Explanation
ISO 27701
Recitals
(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection, because the context of their processing could create significant risks to those fundamental rights and freedoms. Such personal data should include personal data revealing racial or ethnic origin, although the use of the term "racial origin" in this Regulation does not imply that the Union accepts theories which attempt to establish the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data, since photographs are covered by the definition of biometric data only when they are processed through specific identification means that allow the unique identification or authentication of the data subject. Such personal data should not be processed, unless the processing is allowed in the specific cases set out in this Regulation, taking into account that Member State law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation, for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should also apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition on processing such special categories of personal data should be explicitly provided for, including where the data subject gives explicit consent or where the processing meets specific needs, in particular where it is carried out in the course of the legitimate activities of certain associations or foundations whose purpose is to permit the exercise of fundamental freedoms.
(52) Derogating from the prohibition on processing special categories of personal data should also be allowed where Union or Member State law so provides and suitable safeguards exist to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular for the processing of personal data in the field of employment law, social law including pensions and health and safety, for monitoring and alert purposes, and for the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation from the prohibition on processing such personal data should also be allowed where the processing is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
(53) Special categories of personal data which merit higher protection should be processed only for health-related purposes, and only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including the processing of such data by the management and central national health authorities for the purposes of quality control, management information and the general national and local supervision of the health or social care system, and to ensure the continuity of health or social care and cross-border healthcare or health security, for monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on Union or Member State law which must meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide harmonised conditions for the processing of such special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including but not limited to conditions on the processing of genetic data, biometric data or data concerning health. However, where those conditions apply to the cross-border processing of such personal data, they should not hamper the free flow of personal data within the Union.
(54) The processing of special categories of personal data without the consent of the data subject may be necessary for reasons of public interest in the area of public health. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of the data subject. In that context, "public health" should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council [11], namely all elements related to health (that is, health status), including morbidity and disability, the determinants having an effect on that health status, health-care needs, the resources allocated to health care, the provision of and universal access to health care, health-care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in the personal data being processed for other purposes by third parties such as employers, insurance companies or banks.
(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations is carried out on grounds of public interest.
(56) Where, in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.
Guidelines & Case law
The first exception is based on “explicit consent”. Article 9 consent differs from the general notion of consent in article 6 in one important aspect: it must be explicitly provided by the person concerned. This means that the consent must be freely given, specific, informed and unambiguous, as defined in article 4 (11), and, in addition to these requirements, it must be “explicit”.
What form of consent is considered “explicit” and thus valid under article 9? The sensitive nature of the data involved calls for a consent that goes beyond the regular “statement or clear affirmative action” [article 4 (11)] on the part of the data subject. It means that s/he must give “an express statement of consent” (Guidelines on Consent), even where services are provided on a contractual basis. An explicit consent is needed because there is no contract-based exception in article 9 (2) that a controller can rely on.
The Guidelines on Consent suggest that a written statement, or even a signed written statement, may be required, even though the GDPR does not prescribe such a form of consent. A signed consent may be relevant if health data are collected, for example, in the context of services offered by a private clinic or a convalescent home. A plastic surgeon may need to gather information about a client’s health condition or share medical information to seek a second opinion from one of her/his colleagues. The managers of a convalescent home will have to gather information about a future resident’s health condition to arrange the appropriate services needed during her/his stay.
A signed written statement is not as practical in the digital or online environment. How can a person consent if, for example, s/he buys a plane ticket online and requires special medical assistance at boarding time, during the flight or on arrival at the destination? A valid consent will also be difficult to obtain if a person places an online order for special eyewear, as the seller has to collect health-related information about her/his vision and share it with the manufacturer.
Simply following a link or ticking a box might be regarded as insufficient consent in these examples. The Guidelines on Consent recommend other forms of consent, such as filling in an electronic form, using an electronic signature, recording an oral statement or proceeding with a two-step verification (for example, ticking a box in a form and then confirming the consent by email).
Article 9 prescribes that a person must consent “for one or more specified purposes”. The requirement goes beyond the “specific” quality of consent required by article 4 (11). Purposes must be clearly specified, which implies that the consent must be tied to specific data or precise categories of data that the controller will be allowed to process.
You must always remember that the GDPR is not a complete statement of the law on data protection in a particular Member State, and this is particularly true here because there is an exception to the exception. Consent is not a valid basis for processing special categories of personal data where a Member State provides in its national legislation that the prohibition on processing such data may not be lifted by the individual, as the GDPR allows it to do.