Article 29 Working Party, Opinion 2/2012 on Facial Recognition in Online and Mobile Services (2012).
Article 29 Working Party, Opinion 3/2012 on Developments in Biometric Technologies (2012).
EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).
EDPB, Guidelines 8/2020 on the targeting of social media users (2020):
If a social media provider or a targeter uses observed data to categorise users as having certain religious, philosophical or political beliefs-regardless of whether the categorization is correct/true or not-this categorisation of the user must obviously be seen as processing of special category of personal data in this context. As long as the categorisation enables targeting based on special category data, it does not matter how the category is labelled.
EDPB, Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (2020).
Financial transactions can reveal sensitive information about individual data subject, including those related to special categories of personal data. For example, political opinions and religious beliefs may be revealed by donations made to political parties or organisations, churches or parishes. Trade union membership may be revealed by the deduction of an annual membership fee from a person’s bank account. Personal data concerning health may be gathered from analysing medical bills paid by a data subject. Finally, information on certain purchases may reveal information concerning a person’s sex life or sexual orientation.
Moreover, through the sum of financial transactions, different kinds of behavioural patterns could be revealed, including special categories of personal data and additional services that are facilitated by account information services might rely on profiling as defined by article 4 (4) of the GDPR. Therefore, the chances are considerable that a service provider processing information on financial transactions of data subjects also processes special categories of personal data.
(51) 본질적으로 기본권과 자유와 관련해 특히 민감한 개인정보는 그 처리가 기본권 및 자유에 중대한 위험을 초래할 수 있기 때문에 특정한 보호를 받아야 한다. 이러한 정보에는 인종 또는 민족출신을 드러나는 개인정보도 포함되어야 하나, 본 규정에서 ‘인종출신’이라는 용어를 사용한다고 하여 유럽연합이 서로 다른 인종이 존재한다고 단정 지으려는 이론을 용인한다는 의미는 아니다. 사진의 처리는 개인을 고유하게 식별하거나 인증할 수 있는 특정 기술 수단을 통해 처리될 시에만 생체정보의 정의에 해당되기 때문에, 체계적으로는 특별 범주의 개인정보 처리로 분류되지 않는다. 그 개인정보는 회원국의 법률이 공익을 위하거나 컨트롤러에 부여된 공적 권한 행사에 따른 직무 수행 또는 법적 의무의 준수를 위해 본 규정의 규칙 적용을 변경하고자 데이터 보호에 관한 특정 조문을 규정할 수 있다는 사실을 고려하여 본 규정에 명시된 특정 상황에서 허용되지 않는다면 처리되어서는 안 된다. 그 처리에 대한 특정 요건과 더불어, 본 규정의 통칙 및 기타 규칙은 특히 적법한 처리를 위한 조건과 관련하여 적용되어야 한다. 그 같은 특별 범주의 개인정보 처리를 일반적으로 금지하는 것에 대한 적용제외는 명시적으로 제공되어야 하고, 특히 정보주체가 명백한 동의를 제공한 경우나 특히 기본적 자유 행사를 허용할 목적으로 특정 재단 또는 협회가 행하는 정당한 활동 중에 처리가 이루어지는 경우의 특정 요구조건과 관련하여 더욱 그러하다.
(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
(EN) The first exception is based on “explicit consent”. Article 9 consent differs from the general notion of consent of article 6 in one important aspect: it must be explicitly provided by the person concerned. It means that the consent must be freely given, specific, informed, and unambiguous, under the definition of article 4 (11), and, in addition to these requirements, it must be “explicit”.
What form of consent is considered “explicit” and thus valid under article 9? The sensitive nature of the data involved entails a consent that goes beyond the regular “statement or clear affirmative action” [article 4 (11)] on the part of the data subject. It means that s/he must give “an express statement of consent” (Guidelines on Consent), even in the case where services are provided on a contractual basis. An explicit consent is needed because there is no contract based exceptions in article 9 (2) a controller can rely on.
The Guidelines on Consent suggest that a written statement or even a signed written statement may be required, even though the GDPR does not prescribe such a form of consent. A signed consent may be relevant if health data are collected, for example, in the context of services offered by a private clinic or a convalescent home. A plastic surgeon may need to gather information about a client’s health condition or share medical information to seek a second opinion from one of her/his colleagues. The managers of a convalescent home will have to gather information about a future pensionary’s health condition to arrange the appropriate services needed during her/his stay.
A signed written statement is not as practical in the digital or online environment. How can a person consent if, for example, s/he buys a plane ticket online and requires special medical assistance at boarding time, during the flight or at her/his arrival at destination? A valid consent will also be difficult to obtain if a person places an online order for buying special eyewear as the seller has to collect health-related information about her/his vision and share it with the manufacturer.
Simply following a link or ticking a box might be regarded as an insufficient consent in these examples. The Guidelines on Consent recommend other forms of consent, like filling in an electronic form, using an electronic signature, recording an oral statement or proceeding with a two-step verification (ticking a box in a form and confirming the consent by email afterward, for example).
Article 9 prescribes that a person must consent “for one or more specified purposes”. The requirement goes beyond the “specific” quality of consent required by article 4 (11). Purposes must be clearly specified, which implies that the consent must be tied to specific data or precise categories of data that the controller will be allowed to process.
You must always remember that the GDPR is not a complete statement on the state of the law on data protection in a particular Member State, and it is particularly true here because there is an exception to the exception. Consent is an invalid basis to process special categories of personal data if a Member State prohibits the lifting of the prohibition for processing special categories of personal data by an individual in its national legislation, as the GDPR allows it.