9. cikk 📖 GDPR. A személyes adatok különleges kategóriáinak kezelése

9. cikk GDPR. A személyes adatok különleges kategóriáinak kezelése

Article 9 GDPR. Processing of special categories of personal data

(1) A faji vagy etnikai származásra, politikai véleményre, vallási vagy világnézeti meggyőződésre vagy szakszervezeti tagságra utaló személyes adatok, valamint a természetes személyek egyedi azonosítását célzó genetikai és biometrikus adatok, az egészségügyi adatok és a természetes személyek szexuális életére vagy szexuális irányultságára vonatkozó személyes adatok kezelése tilos.

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Irányelvek & Case Law Preambulumbekezdése

Irányelvek & Case Law

(EN)

Documents

Article 29 Working Party, Opinion 2/2012 on Facial Recognition in Online and Mobile Services (2012).

Article 29 Working Party, Opinion 3/2012 on Developments in Biometric Technologies (2012).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

EDPB, Guidelines 8/2020 on the targeting of social media users (2020):

If a social media provider or a targeter uses observed data to categorise users as having certain religious, philosophical or political beliefs-regardless of whether the categorization is correct/true or not-this categorisation of the user must obviously be seen as processing of special category of personal data in this context. As long as the categorisation enables targeting based on special category data, it does not matter how the category is labelled.

EDPB, Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (2020).

Financial transactions can reveal sensitive information about individual data subject, including those related to special categories of personal data. For example, political opinions and religious beliefs may be revealed by donations made to political parties or organisations, churches or parishes. Trade union membership may be revealed by the deduction of an annual membership fee from a person’s bank account. Personal data concerning health may be gathered from analysing medical bills paid by a data subject. Finally, information on certain purchases may reveal information concerning a person’s sex life or sexual orientation.

Moreover, through the sum of financial transactions, different kinds of behavioural patterns could be revealed, including special categories of personal data and additional services that are facilitated by account information services might rely on profiling as defined by article 4 (4) of the GDPR. Therefore, the chances are considerable that a service provider processing information on financial transactions of data subjects also processes special categories of personal data.

Preambulumbekezdése

(51) Az alapvető jogok és szabadságok szempontjából a természetüknél fogva különösen érzékeny személyes adatok egyedi védelmet igényelnek, mivel az alapvető jogokra és szabadságokra nézve a kezelésük körülményei jelentős kockázatot hordozhatnak. Ilyen adatnak minősül a faji vagy etnikai származásra utaló személyes adatok is; e tekintetben megjegyzendő, hogy a „faji származás” kifejezés e rendelet keretében történő alkalmazása nem értelmezhető úgy, hogy az Unió elfogadja a különböző emberi fajok létezésének megállapítására törekvő elméleteket. A fényképek kezelését nem szükséges szisztematikusan különleges adatkezelésnek tekinteni, mivel azokra csak azokban az esetekben vonatkozik a biometrikus adatok fogalommeghatározása, amikor a természetes személy egyedi azonosítását vagy hitelesítését lehetővé tevő speciális eszközzel kezelik őket. Az ilyen adatok nem kezelhetők, kivéve, ha az adatkezelés az e rendeletben meghatározott egyedi esetekben megengedett, azt is figyelembe véve, hogy a tagállami jog különös rendelkezéseket állapíthat meg az adatok védelmére vonatkozóan annak érdekében, hogy kiigazítsák az e rendeletben foglalt szabályok alkalmazását valamely jogi kötelezettségnek való megfelelés vagy közérdekből végzett feladat végrehajtása vagy az adatkezelőre ruházott közhatalmi jogosítvány gyakorlása tekintetében. Az ilyen adatkezelésre vonatkozó konkrét előírásokon kívül e rendelet általános elveit és egyéb szabályait kell alkalmazni, különösen a jogszerű adatkezelés feltételei tekintetében. A személyes adatok ilyen különleges kategóriáinak kezelésére vonatkozó általános tilalomtól való eltérésről kifejezetten rendelkezni kell, ideértve, ha az érintett egyértelmű hozzájárulását adja, vagy bizonyos sajátos adatkezelési szükségletekre tekintettel, különösen, ha az adatkezelést jogszerű tevékenységük keretében olyan egyesületek, illetve alapítványok végzik –, amelyek célja az alapvető szabadságok gyakorlásának lehetővé tétele.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

(2) Az (1) bekezdés nem alkalmazandó abban az esetben, ha:

2. Paragraph 1 shall not apply if one of the following applies:

Preambulumbekezdése

(52) A személyes adatok különleges kategóriáira vonatkozó adatkezelési tilalomtól való eltérés szintén megengedhető, ha erről az uniós vagy tagállami jog rendelkezik, és ha arra megfelelő garanciák mellett kerül sor a személyes adatok és más alapvető jogok védelme érdekében, ha ez valamely közérdeken alapul, így különösen a foglalkoztatási jog és a szociális védelmi jog területén, a nyugdíjakat is beleértve, valamint a népegészség-védelem, a nyomonkövetési és riasztási célok, a fertőző betegségek és más súlyos egészségügyi veszélyek megelőzése, valamint az ellenük való védekezés érdekében végzett személyesadat-kezelés esetében. Ezekre az eltérésekre egészségügyi célokból – köztük a népegészségüggyel és az egészségügyi szolgáltatások irányításával kapcsolatos célokból – kerülhet sor, különösen annak biztosítása érdekében, hogy az egészségbiztosítási rendszer szolgáltatásaival és juttatásaival kapcsolatos igények rendezésére szolgáló eljárások magas szintűek és költséghatékonyak legyenek, továbbá a közérdekű archiválás céljából, tudományos és történelmi kutatási célból vagy statisztikai célból. Eltérés alapján az ilyen személyes adatok kezelése olyan esetekben lehetséges, amikor az jogi igények előterjesztése, érvényesítése, illetve védelme céljából szükséges, függetlenül attól, hogy erre bírósági eljárás, közigazgatási, vagy egyéb, nem bírósági útra tatozó eljárás keretében kerül-e sor.

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) A különleges kategóriába tartozó, magasabb szintű védelmet igénylő személyes adatokat kizárólag abban az esetben lehet az egészséggel kapcsolatos célokból kezelni, ha az az említett céloknak a természetes személyek és a társadalom egészének érdekében történő eléréséhez szükséges, különösen az egészségügyi és szociális szolgáltatások és rendszerek irányításának összefüggésében, beleértve azt is, amikor az irányító és központi nemzeti egészségügyi hatóságok a következő célokból végzik az ilyen adatok kezelését: minőségellenőrzés, információkezelés, valamint az egészségügyi és szociális rendszer általános országos és helyi felügyelete, továbbá az egészségügyi és szociális ellátás, a határokon átnyúló egészségügyi ellátás, valamint a népegészség-védelem folytonosságának biztosítása, nyomonkövetési és riasztási célok, a közérdekű archiválás céljából, tudományos és történelmi kutatási vagy statisztikai célból közérdekű célt szolgáló uniós vagy tagállami jog alapján, illetve a népegészség területén közérdekből készített tanulmányok céljából. Ebből kifolyólag a sajátos adatkezelési szükségletek tekintetében ebben a rendeletben harmonizált feltételeket kell meghatározni az egészségügyi személyes adatok különleges kategóriáinak kezelésére vonatkozóan, különösen azt illetően, ha ezen adatok kezelését bizonyos egészséggel kapcsolatos célokból olyan személyek végzik, akikre jogszabályban megállapított szakmai titoktartási kötelezettség vonatkozik. Az uniós vagy tagállami jogban rendelkezni kell olyan célzott és megfelelő intézkedésekről, amelyek a természetes személyek alapvető jogainak és személyes adatainak védelmére irányulnak. A tagállamok további feltételeket – például korlátozásokat – tarthatnak hatályban, illetve vezethetnek be a genetikai adatok, a biometrikus adatok és az egészségügyi adatok kezelésére vonatkozóan. Ez azonban nem akadályozhatja a személyes adatok Unión belüli szabad áramlását azokban az esetekben, amikor az említett feltételek az ilyen adatok határokon átnyúló kezelésére vonatkoznak.

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

(54) A népegészség területén közérdekből szükséges lehet a személyes adatok különleges kategóriáinak az érintett hozzájárulása nélkül történő kezelése. Az ilyen adatkezelés vonatkozásában a természetes személyek jogainak és szabadságainak védelme érdekében, megfelelő és célzott intézkedéseket kell hozni. Ebben az összefüggésben a „népegészség” fogalmát az 1338/2008/EK európai parlamenti és tanácsi rendeletben (11) meghatározottak szerint a következőképpen kell értelmezni: valamennyi, az egészséggel kapcsolatos elem, nevezetesen az egészségi állapot – beleértve a morbiditást és a fogyatékosságot –, az egészségi állapotot meghatározó tényezők, az egészségügyi ellátással kapcsolatos igények, az egészségügyi ellátásra biztosított források, az egészségügyi ellátás nyújtása és az ahhoz való általános hozzáférés, valamint az egészségügyi ellátással kapcsolatos kiadások és finanszírozás, továbbá a halálokok. Az egészségügyi adatok ilyen közérdekű kezelése nem eredményezheti a személyes adatok más célokból harmadik személyek, így munkáltatók, vagy biztosítók és bankok általi kezelését.

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council [11], namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

_{(11) Az Európai Parlament és a Tanács 1338/2008/EK rendelete ( 2008. december 16.) a népegészségre és a munkahelyi egészségre és biztonságra vonatkozó közösségi statisztikáról (HL L 354., 2008.12.31., 70. o.). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC}

_{[11] Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC}

(55) A személyes adatok hatóságok általi, hivatalosan elismert vallási szervezetek alkotmányjogban vagy nemzetközi közjogban megállapított céljainak elérése érdekében történő kezelése közérdeken alapulónak minősül.

(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

(56) Ha választással kapcsolatos tevékenységek során valamely tagállamban a demokratikus rendszer működése megkívánja, hogy a politikai pártok személyes adatokat gyűjtsenek az emberek politikai véleményéről, akkor az ilyen adatok kezelése közérdekből megengedhető, feltéve hogy megfelelő garanciák vannak érvényben.

(56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

a) az érintett kifejezett hozzájárulását adta az említett személyes adatok egy vagy több konkrét célból történő kezeléséhez, kivéve, ha az uniós vagy tagállami jog úgy rendelkezik, hogy az (1) bekezdésben említett tilalom nem oldható fel az érintett hozzájárulásával;

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

Szakértői kommentár ISO 27701 Kapcsolatok

Szakértői kommentár

(EN) The first exception is based on “explicit consent”. Article 9 consent differs from the general notion of consent of article 6 in one important aspect: it must be explicitly provided by the person concerned. It means that the consent must be freely given, specific, informed, and unambiguous, under the definition of article 4 (11), and, in addition to these requirements, it must be “explicit”.

What form of consent is considered “explicit” and thus valid under article 9? The sensitive nature of the data involved entails a consent that goes beyond the regular “statement or clear affirmative action” [article 4 (11)] on the part of the data subject. It means that s/he must give “an express statement of consent” (Guidelines on Consent), even in the case where services are provided on a contractual basis. An explicit consent is needed because there is no contract based exceptions in article 9 (2) a controller can rely on.

The Guidelines on Consent suggest that a written statement or even a signed written statement may be required, even though the GDPR does not prescribe such a form of consent. A signed consent may be relevant if health data are collected, for example, in the context of services offered by a private clinic or a convalescent home. A plastic surgeon may need to gather information about a client’s health condition or share medical information to seek a second opinion from one of her/his colleagues. The managers of a convalescent home will have to gather information about a future pensionary’s health condition to arrange the appropriate services needed during her/his stay.

A signed written statement is not as practical in the digital or online environment. How can a person consent if, for example, s/he buys a plane ticket online and requires special medical assistance at boarding time, during the flight or at her/his arrival at destination? A valid consent will also be difficult to obtain if a person places an online order for buying special eyewear as the seller has to collect health-related information about her/his vision and share it with the manufacturer.

Simply following a link or ticking a box might be regarded as an insufficient consent in these examples. The Guidelines on Consent recommend other forms of consent, like filling in an electronic form, using an electronic signature, recording an oral statement or proceeding with a two-step verification (ticking a box in a form and confirming the consent by email afterward, for example).

Article 9 prescribes that a person must consent “for one or more specified purposes”. The requirement goes beyond the “specific” quality of consent required by article 4 (11). Purposes must be clearly specified, which implies that the consent must be tied to specific data or precise categories of data that the controller will be allowed to process.

You must always remember that the GDPR is not a complete statement on the state of the law on data protection in a particular Member State, and it is particularly true here because there is an exception to the exception. Consent is an invalid basis to process special categories of personal data if a Member State prohibits the lifting of the prohibition for processing special categories of personal data by an individual in its national legislation, as the GDPR allows it.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 9(2)(a) GDPR:

7.2.4 Obtain and record consent

Control

The organization should obtain and record consent from PII principals according to the documented processes.

Implementation guidance

The organization should obtain and record consent from PII principals in such a way that it can provide on request details of the consent provided (for example the time that consent was provided, the identification of the PII principal, and the consent statement).

(EN) […]

(EN) Sign in
to read the full text

Kapcsolatok

Guidelines on consent under Regulation 2016/679

OBTAINING EXPLICIT CONSENT

93. The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.[47]

_{[47] See also WP29 Opinion 15/2011, on the definition of consent (WP 187), p. 25.}

94. However, such a signed statement is not the only way to obtain explicit consent and, it cannot be said that the GDPR prescribes written and signed statements in all circumstances that require valid explicit consent. For example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. In theory, the use of oral statements can also be sufficiently express to obtain valid explicit consent, however, it may be difficult to prove for the controller that all conditions for valid explicit consent were met when the statement was recorded.

95. An organisation may also obtain explicit consent through a telephone conversation, provided that the information about the choice is fair, intelligible and clear, and it asks for a specific confirmation from the data subject (e.g. pressing a button or providing oral confirmation).

b) az adatkezelés az adatkezelőnek vagy az érintettnek a foglalkoztatást, valamint a szociális biztonságot és szociális védelmet szabályozó jogi előírásokból fakadó kötelezettségei teljesítése és konkrét jogai gyakorlása érdekében szükséges, ha az érintett alapvető jogait és érdekeit védő megfelelő garanciákról is rendelkező uniós vagy tagállami jog, illetve a tagállami jog szerinti kollektív szerződés ezt lehetővé teszi;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

Szakértői kommentár

(EN) Processing of special categories of personal data in the field of employment, social security, and social protection law is possible only if it is “necessary” (read about the necessity and proportionality principles in the general commentary below) and it satisfies two other conditions:

it is authorised by the European Union or Member State law or a collective agreement; and
there are appropriate safeguards in place to protect the fundamental rights and interests of individuals.

The European regulation essentially refers to the legislation of the Member States to acknowledge the existence of exceptions and verify if individuals’ fundamental rights are preserved. Therefore, there are no general rules applicable to the entire Union and the exception can only be understood on a State by State basis. The controller has to invoke a specific legal provision authorizing the processing of personal data in the context of employment, social security or social protection law.

Member States may allow employers to collect personal data in order to provide health insurance policies to their employees, maintain records of sick, maternity or paternity leaves, deduct union dues from payslips or provide special working conditions or environment to persons with disabilities. They can also authorize insurers, for example, to process health data for paying accidents or invalidity indemnities to employees.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

c) az adatkezelés az érintett vagy más természetes személy létfontosságú érdekeinek védelméhez szükséges, ha az érintett fizikai vagy jogi cselekvőképtelensége folytán nem képes a hozzájárulását megadni;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

Szakértői kommentár

(EN) According to article 9 2) (c), processing of special categories of personal data is allowed if it is “necessary” (read about the necessity and proportionality principles in the general commentary below) to protect a person’s vital interests or third parties’ ones. The vital interests exception is similar to article 6 1) (d) lawful basis to process data except that it applies only if you cannot obtain a person’s consent.

The scope of the exception is limited as it concerns only the protection of a “vital interest” of a person, that is to say, “an interest which is essential for [her/his] life” (recital 46). It includes threats to the physical integrity or life of a person or a third person. In other words, it must be a matter of life and death even though recital 46 seems to widen the scope of the exception. It suggests that it may also apply to humanitarian situations such as monitoring epidemics or providing relief for natural or man-made disasters.

The second condition limits drastically the scope of the vital interests exception: it may be invoked only if the individual is physically or legally incapable of giving consent. It can be the case if a person is unconscious, for example, or is unable to consent because of her/his legal status, like a minor or an adult under guardianship or trusteeship. You should ask for explicit consent, according to paragraph 2 a) of article 9, whenever it is possible. You cannot rely on the vital interests exception as an alternative option if a person is able to consent and has refused to do so.

Essentially, the vital interests exception is useful for medical emergency situations. If a person has suffered a life-threatening injury, for example, the medical staff may need her/his medical history to decide on the proper treatment. As the person is unable to offer her/his consent, the hospital needs a legal basis to process her/his health data and the vital interests exception might prove useful. It can also be convenient in cases of epidemics. It may be impossible for all infected individuals to consent in a timely manner to allow medical staff to gather data in order to prevent the spread of the epidemic and, in doing so, to protect third parties’ vital interests.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

d) az adatkezelés valamely politikai, világnézeti, vallási vagy szakszervezeti célú alapítvány, egyesület vagy bármely más nonprofit szervezet megfelelő garanciák mellett végzett jogszerű tevékenysége keretében történik, azzal a feltétellel, hogy az adatkezelés kizárólag az ilyen szerv jelenlegi vagy volt tagjaira, vagy olyan személyekre vonatkozik, akik a szervezettel rendszeres kapcsolatban állnak a szervezet céljaihoz kapcsolódóan, és hogy a személyes adatokat az érintettek hozzájárulása nélkül nem teszik hozzáférhetővé a szervezeten kívüli személyek számára;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

Szakértői kommentár

(EN) The General Data Protection Regulation contains a circumscribed exception for the processing of special categories of personal data by the following types of organizations:

associations;
foundations; and
other not-for-profit bodies.

The list appears to be closed and limited to these exact types of organizations, excluding any other types. As the legal status of charity, nonprofit, and philanthropy organizations is not uniform in the European Union, one should not attach too much importance to the name of the concerned body. The word “other” confirms that the list is illustrative and the exact nature of the organization depends on the legal form and structure the Member States give them.

It is more a question of the aims or goals of the organization than of its exact denomination, as it must pursue one of the following objectives

political;
philosophical;
religious; or
trade union.

The list refers to a limited number of activities and it cannot be extended beyond. Political parties, worship organizations or trade unions are clearly targeted. The philosophical aim category is not as easy to define. An organization devoted to environmental, vegan or anti-speciesism questions may qualify as pursuing a philosophical goal depending on a Member State law. How far that category may be expanded will depend on the Court of Justice of the European Union interpretation of the provision.

These organizations must process special categories of personal data only in the course of their “legitimate activities”. It means that the processing must be directly connected to the political, philosophical, religious or trade union activities of the organization. An association, a foundation or any other not-for-profit body cannot invoke that exception to process special categories of personal data that are not closely related to its core activities in accordance with its purposes and powers set out in its governing charter.

The GDPR requires that organizations handle special categories of personal data with appropriate safeguards. It is not clear what exactly the legislator had in mind by adopting this additional condition. It clearly implies that proper security measures should be in place to protect the processed data due to their sensitive nature. Data must also be accessible only to the persons who need to deal with them to achieve the organizations’ aims.

It follows logically that the personal data cannot be disclosed outside the organization, although article 9 2) (d) allows such divulgation with the consent of the concerned individuals. The body cannot share its membership list, for example, with other organizations unless it obtained its members’ consent. I do not see any legal impediment prohibiting the selling of that same list to finance the organization’s activities if its members consent to the divulgation of their personal data. The organization will also have to seek consent to name any individual members in a fundraiser campaign or an annual report, for example.

The scope of the exception is limited to processing special categories of personal data concerning an organization’s i) members, ii) former members or iii) individuals who have “regular contact” with it in connection with its goals. It excludes the organization’s employees or prospective members before they join the organization, but it may include partners, contributors or regular beneficiaries of the organization’s services who are not formally members of it.

It is a self-evident exception to the general rule that special categories of personal data cannot be processed as it allows organizations that owe their existence solely to the pursuit of one of the goals mentioned to process data essential to their operation. How would a political party exist if it cannot process the political opinions of their partisans? It is the same with trade unions that have to deal with data concerning their members or churches that have to process data revealing their believers’ religious beliefs in the course of their regular activities (see article 91).

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

e) az adatkezelés olyan személyes adatokra vonatkozik, amelyeket az érintett kifejezetten nyilvánosságra hozott;

(e) processing relates to personal data which are manifestly made public by the data subject;

Szakértői kommentár Irányelvek & Case Law

Szakértői kommentár

(EN) The European legislator introduced an exception – for special categories of personal data which are manifestly made public by a person – that seems completely logical at first glance. If a person willingly shares her/his data, it sounds reasonable to allow the processing of these data by third parties. On second thought, many questions come to mind. What does “manifestly” mean? When are data “public”? How to determine if a person intended to make her/his data public?

The exception does not concern all special categories of data publicly available. It applies strictly to data that an individual personally disclosed. It must be a publication that results from a clear and voluntary decision from an individual to disclose information about her/him. It should not be an accidental, inadvertent, involuntary or unintentional disclosure. It should be the result of a free and deliberate decision. The individual must be fully conscious that s/he made her/his data public. Thus, it excludes leaked data, data accessible after a security breach or data shared unintentionally or by inadvertence…

(EN) […]

(EN) Sign in
to read the full text

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Irányelvek & Case Law

(EN) EDPB, Guidelines 8/2020 on the targeting of social media users (2020):

The word “manifestly” implies that there must be a high threshold for relying on this exemption.The EDPB notes that the presence of a single element may not always be sufficient to establish that the data have been “manifestly” made public by the data subject. In practice,a combination of the following or other elements may need to be considered for controllers to demonstrate that the data subject has clearly manifested the intention to make the data public, and a case-by-case assessment is needed. The following elements may be relevant to help inform this assessment:

the default settings of the social media platform (i.e. whether the data subject took a specific action to change these default private settings into public ones); or

the nature of the social media platform (i.e. whether this platform is intrinsically linked with the idea of connecting with close acquaintances of the data subject or creating intimate relations (such as online dating platforms), or if it is meant to provide a wider scope of interpersonal relations, such as professional relations, or microblogging, etc… ; or

the accessibility of the page where the sensitive data is published (i.e. whether the information is publically accessible or if, for instance, the creation of an account is necessary before accessing the information); or

the visibility of the information where the data subject is informed of the public nature of the information that they publish (i.e. whether there is for example a continuous banner on the page, or whether the button for publishing informs the data subject that the information will be made public…); or

if the data subject has published the sensitive data himself/herself, or whether instead the data has been published by a third party (e.g. a photo published by a friend which reveals sensitive data) or inferred.

The EDPB notes that the presence of a single element may not always be sufficient to establish that the data have been “manifestly” made public by the data subject. In practice,a combination of these or other elements may need to be considered for controllers to demonstrate that the data subject has clearly manifested the intention to make the data public.

f) az adatkezelés jogi igények előterjesztéséhez, érvényesítéséhez, illetve védelméhez szükséges, vagy amikor a bíróságok igazságszolgáltatási feladatkörükben járnak el;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

Szakértői kommentár

(EN) The legal exception comprises two distinct parts, as it applies to:

processing necessary for establishing, exercising or defending a legal claim, and
courts acting in their judicial capacity.

1) The legal claim exception, in the context of article 9, is broad and is not limited to pending legal proceedings. It applies to ongoing legal claims along with prospective ones. A person may have to share personal data in order to obtain legal advice, to report a situation that may potentially lead to a legal claim or to prepare future proceedings, even if no procedures have been filed in court yet. It might concern administrative or court proceedings, as well as out-of-court procedures (recital 52).

The keyword in paragraph 2) (f) is “necessary” (read about the necessity principle in the general commentary below): the use of personal information must be necessary to establish, exercise or defend legal rights. It still needs to be defined what necessary means in the context of the GDPR. A reference to the general necessity principle in European Union law should lead to justifying the use of personal data for the legal claim exception based on objective evidence. There must be a substantial connection between the processing and the data processed in the context of a specific case.

The use of personal data should also be proportionate (read about the proportionality principle in the general commentary below): it should not go beyond what is necessary to achieve the objective pursued. Data used must be adequate and relevant “for the establishment, exercise or defence of legal claims” and their use should be limited to what is needed. In other words, it means that you should not use more data than what is necessary to proceed.

An example of using personal data before any legal proceedings have been initiated is if you have to report an accident to your insurer. Your insurer will eventually have to deal with data concerning your health or the health of other persons implicated in the accident. It does not mean that a claim will be brought before the court and if so, that it will not be settled before any proceedings take place.

I may cite another typical example, concerning this time the establishment of a defence to an actual legal claim. Your employee is suing you after that an accident has occurred in the workplace. You will have to share the details of the accident, including information in your possession about the injuries your employee has suffered, with your lawyer. As these data are considered health-related information, you will have to invoke paragraph 2) (f) exception.

2) The second part of the legal exception concerns courts acting in their judicial capacity. The exception is necessary to preserve the independence of justice (recital 20), which also ensures compliance with legal guarantees provided for by European and national rights and freedoms instruments. The GDPR does not specify the scope of the expression “courts […] acting in their judicial capacity”, except that it includes the decision-making process (recital 20).

Article 9 mentions only “courts”, but recital 97 seems to extend the exception to “independent judicial authorities”. Even if it is not the case, the interpretation of the term “court” may lead to such an extension. It raises questions in consequence for many existing procedures lead by quasi-judicial bodies, like arbitrators, arbitration tribunals or public administrative agencies. They conduct proceedings, during which the rights and freedoms of the parties involved must be guaranteed, they determine facts, they interpret the law, and they have powers of adjudication much like any courts of law.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

g) az adatkezelés jelentős közérdek miatt szükséges, uniós jog vagy tagállami jog alapján, amely arányos az elérni kívánt céllal, tiszteletben tartja a személyes adatok védelméhez való jog lényeges tartalmát, és az érintett alapvető jogainak és érdekeinek biztosítására megfelelő és konkrét intézkedéseket ír elő;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

Szakértői kommentár

(EN) The substantial public interest exception is characterized by the number of conditions attached to it and therefore its limited scope:

Processing must be necessary;
It must be based on a Union or Member State law; and
The Union or Member State law itself must:
- be proportionate to the goal pursued;
- respect the essence of the right to data protection; and
- guarantee suitable and specific measures to safeguard the fundamental rights and the interests of individuals concerned.

The terms “substantial public interest” are not defined in the General Data Protection Regulation. As the exception refers to the Union or Member State law, article 9 2) (g) gives a margin of appreciation to the national jurisdictions to decide locally what is of “substantial public interest”. A “substantial” public interest clearly requires a higher standard than simple public interest. If the latter refers to the public good and what is in the best interests of the society, the former must have to do with a real and tangible interest, an interest of considerable importance. A substantial public interest may be related to the exercise of fundamental rights and freedoms, like organizing the electoral process, or the maintenance of order and security, like fighting terrorism.

The Data Protection Act 2018, for example, recognizes twenty-three (23) cases where a substantial public interest is involved in the United Kingdom. Exceptions range from the administration of justice to safeguarding of children at risk, and extend to equality of opportunity, anti-doping in sport or publication of legal decisions. It is hard to distinguish in these examples what is in the general public interest and what is based on “substantial” public interest.

The substantial public interest exception does not apply to special categories of personal data which already benefit from an exception under article 9, like public health [paragraph 2, sub-paragraph (i)]. It is sometimes tricky though to decide which exception is applicable. One must refer to the specifics of the case and examine the facts attentively to decide what would be the best legal basis to process special categories of personal data.

Political parties may be required by a Member State’s legislation to compile personal data on individuals’ political opinions in the course of the electoral process based on the substantial public interest exception (recital 56). It differs from the foundation, association or not-for-profit body exception [article 9 2) (d)] in one aspect: the compilation is required by law and is not done as part of a political party’s main activities. It also exempts the organization from obtaining its members’ consent to divulge the collected personal data to the appropriate authorities.

I was asked recently about the proper legal basis to process data about students with disabilities. A school needs to collect and use these data to offer children services adapted to their learning capacity. Information about disabilities should be considered health-related data and thus special categories of personal data. They cannot be processed unless there is a specific exception that can be invoked.

It does not seem to be possible to rely on the public health exception [see paragraph 2, sub-paragraph (i) comment] to satisfy that request. If the Member State’s legislation in which the school operates provides for an exception to process special categories of personal data for the education of children with disabilities, the substantial public interest exception would be an appropriate legal basis. As it might be possible to get explicit consent [paragraph 2, sub-paragraph (a)] to process such data, that option should also be explored in the circumstances. The school will then have to respect the other requirements set in article 9 2) (g).

I already discussed the necessity principle in the general commentary below, and I would refer readers to it, as well as the proportionality principle that Union or Member State law must respect. The European or national text must also uphold the “essence of the right to data protection” and offer “suitable and specific measures” to protect the rights and interests of individuals concerned. It is therefore essential for the local authorities to comply with the Charter of Fundamental Rights of the European Union (article 8) and the principles set out in the GDPR.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

h) az adatkezelés megelőző egészségügyi vagy munkahelyi egészségügyi célokból, a munkavállaló munkavégzési képességének felmérése, orvosi diagnózis felállítása, egészségügyi vagy szociális ellátás vagy kezelés nyújtása, illetve egészségügyi vagy szociális rendszerek és szolgáltatások irányítása érdekében szükséges, uniós vagy tagállami jog alapján vagy egészségügyi szakemberrel kötött szerződés értelmében, továbbá a (3) bekezdésben említett feltételekre és garanciákra figyelemmel;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

Szakértői kommentár Irányelvek & Case Law

Szakértői kommentár

(EN) Article 9 2) (h) provides for exceptions to processing data related to medical and social care, which must be necessary (read about the necessity principle in the general commentary below) for:

preventive medicine;
occupational medicine;
assessing the working capacity of employees;
medical diagnosis;
provision of health or social care or treatment; or
management of health or social care systems.

It is a list of self-explanatory exceptions and they do not need more exemplification except for the assessing the working capacity of employees exception. It does not overlap with the employment, social security and social protection law exception [sub-paragraph (b)] as it does not concern sensitive data about employees in general, but exclusively data necessary to assess the capacity of an employee to perform her/his job. The assessment can be performed through, for example, drug testing, physical tests or medical exams. The goal is to find out if the person is apt to work in a position that requires specific abilities or a particular health condition.

As it is often the case with the GDPR, the legal basis for the exception is to be sought in the Union or Member State law. Knowledge of the European legislation is not enough, you also have to understand the national law of the concerned Member State. The legal basis for the medical and social care exception may equally be found in a contract with a health professional if some conditions and safeguards are respected.

Paragraph 3 of article 9 states that the exception is applicable, if based on a contract with a health professional, only if data are processed by a person who is bound by professional secrecy. The conditions and obligations linked to the secrecy can be enumerated in a European Union or national law or established by a national competent body. The definition of health professionals is also left to the Member States. It may include any professionals subject to a duty of confidentiality, like doctors, dentists, nurses, opticians, physiotherapists or social workers.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Irányelvek & Case Law

(EN) EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

i) az adatkezelés a népegészségügy területét érintő olyan közérdekből szükséges, mint a határokon át terjedő súlyos egészségügyi veszélyekkel szembeni védelem vagy az egészségügyi ellátás, a gyógyszerek és az orvostechnikai eszközök magas színvonalának és biztonságának a biztosítása, és olyan uniós vagy tagállami jog alapján történik, amely megfelelő és konkrét intézkedésekről rendelkezik az érintett jogait és szabadságait védő garanciákra, és különösen a szakmai titoktartásra vonatkozóan;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

Szakértői kommentár Irányelvek & Case Law

Szakértői kommentár

(EN) The difference between the medical and social care [subparagraph (h)] and the public health exceptions is not that obvious and both exceptions may overlap in some cases. The first exception applies to the processing of sensitive data for preventive medicine, for example, whereas the second one affects cross-border threats to health. It is not impossible that the same set of data may be used in one case as well the other for the exact same purpose.

The perimeter of article 9 2) (i) is apparently well delimited: it applies to the processing of sensitive data, without the explicit consent of an individual based on subparagraph (a) (recital 54), that are necessary (read about the necessity principle in the general commentary below) for reasons of public interest in the area of public health. Public interest refers to the public good and what is in the best interests of a group of individuals or the society as a whole (recital 53). A personal interest is not enough to justify the application of this exception and once data have been processed under this subparagraph, they cannot be shared with third parties, like employers, insurers or banks (recital 54).

Public health is exemplified in article 9 2) (i) itself, but it offers a non-exhaustive list of possible uses. It includes the protection against serious cross-border threats to health and insurance of high standards of quality and safety of health care, medicinal products or medical devices. It encompasses, for example, data necessary to study or fight epidemics or to plan a vaccination program.

Public health is further defined as “all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality” [Regulation (EC) No 1338/2008]. Some aspects of that definition are undoubtedly covered by the medical and social care exception [subparagraph (h)], as management of health or social care systems.

As it is often the case with the GDPR, the legal basis for the exception is to be sought in the Union or Member State law. Knowledge of the European legislation is not enough, you also have to understand the national law of the concerned Member State. Member States may maintain or introduce further conditions and limitations than those provided for in article 9 2) (i) [article 9 (4) and recital 53]. They should furthermore guarantee individuals’ fundamental rights and the protection of their personal data by law (recitals 53 and 54).

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Irányelvek & Case Law

(EN)

Legislation

Regulation (EC) No 1338/2008 on Community Statistics on Public Health and Health and Safety at Work, OJEU L 354, 31 December 2008, p. 70.

Documents

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

j) az adatkezelés a 89. cikk (1) bekezdésével összhangban a közérdekű archiválás céljából, tudományos és történelmi kutatási célból vagy statisztikai célból szükséges olyan uniós vagy tagállami jog alapján, amely arányos az elérni kívánt céllal, tiszteletben tartja a személyes adatok védelméhez való jog lényeges tartalmát, és az érintett alapvető jogainak és érdekeinek biztosítására megfelelő és konkrét intézkedéseket ír elő;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Szakértői kommentár Irányelvek & Case Law Kapcsolatok

Szakértői kommentár

(EN) Exceptions under article 9 2) (j) cover a wide range of interests and they might prove essential for the whole society and future generations. They concern four (4) different spheres:

Archives;
Scientific research;
Historical research; and
Statistical.

The archiving, research, and statistics exception must respect a list of conditions:

Processing must be necessary;
It must be based on a Union or Member State law; and
The Union or Member State law itself must:
- be proportionate to the goal pursued;
- respect the essence of the right to data protection; and
- guarantee suitable and specific measures to safeguard the fundamental rights and the interests of individuals concerned.

I’ve already discussed the necessity principle in the general commentary below, and I would refer readers to it, as well as the proportionality principle that Union or Member State law must respect. The European or national legal text must also uphold the “essence of the right to data protection” and offer “suitable and specific measures” to protect the rights and interests of individuals concerned. It is therefore essential for the local authorities to comply with the Charter of Fundamental Rights of the European Union (article 8) and the principles set out in the GDPR. Article 89 provides for more specifics on the safeguards and derogations relating to the processing of sensitive data in the context of the archiving, research, and statistics exception, and I invite you to read my comment relating to that provision.

As for the archiving exception, you must further demonstrate that the processing is in the public interest. A personal, corporate or financial interest is not enough to justify the application of this exception, you must be able to demonstrate that you are processing special categories of personal data for the public good and in the best interests of a group of individuals or the society as a whole (recital 53).

Archives concern public authorities, as well as public or private bodies that “have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records” (recital 158). Cold case murder investigations, for example, may justify the archiving of sensitive data in the public interest. Collecting information about political behavior under former totalitarian state regimes or related to genocide and crimes against humanity constitutes a further example (recital 158). Archived data may be used after for different purposes, among them is scientific research (recital 162).

Scientific research based on public and private registries may provide deeper knowledge of widespread medical conditions, like cardiovascular disease, cancer or depression (recital 157). Archives may also allow researchers to establish long-term correlations between unemployment or education and other life conditions (recital 157). Knowledge-based policy can thus be implemented to offer better social services or to improve the quality of life of the population (recital 157).

The scientific research exception aims at achieving a European research area to encourage the flow of researchers, scientific knowledge and technology [article 179(1) TFEU]. It must be interpreted broadly, according to the GDPR, and it applies to both public-sector and privately funded research (recital 159).

Clinical research undertaken in the public interest and meeting the other criteria of subparagraph (j) should be based on this exception rather than on express consent [subparagraph (a) and Regulation (EU) No 536/2014, article 29], recommends the European Data Protection Board (Opinion 3/2019). It is the safest possible ground as research may be compromised if individuals withdraw their consent while the research is conducted or after.

A classic example is a pharmaceutical company that conducts clinical trials for a new drug. If it relies on explicit consent [subparagraph (a)], it might face awkward consequences. Individuals participating in the trial might change their minds at the last stage of the research and decide to withdraw their consent. That eventuality would jeopardize the whole process and deprive society of the potential benefits of a new drug. Pharmaceutical companies may give additional guarantees by using anonymized or pseudonymized data in the course of their research to reduce the impact on participants and to compensate for the impossibility to withdraw their consent if the scientific research exception is invoked.

Statistical purposes is defined as “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results” (recital 162). Statistics should be developed, produced and disseminated according to six (6) principles: impartiality, reliability, objectivity, independence, cost-effectiveness, and confidentiality [article 338(2) TFEU].

The collection of stats should result in “aggregate data” and not “personal data”, which means that they should not concern any particular individuals but constitute abstract data concerning a group of anonymized individuals (recital 162). The statistics thus generated cannot be used to make decisions about any targeted individuals (recital 162). Furthermore, confidential information collected for statistical purposes must be protected with appropriate legal and technical safeguards (recital 163).

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Irányelvek & Case Law

(EN)

Document

EDPB, Opinion 3/2019 Concerning the Questions and Answers on the Interplay Between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b)) (2019).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

Legislation

Regulation (EU) No 536/2014 on Clinical Trials on Medicinal Products for Human Use, OJEU L 158, 27 May 2014, p. 1.

Kapcsolatok

89. cikk GDPR. A közérdekű archiválás céljából, tudományos és történelmi kutatási célból vagy statisztikai célból folytatott adatkezelésre vonatkozó garanciák és eltérések

Article 89 GDPR. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

(1) A személyes adatok közérdekű archiválás céljából, tudományos és történelmi kutatási célból vagy statisztikai célból folytatott kezelését e rendelettel összhangban az érintett jogait és szabadságait védő megfelelő garanciák mellett kell végezni. E garanciáknak biztosítaniuk kell, hogy olyan technikai és szervezési intézkedések legyenek érvényben, melyek biztosítják különösen az adattakarékosság elvének betartását. Ezen intézkedések közé tartozhat az álnevesítés, amennyiben az említett célok ily módon megvalósíthatók. Amennyiben e célok megvalósíthatók az adatok oly módon történő további kezelése révén, amely nem vagy már nem teszi lehetővé az érintettek azonosítását, a célokat ilyen módon kell megvalósítani.

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

[…]

Guidelines on consent under Regulation 2016/679

Scientific research

153. Recital 33 seems to bring some flexibility to the degree of specification and granularity of consent in the context of scientific research. Recital 33 states: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”

(3) Az (1) bekezdésben említett személyes adatokat abban az esetben lehet a (2) bekezdés h) pontjában említett célokból kezelni, ha ezen adatok kezelése olyan szakember által vagy olyan szakember felelőssége mellett történik, aki uniós vagy tagállami jogban, illetve az arra hatáskörrel rendelkező tagállami szervek által megállapított szabályokban meghatározott szakmai titoktartási kötelezettség hatálya alatt áll, illetve olyan más személy által, aki szintén uniós vagy tagállami jogban, illetve az arra hatáskörrel rendelkező tagállami szervek által megállapított szabályokban meghatározott titoktartási kötelezettség hatálya alatt áll.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

(4) A tagállamok további feltételeket – köztük korlátozásokat – tarthatnak hatályban, illetve vezethetnek be a genetikai adatok, a biometrikus adatok és az egészségügyi adatok kezelésére vonatkozóan.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Általános adatvédelmi rendelet (GDPR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Szakértői kommentár ISO 27701 Preambulumbekezdése Irányelvek & Case Law Szólj hozzá

Szakértői kommentár

(EN) Some personal data, because of their sensitive nature, belong to special categories in the General Data Protection Regulation. Processing data mentioned in one of these eight (8) categories poses indeed “significant risks to the fundamental rights and freedoms” of an individual (recital 51). Risks vary depending on the type of data involved. Paragraph one of article 9 enumerates all types of data covered, but they are not readily intelligible. A visual list, broken down into eight points, helps to clarify the scope of the provision and what data are considered “special” by the European regulation:

data disclosing racial or ethnic origin;
data divulging political opinions;
data revealing religious or philosophical beliefs;
data about trade union membership;
genetic data;
biometric data used to identify a person;
data concerning health; and
data relating to a person’s sex life or sexual orientation.

(EN) […]

(EN) Sign in
to read the full text

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 9 GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

(EN) […]

(EN) Sign in
to read the full text

Preambulumbekezdése

Irányelvek & Case Law

(EN)

Documents

Article 29 Working Party, Opinion 2/2010 on behavioural advertising (2010):

Any possible targeting of data subjects based on sensitive information opens the possibility of abuse. Furthermore, given the sensitivity of such information and the possible awkward situations which may arise if individuals receive advertising that reveals, for example, sexual preferences or political activity, offering/using interest categories that would reveal sensitive data should be discouraged.

In this context, the only available legal ground that would legitimize the data processing would be explicit, separate prior opt-in consent. The requirement for a separate, affirmative prior indication of the data subjects’ agreement means that in no case would an opt-out consent mechanism meet the requirement of the law. It also means that such consent could not be obtained through browser settings. To lawfully collect and process this type of information, ad network providers would have to set up mechanisms to obtain explicit prior consent, separate from other consent obtained for processing in general.

EDPB, Assessing the Necessity of Measures That Limit the Fundamental Right to the Protection of Personal Data: A Toolkit (2017).

WP29, Opinion on data processing at work (2017).

European Commission, Commission Guidance on the application of Union data protection law in the electoral context, A contribution from the European Commission to the Leaders’ meeting in Salzburg on 19-20 September 2018.

EDPB, Guidelines on Assessing the Proportionality of Measures That Limit the Fundamental Rights to Privacy and to the Protection of Personal Data (2019).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

EDPB, Guidelines 8/2020 on the targeting of social media users (2020).

EDPB, Guidelines 3/2020 on the Processing of Data Concerning Health for the Purpose of Scientific Research in the Context of the Covid-19 Outbreak (2020).

EDPB, Guidelines 3/2019 on Processing of Personal Data through Video Devices (2020).

European Commission, Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection Brussels (2020).

EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).