%22%5D,%22itemid%22:%5B%22001-90051%22%5D}).
- ↑ Conseil d’Etat, 25 November 2020, N° 428451 (available here https://www.legifrance.gouv.fr/ceta/id/CETATEXT000042570046?tab_selection=cetat&searchField=ALL&query=428451&searchType=ALL&juridiction=TRIBUNAL_CONFLIT&juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&juridiction=TRIBUNAL_ADMINISTATIF&sortValue=DATE_DESC&pageSize=10&page=1&tab_selection=cetat#cetat).
- ↑ Datenschutzbehörde, 22 January 2021, DSB-D124.1177/0006-DSB/2019 (available here https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=ade5bfc2-3a92-44cc-90b6-36c9132c2332&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20210122_DSB_D124_1177_0006_DSB_2019_00 ).
- ↑ Integritetsskyddsmyndigheten, 7 June 2021, DI-2019-3375 (available here https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-07-beslut-medhelp.pdf).
- ↑ § 8(1) GenDG (German Genetic Diagnostics Act).
- ↑ § 5(6) and (9) PAuswG (German Passport and Identity Card Act).
- ↑ § 7 and § 14 TPG (German Organ Transplant Law).
- ↑ § 284 and § 285 SGB V (German Social Insurance Code V)