9 pants 📖 VDAR. Īpašu kategoriju personas datu apstrāde

9 pants VDAR. Īpašu kategoriju personas datu apstrāde

Article 9 GDPR. Processing of special categories of personal data

1. Ir aizliegta tādu personas datu apstrāde, kas atklāj rases vai etnisko piederību, politiskos uzskatus, reliģisko vai filozofisko pārliecību vai dalību arodbiedrībās, un ģenētisko datu, biometrisko datu, lai veiktu fiziskas personas unikālu identifikāciju, veselības datu vai datu par fiziskas personas dzimumdzīvi vai seksuālo orientāciju apstrāde.

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Vadlīnijas & Case Law Apsvērums

Vadlīnijas & Case Law

(EN)

Documents

Article 29 Working Party, Opinion 2/2012 on Facial Recognition in Online and Mobile Services (2012).

Article 29 Working Party, Opinion 3/2012 on Developments in Biometric Technologies (2012).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

EDPB, Guidelines 8/2020 on the targeting of social media users (2020):

If a social media provider or a targeter uses observed data to categorise users as having certain religious, philosophical or political beliefs-regardless of whether the categorization is correct/true or not-this categorisation of the user must obviously be seen as processing of special category of personal data in this context. As long as the categorisation enables targeting based on special category data, it does not matter how the category is labelled.

EDPB, Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (2020).

Financial transactions can reveal sensitive information about individual data subject, including those related to special categories of personal data. For example, political opinions and religious beliefs may be revealed by donations made to political parties or organisations, churches or parishes. Trade union membership may be revealed by the deduction of an annual membership fee from a person’s bank account. Personal data concerning health may be gathered from analysing medical bills paid by a data subject. Finally, information on certain purchases may reveal information concerning a person’s sex life or sexual orientation.

Moreover, through the sum of financial transactions, different kinds of behavioural patterns could be revealed, including special categories of personal data and additional services that are facilitated by account information services might rely on profiling as defined by article 4 (4) of the GDPR. Therefore, the chances are considerable that a service provider processing information on financial transactions of data subjects also processes special categories of personal data.

Apsvērums

(51) Personas datiem, kas pēc savas būtības ir īpaši sensitīvi saistībā ar pamattiesībām un brīvībām, pienākas īpaša aizsardzība, jo to apstrādes konteksts varētu radīt nopietnu risku pamattiesībām un brīvībām. Minētajiem personas datiem būtu jāaptver personas dati, kuri atklāj rases vai etnisko piederību, turklāt termina “rases piederība” izmatošana šajā regulā nenozīmē, ka Savienība atzīst teorijas, ar kuru palīdzību notiek mēģinājumi noteikt dažādu cilvēku rasu pastāvēšanu. Fotogrāfiju apstrāde nebūtu sistemātiski jāuzskata par īpašu kategoriju personas datu apstrādi, jo uz tām biometrisko datu definīcija attiecas tikai tad, kad tās apstrādās ar konkrētiem tehniskiem līdzekļiem, kas ļauj veikt fiziskas personas unikālu identifikāciju vai autentifikāciju. Šādi personas dati nebūtu jāapstrādā, ja vien apstrāde nav atļauta konkrētos, šajā regulā precizētos gadījumos, ņemot vērā, ka dalībvalstu tiesību aktos var būt paredzēti konkrēti noteikumi par datu aizsardzību, lai pieņemtu šīs regulas noteikumu piemērošanu juridisku pienākumu izpildei vai sabiedrības interesēs veiktu uzdevumu izpildei, vai pārzinim likumīgi piešķirto oficiālo pilnvaru īstenošanai. Papildus konkrētajām prasībām attiecībā uz šādu apstrādi būtu jāpiemēro vispārējie principi un citi šīs regulas noteikumi, jo īpaši attiecībā uz likumīgas apstrādes nosacījumiem. Būtu skaidri jāparedz atkāpes no vispārējā aizlieguma apstrādāt šādu īpašu kategoriju personas datus, cita starpā tad, ja datu subjekts dot nepārprotamu piekrišanu, vai attiecībā uz īpašām vajadzībām, jo īpaši gadījumos, kad apstrādi veic konkrētas apvienības vai nodibinājumi savu leģitīmo darbību ietvaros, kuru nolūks ir atļaut īstenot pamatbrīvības.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

2. Šā panta 1. punktu nepiemēro, ja ir piemērojams kāds no šādiem pamatojumiem:

2. Paragraph 1 shall not apply if one of the following applies:

Apsvērums

(52) Atkāpties no aizlieguma apstrādāt īpašu kategoriju personas datus būtu jāatļauj arī tad, ja tas paredzēts Savienības vai dalībvalsts tiesību aktos un ja ir paredzētas atbilstošas garantijas personas datu un citu pamattiesību aizsardzībai, ja to darīt ir sabiedrības interesēs, jo īpaši personas datu apstrāde nodarbinātības tiesību aktu, sociālās aizsardzības tiesību aktu jomā, tostarp attiecībā uz pensijām un veselības drošības, uzraudzības un brīdināšanas nolūkos, lipīgu infekcijas slimību un citu nopietnu veselības apdraudējumu profilaksei vai kontrolei. Šādu atkāpi var veikt ar veselību saistītos nolūkos, tostarp sabiedrības veselības un veselības aprūpes pakalpojumu pārvaldības nolūkos, jo īpaši, lai nodrošinātu pabalstu un veselības apdrošināšanas sistēmas pakalpojumu pieprasīšanai izmantoto procedūru kvalitāti un izmaksu lietderību vai lai veiktu arhivēšanu sabiedrības interesēs, zinātniskās vai vēstures pētniecības nolūkos vai statistikas nolūkos. Atkāpei būtu jāpieļauj arī tādu personas datu apstrāde, kas vajadzīgi, lai celtu, īstenotu vai aizstāvētu likumīgas prasības vai nu tiesas procesā, vai administratīvā vai ārpustiesas procedūrā.

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Īpašu kategoriju personas datus, kuriem pienākas augstāka aizsardzība, būtu jāapstrādā ar veselību saistītos nolūkos tikai tad, ja minētie nolūki jāsasniedz fizisku personu un visas sabiedrības labā, jo īpaši saistībā ar veselības vai sociālās aprūpes pakalpojumu un sistēmu pārvaldību, tostarp šādu datu apstrādi, ko kvalitātes kontroles nolūkos veic pārvaldības un centrālās valsts veselības iestādes, informāciju par pārvaldību un veselības vai sociālās aprūpes sistēmas vispārēju valsts mēroga un vietēju pārraudzību, un lai nodrošinātu veselības vai sociālās aprūpes un pārrobežu veselības aprūpes nepārtrauktību vai veselības drošību, pārraudzības vai brīdināšanas nolūkos vai arhivēšanas nolūkos sabiedrības interesēs, zinātniskās vai vēstures pētniecības nolūkos vai statistikas nolūkos, pamatojoties uz Savienības vai dalībvalsts tiesību aktiem, kam jāatbilst sabiedrības interešu mērķim, kā arī pētījumiem, kurus sabiedrības veselības jomā veic sabiedrības interesēs. Tāpēc šai regulai būtu jānodrošina saskaņoti nosacījumi īpašu kategoriju personas veselības datu apstrādei attiecībā uz konkrētām vajadzībām, jo īpaši gadījumos, kad šādu datu apstrādi konkrētos ar veselību saistītos nolūkos veic personas, uz kurām attiecas juridiskais pienākums ievērot dienesta noslēpumu. Savienības vai dalībvalsts tiesību aktiem būtu jāparedz konkrēti un atbilstoši pasākumi, lai aizsargātu fizisku personu pamattiesības un personas datus. Būtu jāļauj dalībvalstīm saglabāt vai ieviest papildu nosacījumus, tostarp ierobežojumus, attiecībā uz ģenētisko datu, biometrisko datu vai veselības datu apstrādi. Tomēr tam nevajadzētu kavēt personas datu brīvo plūsmu Savienībā gadījumos, kad minētos nosacījumus piemēro šādu datu pārrobežu apstrādei.

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

(54) Īpašu kategoriju personas datu apstrāde bez datu subjekta piekrišanas var būt nepieciešama sabiedrības interešu dēļ sabiedrības veselības jomās. Uz šādu apstrādi būtu jāattiecas atbilstošiem un konkrētiem pasākumiem fizisku personu tiesību un brīvību aizsardzībai. Minētajā kontekstā “sabiedrības veselība” būtu jāinterpretē saskaņā ar definīciju Eiropas Parlamenta un Padomes Regulā (EK) Nr. 1338/2008 [11], proti, kā visi elementi, kas saistīti ar veselību, proti, veselības stāvoklis, tostarp saslimstība un invaliditāte, faktori, kas ietekmē veselības stāvokli, veselības aprūpes vajadzības, veselības aprūpei piešķirtie resursi, veselības aprūpes nodrošināšana un vispārēja piekļuve tai, kā arī veselības aprūpes izdevumi un finansējums, un nāves cēloņi. Šādai veselības datu apstrādei sabiedrības interešu vārdā nebūtu jānoved pie tā, ka trešās personas, piemēram, darba devēji vai apdrošināšanas sabiedrības un kredītiestādes, apstrādā personas datus citos nolūkos.

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council [11], namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

_{[11] Eiropas Parlamenta un Padomes Regula (EK) Nr. 1338/2008 (2008. gada 16. decembris) attiecībā uz Kopienas statistiku par sabiedrības veselību un veselības aizsardzību un drošību darbā (OV L 354, 31.12.2008., 70. lpp.). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC}

_{[11] Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC}

(55) Turklāt oficiālo iestāžu veiktā oficiāli atzītu reliģisku apvienību personu datu apstrāde, lai sasniegtu konstitucionālajās tiesībās vai starptautiskajās publiskajās tiesībās paredzētus mērķus, tiek veikta, pamatojoties uz sabiedrības interesēm.

(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

(56) Ja dalībvalstī vēlēšanu pasākumu laikā demokrātiskās sistēmas darbība prasa, lai politiskās partijas vāktu personas datus par cilvēku politiskajiem uzskatiem, šādu datu apstrādi var pieļaut sabiedrības interešu dēļ, ar noteikumu, ka ir noteikti atbilstoši aizsardzības pasākumi.

(56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

a) datu subjekts ir devis nepārprotamu piekrišanu šo personas datu apstrādei vienam vai vairākiem konkrētiem nolūkiem, izņemot, ja Savienības vai dalībvalsts tiesību akti paredz, ka 1. punktā minēto aizliegumu datu subjekts nevar atcelt;

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

Ekspertu komentāri ISO 27701 Savienojumi

Ekspertu komentāri

(EN) The first exception is based on “explicit consent”. Article 9 consent differs from the general notion of consent of article 6 in one important aspect: it must be explicitly provided by the person concerned. It means that the consent must be freely given, specific, informed, and unambiguous, under the definition of article 4 (11), and, in addition to these requirements, it must be “explicit”.

What form of consent is considered “explicit” and thus valid under article 9? The sensitive nature of the data involved entails a consent that goes beyond the regular “statement or clear affirmative action” [article 4 (11)] on the part of the data subject. It means that s/he must give “an express statement of consent” (Guidelines on Consent), even in the case where services are provided on a contractual basis. An explicit consent is needed because there is no contract based exceptions in article 9 (2) a controller can rely on.

The Guidelines on Consent suggest that a written statement or even a signed written statement may be required, even though the GDPR does not prescribe such a form of consent. A signed consent may be relevant if health data are collected, for example, in the context of services offered by a private clinic or a convalescent home. A plastic surgeon may need to gather information about a client’s health condition or share medical information to seek a second opinion from one of her/his colleagues. The managers of a convalescent home will have to gather information about a future pensionary’s health condition to arrange the appropriate services needed during her/his stay.

A signed written statement is not as practical in the digital or online environment. How can a person consent if, for example, s/he buys a plane ticket online and requires special medical assistance at boarding time, during the flight or at her/his arrival at destination? A valid consent will also be difficult to obtain if a person places an online order for buying special eyewear as the seller has to collect health-related information about her/his vision and share it with the manufacturer.

Simply following a link or ticking a box might be regarded as an insufficient consent in these examples. The Guidelines on Consent recommend other forms of consent, like filling in an electronic form, using an electronic signature, recording an oral statement or proceeding with a two-step verification (ticking a box in a form and confirming the consent by email afterward, for example).

Article 9 prescribes that a person must consent “for one or more specified purposes”. The requirement goes beyond the “specific” quality of consent required by article 4 (11). Purposes must be clearly specified, which implies that the consent must be tied to specific data or precise categories of data that the controller will be allowed to process.

You must always remember that the GDPR is not a complete statement on the state of the law on data protection in a particular Member State, and it is particularly true here because there is an exception to the exception. Consent is an invalid basis to process special categories of personal data if a Member State prohibits the lifting of the prohibition for processing special categories of personal data by an individual in its national legislation, as the GDPR allows it.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 9(2)(a) GDPR:

7.2.4 Obtain and record consent

Control

The organization should obtain and record consent from PII principals according to the documented processes.

Implementation guidance

The organization should obtain and record consent from PII principals in such a way that it can provide on request details of the consent provided (for example the time that consent was provided, the identification of the PII principal, and the consent statement).

…

Pieslēgties
lai piekļūtu pilnam tekstam

Savienojumi

Guidelines on consent under Regulation 2016/679

OBTAINING EXPLICIT CONSENT

93. The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.[47]

_{[47] See also WP29 Opinion 15/2011, on the definition of consent (WP 187), p. 25.}

94. However, such a signed statement is not the only way to obtain explicit consent and, it cannot be said that the GDPR prescribes written and signed statements in all circumstances that require valid explicit consent. For example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. In theory, the use of oral statements can also be sufficiently express to obtain valid explicit consent, however, it may be difficult to prove for the controller that all conditions for valid explicit consent were met when the statement was recorded.

95. An organisation may also obtain explicit consent through a telephone conversation, provided that the information about the choice is fair, intelligible and clear, and it asks for a specific confirmation from the data subject (e.g. pressing a button or providing oral confirmation).

b) apstrāde ir vajadzīga, lai realizētu pārziņa pienākumus un īstenotu pārziņa vai datu subjekta konkrētas tiesības nodarbinātības, sociālā nodrošinājuma un sociālās aizsardzības tiesību jomā, ciktāl to pieļauj Savienības vai dalībvalsts tiesību akti vai koplīgums atbilstīgi dalībvalsts tiesību aktiem, paredzot piemērotas garantijas datu subjekta pamattiesībām un interesēm;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

Ekspertu komentāri

(EN) Processing of special categories of personal data in the field of employment, social security, and social protection law is possible only if it is “necessary” (read about the necessity and proportionality principles in the general commentary below) and it satisfies two other conditions:

it is authorised by the European Union or Member State law or a collective agreement; and
there are appropriate safeguards in place to protect the fundamental rights and interests of individuals.

The European regulation essentially refers to the legislation of the Member States to acknowledge the existence of exceptions and verify if individuals’ fundamental rights are preserved. Therefore, there are no general rules applicable to the entire Union and the exception can only be understood on a State by State basis. The controller has to invoke a specific legal provision authorizing the processing of personal data in the context of employment, social security or social protection law.

Member States may allow employers to collect personal data in order to provide health insurance policies to their employees, maintain records of sick, maternity or paternity leaves, deduct union dues from payslips or provide special working conditions or environment to persons with disabilities. They can also authorize insurers, for example, to process health data for paying accidents or invalidity indemnities to employees.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

c) apstrāde ir vajadzīga, lai aizsargātu datu subjekta vai citas fiziskas personas vitālas intereses, ja datu subjekts ir fiziski vai tiesiski nespējīgs dot savu piekrišanu;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

Ekspertu komentāri

(EN) According to article 9 2) (c), processing of special categories of personal data is allowed if it is “necessary” (read about the necessity and proportionality principles in the general commentary below) to protect a person’s vital interests or third parties’ ones. The vital interests exception is similar to article 6 1) (d) lawful basis to process data except that it applies only if you cannot obtain a person’s consent.

The scope of the exception is limited as it concerns only the protection of a “vital interest” of a person, that is to say, “an interest which is essential for [her/his] life” (recital 46). It includes threats to the physical integrity or life of a person or a third person. In other words, it must be a matter of life and death even though recital 46 seems to widen the scope of the exception. It suggests that it may also apply to humanitarian situations such as monitoring epidemics or providing relief for natural or man-made disasters.

The second condition limits drastically the scope of the vital interests exception: it may be invoked only if the individual is physically or legally incapable of giving consent. It can be the case if a person is unconscious, for example, or is unable to consent because of her/his legal status, like a minor or an adult under guardianship or trusteeship. You should ask for explicit consent, according to paragraph 2 a) of article 9, whenever it is possible. You cannot rely on the vital interests exception as an alternative option if a person is able to consent and has refused to do so.

Essentially, the vital interests exception is useful for medical emergency situations. If a person has suffered a life-threatening injury, for example, the medical staff may need her/his medical history to decide on the proper treatment. As the person is unable to offer her/his consent, the hospital needs a legal basis to process her/his health data and the vital interests exception might prove useful. It can also be convenient in cases of epidemics. It may be impossible for all infected individuals to consent in a timely manner to allow medical staff to gather data in order to prevent the spread of the epidemic and, in doing so, to protect third parties’ vital interests.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

d) veicot leģitīmas darbības un nodrošinot atbilstošas garantijas, apstrādi veic fonds, apvienība vai jebkura cita bezpeļņas struktūra, kas to dara ar politisku, filozofisku, reliģisku vai ar arodbiedrībām saistītu mērķi un ar nosacījumu, ka apstrāde attiecas tikai uz šīs struktūras locekļiem vai bijušajiem locekļiem, vai personām, kas ar šo struktūru uztur regulārus sakarus saistībā ar tās nolūkiem, un ka bez datu subjekta piekrišanas personas datus neizpauž ārpus minētās struktūras;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

Ekspertu komentāri

(EN) The General Data Protection Regulation contains a circumscribed exception for the processing of special categories of personal data by the following types of organizations:

associations;
foundations; and
other not-for-profit bodies.

The list appears to be closed and limited to these exact types of organizations, excluding any other types. As the legal status of charity, nonprofit, and philanthropy organizations is not uniform in the European Union, one should not attach too much importance to the name of the concerned body. The word “other” confirms that the list is illustrative and the exact nature of the organization depends on the legal form and structure the Member States give them.

It is more a question of the aims or goals of the organization than of its exact denomination, as it must pursue one of the following objectives

political;
philosophical;
religious; or
trade union.

The list refers to a limited number of activities and it cannot be extended beyond. Political parties, worship organizations or trade unions are clearly targeted. The philosophical aim category is not as easy to define. An organization devoted to environmental, vegan or anti-speciesism questions may qualify as pursuing a philosophical goal depending on a Member State law. How far that category may be expanded will depend on the Court of Justice of the European Union interpretation of the provision.

These organizations must process special categories of personal data only in the course of their “legitimate activities”. It means that the processing must be directly connected to the political, philosophical, religious or trade union activities of the organization. An association, a foundation or any other not-for-profit body cannot invoke that exception to process special categories of personal data that are not closely related to its core activities in accordance with its purposes and powers set out in its governing charter.

The GDPR requires that organizations handle special categories of personal data with appropriate safeguards. It is not clear what exactly the legislator had in mind by adopting this additional condition. It clearly implies that proper security measures should be in place to protect the processed data due to their sensitive nature. Data must also be accessible only to the persons who need to deal with them to achieve the organizations’ aims.

It follows logically that the personal data cannot be disclosed outside the organization, although article 9 2) (d) allows such divulgation with the consent of the concerned individuals. The body cannot share its membership list, for example, with other organizations unless it obtained its members’ consent. I do not see any legal impediment prohibiting the selling of that same list to finance the organization’s activities if its members consent to the divulgation of their personal data. The organization will also have to seek consent to name any individual members in a fundraiser campaign or an annual report, for example.

The scope of the exception is limited to processing special categories of personal data concerning an organization’s i) members, ii) former members or iii) individuals who have “regular contact” with it in connection with its goals. It excludes the organization’s employees or prospective members before they join the organization, but it may include partners, contributors or regular beneficiaries of the organization’s services who are not formally members of it.

It is a self-evident exception to the general rule that special categories of personal data cannot be processed as it allows organizations that owe their existence solely to the pursuit of one of the goals mentioned to process data essential to their operation. How would a political party exist if it cannot process the political opinions of their partisans? It is the same with trade unions that have to deal with data concerning their members or churches that have to process data revealing their believers’ religious beliefs in the course of their regular activities (see article 91).

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

e) apstrāde attiecas uz personas datiem, kurus datu subjekts apzināti ir publiskojis;

(e) processing relates to personal data which are manifestly made public by the data subject;

Ekspertu komentāri Vadlīnijas & Case Law

Ekspertu komentāri

(EN) The European legislator introduced an exception – for special categories of personal data which are manifestly made public by a person – that seems completely logical at first glance. If a person willingly shares her/his data, it sounds reasonable to allow the processing of these data by third parties. On second thought, many questions come to mind. What does “manifestly” mean? When are data “public”? How to determine if a person intended to make her/his data public?

The exception does not concern all special categories of data publicly available. It applies strictly to data that an individual personally disclosed. It must be a publication that results from a clear and voluntary decision from an individual to disclose information about her/him. It should not be an accidental, inadvertent, involuntary or unintentional disclosure. It should be the result of a free and deliberate decision. The individual must be fully conscious that s/he made her/his data public. Thus, it excludes leaked data, data accessible after a security breach or data shared unintentionally or by inadvertence…

…

Pieslēgties
lai piekļūtu pilnam tekstam

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Vadlīnijas & Case Law

(EN) EDPB, Guidelines 8/2020 on the targeting of social media users (2020):

The word “manifestly” implies that there must be a high threshold for relying on this exemption.The EDPB notes that the presence of a single element may not always be sufficient to establish that the data have been “manifestly” made public by the data subject. In practice,a combination of the following or other elements may need to be considered for controllers to demonstrate that the data subject has clearly manifested the intention to make the data public, and a case-by-case assessment is needed. The following elements may be relevant to help inform this assessment:

the default settings of the social media platform (i.e. whether the data subject took a specific action to change these default private settings into public ones); or

the nature of the social media platform (i.e. whether this platform is intrinsically linked with the idea of connecting with close acquaintances of the data subject or creating intimate relations (such as online dating platforms), or if it is meant to provide a wider scope of interpersonal relations, such as professional relations, or microblogging, etc… ; or

the accessibility of the page where the sensitive data is published (i.e. whether the information is publically accessible or if, for instance, the creation of an account is necessary before accessing the information); or

the visibility of the information where the data subject is informed of the public nature of the information that they publish (i.e. whether there is for example a continuous banner on the page, or whether the button for publishing informs the data subject that the information will be made public…); or

if the data subject has published the sensitive data himself/herself, or whether instead the data has been published by a third party (e.g. a photo published by a friend which reveals sensitive data) or inferred.

The EDPB notes that the presence of a single element may not always be sufficient to establish that the data have been “manifestly” made public by the data subject. In practice,a combination of these or other elements may need to be considered for controllers to demonstrate that the data subject has clearly manifested the intention to make the data public.

f) apstrāde ir vajadzīga, lai celtu, īstenotu vai aizstāvētu likumīgas prasības, vai ikreiz, kad tiesas pilda savus uzdevumus;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

Ekspertu komentāri

(EN) The legal exception comprises two distinct parts, as it applies to:

processing necessary for establishing, exercising or defending a legal claim, and
courts acting in their judicial capacity.

1) The legal claim exception, in the context of article 9, is broad and is not limited to pending legal proceedings. It applies to ongoing legal claims along with prospective ones. A person may have to share personal data in order to obtain legal advice, to report a situation that may potentially lead to a legal claim or to prepare future proceedings, even if no procedures have been filed in court yet. It might concern administrative or court proceedings, as well as out-of-court procedures (recital 52).

The keyword in paragraph 2) (f) is “necessary” (read about the necessity principle in the general commentary below): the use of personal information must be necessary to establish, exercise or defend legal rights. It still needs to be defined what necessary means in the context of the GDPR. A reference to the general necessity principle in European Union law should lead to justifying the use of personal data for the legal claim exception based on objective evidence. There must be a substantial connection between the processing and the data processed in the context of a specific case.

The use of personal data should also be proportionate (read about the proportionality principle in the general commentary below): it should not go beyond what is necessary to achieve the objective pursued. Data used must be adequate and relevant “for the establishment, exercise or defence of legal claims” and their use should be limited to what is needed. In other words, it means that you should not use more data than what is necessary to proceed.

An example of using personal data before any legal proceedings have been initiated is if you have to report an accident to your insurer. Your insurer will eventually have to deal with data concerning your health or the health of other persons implicated in the accident. It does not mean that a claim will be brought before the court and if so, that it will not be settled before any proceedings take place.

I may cite another typical example, concerning this time the establishment of a defence to an actual legal claim. Your employee is suing you after that an accident has occurred in the workplace. You will have to share the details of the accident, including information in your possession about the injuries your employee has suffered, with your lawyer. As these data are considered health-related information, you will have to invoke paragraph 2) (f) exception.

2) The second part of the legal exception concerns courts acting in their judicial capacity. The exception is necessary to preserve the independence of justice (recital 20), which also ensures compliance with legal guarantees provided for by European and national rights and freedoms instruments. The GDPR does not specify the scope of the expression “courts […] acting in their judicial capacity”, except that it includes the decision-making process (recital 20).

Article 9 mentions only “courts”, but recital 97 seems to extend the exception to “independent judicial authorities”. Even if it is not the case, the interpretation of the term “court” may lead to such an extension. It raises questions in consequence for many existing procedures lead by quasi-judicial bodies, like arbitrators, arbitration tribunals or public administrative agencies. They conduct proceedings, during which the rights and freedoms of the parties involved must be guaranteed, they determine facts, they interpret the law, and they have powers of adjudication much like any courts of law.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

g) apstrāde ir vajadzīga būtisku sabiedrības interešu dēļ, pamatojoties uz Savienības vai dalībvalsts tiesību aktiem, kas ir samērīgas izvirzītajam mērķim, ievēro tiesību uz datu aizsardzību būtību un paredz piemērotus un konkrētus pasākumus datu subjekta pamattiesību un interešu aizsardzībai;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

Ekspertu komentāri

(EN) The substantial public interest exception is characterized by the number of conditions attached to it and therefore its limited scope:

Processing must be necessary;
It must be based on a Union or Member State law; and
The Union or Member State law itself must:
- be proportionate to the goal pursued;
- respect the essence of the right to data protection; and
- guarantee suitable and specific measures to safeguard the fundamental rights and the interests of individuals concerned.

The terms “substantial public interest” are not defined in the General Data Protection Regulation. As the exception refers to the Union or Member State law, article 9 2) (g) gives a margin of appreciation to the national jurisdictions to decide locally what is of “substantial public interest”. A “substantial” public interest clearly requires a higher standard than simple public interest. If the latter refers to the public good and what is in the best interests of the society, the former must have to do with a real and tangible interest, an interest of considerable importance. A substantial public interest may be related to the exercise of fundamental rights and freedoms, like organizing the electoral process, or the maintenance of order and security, like fighting terrorism.

The Data Protection Act 2018, for example, recognizes twenty-three (23) cases where a substantial public interest is involved in the United Kingdom. Exceptions range from the administration of justice to safeguarding of children at risk, and extend to equality of opportunity, anti-doping in sport or publication of legal decisions. It is hard to distinguish in these examples what is in the general public interest and what is based on “substantial” public interest.

The substantial public interest exception does not apply to special categories of personal data which already benefit from an exception under article 9, like public health [paragraph 2, sub-paragraph (i)]. It is sometimes tricky though to decide which exception is applicable. One must refer to the specifics of the case and examine the facts attentively to decide what would be the best legal basis to process special categories of personal data.

Political parties may be required by a Member State’s legislation to compile personal data on individuals’ political opinions in the course of the electoral process based on the substantial public interest exception (recital 56). It differs from the foundation, association or not-for-profit body exception [article 9 2) (d)] in one aspect: the compilation is required by law and is not done as part of a political party’s main activities. It also exempts the organization from obtaining its members’ consent to divulge the collected personal data to the appropriate authorities.

I was asked recently about the proper legal basis to process data about students with disabilities. A school needs to collect and use these data to offer children services adapted to their learning capacity. Information about disabilities should be considered health-related data and thus special categories of personal data. They cannot be processed unless there is a specific exception that can be invoked.

It does not seem to be possible to rely on the public health exception [see paragraph 2, sub-paragraph (i) comment] to satisfy that request. If the Member State’s legislation in which the school operates provides for an exception to process special categories of personal data for the education of children with disabilities, the substantial public interest exception would be an appropriate legal basis. As it might be possible to get explicit consent [paragraph 2, sub-paragraph (a)] to process such data, that option should also be explored in the circumstances. The school will then have to respect the other requirements set in article 9 2) (g).

I already discussed the necessity principle in the general commentary below, and I would refer readers to it, as well as the proportionality principle that Union or Member State law must respect. The European or national text must also uphold the “essence of the right to data protection” and offer “suitable and specific measures” to protect the rights and interests of individuals concerned. It is therefore essential for the local authorities to comply with the Charter of Fundamental Rights of the European Union (article 8) and the principles set out in the GDPR.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

h) apstrāde ir vajadzīga profilaktiskās vai arodmedicīnas nolūkos, darbinieka darbspējas novērtēšanai, medicīniskas diagnozes, veselības vai sociālās aprūpes vai ārstēšanas vai veselības vai sociālās aprūpes sistēmu un pakalpojumu pārvaldības nodrošināšanas nolūkos, pamatojoties uz Savienības vai dalībvalsts tiesību aktiem vai saskaņā ar līgumu ar veselības darba profesionāli un ievērojot 3. punktā minētos nosacījumus un garantijas;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

Ekspertu komentāri Vadlīnijas & Case Law

Ekspertu komentāri

(EN) Article 9 2) (h) provides for exceptions to processing data related to medical and social care, which must be necessary (read about the necessity principle in the general commentary below) for:

preventive medicine;
occupational medicine;
assessing the working capacity of employees;
medical diagnosis;
provision of health or social care or treatment; or
management of health or social care systems.

It is a list of self-explanatory exceptions and they do not need more exemplification except for the assessing the working capacity of employees exception. It does not overlap with the employment, social security and social protection law exception [sub-paragraph (b)] as it does not concern sensitive data about employees in general, but exclusively data necessary to assess the capacity of an employee to perform her/his job. The assessment can be performed through, for example, drug testing, physical tests or medical exams. The goal is to find out if the person is apt to work in a position that requires specific abilities or a particular health condition.

As it is often the case with the GDPR, the legal basis for the exception is to be sought in the Union or Member State law. Knowledge of the European legislation is not enough, you also have to understand the national law of the concerned Member State. The legal basis for the medical and social care exception may equally be found in a contract with a health professional if some conditions and safeguards are respected.

Paragraph 3 of article 9 states that the exception is applicable, if based on a contract with a health professional, only if data are processed by a person who is bound by professional secrecy. The conditions and obligations linked to the secrecy can be enumerated in a European Union or national law or established by a national competent body. The definition of health professionals is also left to the Member States. It may include any professionals subject to a duty of confidentiality, like doctors, dentists, nurses, opticians, physiotherapists or social workers.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Vadlīnijas & Case Law

(EN) EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

i) apstrāde ir vajadzīga sabiedrības interešu dēļ sabiedrības veselības jomā, piemēram, aizsardzībai pret nopietniem pārrobežu draudiem veselībai vai augstu kvalitātes un drošības standartu nodrošināšanai, cita starpā zālēm vai medicīniskām ierīcēm, pamatojoties uz Savienības vai dalībvalsts tiesību aktiem, kas paredz atbilstošus un konkrētus pasākumus datu subjekta tiesību un brīvību, jo īpaši dienesta noslēpuma, aizsardzībai;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

Ekspertu komentāri Vadlīnijas & Case Law

Ekspertu komentāri

(EN) The difference between the medical and social care [subparagraph (h)] and the public health exceptions is not that obvious and both exceptions may overlap in some cases. The first exception applies to the processing of sensitive data for preventive medicine, for example, whereas the second one affects cross-border threats to health. It is not impossible that the same set of data may be used in one case as well the other for the exact same purpose.

The perimeter of article 9 2) (i) is apparently well delimited: it applies to the processing of sensitive data, without the explicit consent of an individual based on subparagraph (a) (recital 54), that are necessary (read about the necessity principle in the general commentary below) for reasons of public interest in the area of public health. Public interest refers to the public good and what is in the best interests of a group of individuals or the society as a whole (recital 53). A personal interest is not enough to justify the application of this exception and once data have been processed under this subparagraph, they cannot be shared with third parties, like employers, insurers or banks (recital 54).

Public health is exemplified in article 9 2) (i) itself, but it offers a non-exhaustive list of possible uses. It includes the protection against serious cross-border threats to health and insurance of high standards of quality and safety of health care, medicinal products or medical devices. It encompasses, for example, data necessary to study or fight epidemics or to plan a vaccination program.

Public health is further defined as “all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality” [Regulation (EC) No 1338/2008]. Some aspects of that definition are undoubtedly covered by the medical and social care exception [subparagraph (h)], as management of health or social care systems.

As it is often the case with the GDPR, the legal basis for the exception is to be sought in the Union or Member State law. Knowledge of the European legislation is not enough, you also have to understand the national law of the concerned Member State. Member States may maintain or introduce further conditions and limitations than those provided for in article 9 2) (i) [article 9 (4) and recital 53]. They should furthermore guarantee individuals’ fundamental rights and the protection of their personal data by law (recitals 53 and 54).

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Vadlīnijas & Case Law

(EN)

Legislation

Regulation (EC) No 1338/2008 on Community Statistics on Public Health and Health and Safety at Work, OJEU L 354, 31 December 2008, p. 70.

Documents

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

j) apstrāde ir vajadzīga arhivēšanas nolūkos sabiedrības interesēs, zinātniskās vai vēstures pētniecības nolūkos, vai statistikas nolūkos saskaņā ar 89. panta 1. punktu, pamatojoties uz Savienības vai dalībvalsts tiesību aktiem, kas ir samērīgi izvirzītajam mērķim, ievēro tiesību uz datu aizsardzību būtību un paredz piemērotus un konkrētus pasākumus datu subjekta pamattiesību un interešu aizsardzībai.

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Ekspertu komentāri Vadlīnijas & Case Law Savienojumi

Ekspertu komentāri

(EN) Exceptions under article 9 2) (j) cover a wide range of interests and they might prove essential for the whole society and future generations. They concern four (4) different spheres:

Archives;
Scientific research;
Historical research; and
Statistical.

The archiving, research, and statistics exception must respect a list of conditions:

Processing must be necessary;
It must be based on a Union or Member State law; and
The Union or Member State law itself must:
- be proportionate to the goal pursued;
- respect the essence of the right to data protection; and
- guarantee suitable and specific measures to safeguard the fundamental rights and the interests of individuals concerned.

I’ve already discussed the necessity principle in the general commentary below, and I would refer readers to it, as well as the proportionality principle that Union or Member State law must respect. The European or national legal text must also uphold the “essence of the right to data protection” and offer “suitable and specific measures” to protect the rights and interests of individuals concerned. It is therefore essential for the local authorities to comply with the Charter of Fundamental Rights of the European Union (article 8) and the principles set out in the GDPR. Article 89 provides for more specifics on the safeguards and derogations relating to the processing of sensitive data in the context of the archiving, research, and statistics exception, and I invite you to read my comment relating to that provision.

As for the archiving exception, you must further demonstrate that the processing is in the public interest. A personal, corporate or financial interest is not enough to justify the application of this exception, you must be able to demonstrate that you are processing special categories of personal data for the public good and in the best interests of a group of individuals or the society as a whole (recital 53).

Archives concern public authorities, as well as public or private bodies that “have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records” (recital 158). Cold case murder investigations, for example, may justify the archiving of sensitive data in the public interest. Collecting information about political behavior under former totalitarian state regimes or related to genocide and crimes against humanity constitutes a further example (recital 158). Archived data may be used after for different purposes, among them is scientific research (recital 162).

Scientific research based on public and private registries may provide deeper knowledge of widespread medical conditions, like cardiovascular disease, cancer or depression (recital 157). Archives may also allow researchers to establish long-term correlations between unemployment or education and other life conditions (recital 157). Knowledge-based policy can thus be implemented to offer better social services or to improve the quality of life of the population (recital 157).

The scientific research exception aims at achieving a European research area to encourage the flow of researchers, scientific knowledge and technology [article 179(1) TFEU]. It must be interpreted broadly, according to the GDPR, and it applies to both public-sector and privately funded research (recital 159).

Clinical research undertaken in the public interest and meeting the other criteria of subparagraph (j) should be based on this exception rather than on express consent [subparagraph (a) and Regulation (EU) No 536/2014, article 29], recommends the European Data Protection Board (Opinion 3/2019). It is the safest possible ground as research may be compromised if individuals withdraw their consent while the research is conducted or after.

A classic example is a pharmaceutical company that conducts clinical trials for a new drug. If it relies on explicit consent [subparagraph (a)], it might face awkward consequences. Individuals participating in the trial might change their minds at the last stage of the research and decide to withdraw their consent. That eventuality would jeopardize the whole process and deprive society of the potential benefits of a new drug. Pharmaceutical companies may give additional guarantees by using anonymized or pseudonymized data in the course of their research to reduce the impact on participants and to compensate for the impossibility to withdraw their consent if the scientific research exception is invoked.

Statistical purposes is defined as “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results” (recital 162). Statistics should be developed, produced and disseminated according to six (6) principles: impartiality, reliability, objectivity, independence, cost-effectiveness, and confidentiality [article 338(2) TFEU].

The collection of stats should result in “aggregate data” and not “personal data”, which means that they should not concern any particular individuals but constitute abstract data concerning a group of anonymized individuals (recital 162). The statistics thus generated cannot be used to make decisions about any targeted individuals (recital 162). Furthermore, confidential information collected for statistical purposes must be protected with appropriate legal and technical safeguards (recital 163).

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Vadlīnijas & Case Law

(EN)

Document

EDPB, Opinion 3/2019 Concerning the Questions and Answers on the Interplay Between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b)) (2019).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

Legislation

Regulation (EU) No 536/2014 on Clinical Trials on Medicinal Products for Human Use, OJEU L 158, 27 May 2014, p. 1.

Savienojumi

89 pants VDAR. Garantijas un atkāpes, kas attiecas uz apstrādi arhivēšanas nolūkos sabiedrības interesēs, zinātniskās vai vēstures pētniecības nolūkos vai statistikas nolūkos

Article 89 GDPR. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1. Uz apstrādi arhivēšanas nolūkos sabiedrības interesēs, zinātniskās vai vēstures pētniecības nolūkos, vai statistikas nolūkos saskaņā ar šo regulu attiecas atbilstošas garantijas datu subjekta tiesībām un brīvībām. Ar minētajām garantijām nodrošina, ka pastāv tehniski un organizatoriski pasākumi, jo īpaši, lai nodrošinātu datu minimizēšanas principa ievērošanu. Minētie pasākumi var ietvert pseidonimizēšanu, ar noteikumu, ka minētos nolūkus var sasniegt minētajā veidā. Ja minētos nolūkus var sasniegt, veicot turpmāku apstrādi, kas neļauj vai vairs neļauj identificēt datu subjektus, minētos nolūkus sasniedz minētajā veidā.

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

[…]

Guidelines on consent under Regulation 2016/679

Scientific research

153. Recital 33 seems to bring some flexibility to the degree of specification and granularity of consent in the context of scientific research. Recital 33 states: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”

3. Šā panta 1. punktā minētos personas datus var apstrādāt 2. punkta h) apakšpunktā minētajos nolūkos, ja šos datus apstrādā profesionālis, uz kuru saskaņā ar Savienības vai dalībvalsts tiesību aktiem vai valsts kompetento iestāžu ieviestiem noteikumiem attiecas dienesta noslēpuma ievērošanas pienākums, vai ja tos apstrādā šāda profesionāļa atbildībā; vai cita persona, uz kuru arī attiecas pienākums ievērot dienesta noslēpumu saskaņā ar Savienības vai dalībvalsts tiesību aktiem vai valsts kompetento iestāžu ieviestiem noteikumiem.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Dalībvalstis var saglabāt vai ieviest papildu nosacījumus, tostarp ierobežojumus, attiecībā uz ģenētisko datu, biometrisko datu vai veselības datu apstrādi.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Vispārīgā datu aizsardzības regula (VDAR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Ekspertu komentāri ISO 27701 Apsvērums Vadlīnijas & Case Law Atstājiet savu komentāru

Ekspertu komentāri

(EN) Some personal data, because of their sensitive nature, belong to special categories in the General Data Protection Regulation. Processing data mentioned in one of these eight (8) categories poses indeed “significant risks to the fundamental rights and freedoms” of an individual (recital 51). Risks vary depending on the type of data involved. Paragraph one of article 9 enumerates all types of data covered, but they are not readily intelligible. A visual list, broken down into eight points, helps to clarify the scope of the provision and what data are considered “special” by the European regulation:

data disclosing racial or ethnic origin;
data divulging political opinions;
data revealing religious or philosophical beliefs;
data about trade union membership;
genetic data;
biometric data used to identify a person;
data concerning health; and
data relating to a person’s sex life or sexual orientation.

…

Pieslēgties
lai piekļūtu pilnam tekstam

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 9 GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

…

Pieslēgties
lai piekļūtu pilnam tekstam

Apsvērums

Vadlīnijas & Case Law

(EN)

Documents

Article 29 Working Party, Opinion 2/2010 on behavioural advertising (2010):

Any possible targeting of data subjects based on sensitive information opens the possibility of abuse. Furthermore, given the sensitivity of such information and the possible awkward situations which may arise if individuals receive advertising that reveals, for example, sexual preferences or political activity, offering/using interest categories that would reveal sensitive data should be discouraged.

In this context, the only available legal ground that would legitimize the data processing would be explicit, separate prior opt-in consent. The requirement for a separate, affirmative prior indication of the data subjects’ agreement means that in no case would an opt-out consent mechanism meet the requirement of the law. It also means that such consent could not be obtained through browser settings. To lawfully collect and process this type of information, ad network providers would have to set up mechanisms to obtain explicit prior consent, separate from other consent obtained for processing in general.

EDPB, Assessing the Necessity of Measures That Limit the Fundamental Right to the Protection of Personal Data: A Toolkit (2017).

WP29, Opinion on data processing at work (2017).

European Commission, Commission Guidance on the application of Union data protection law in the electoral context, A contribution from the European Commission to the Leaders’ meeting in Salzburg on 19-20 September 2018.

EDPB, Guidelines on Assessing the Proportionality of Measures That Limit the Fundamental Rights to Privacy and to the Protection of Personal Data (2019).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

EDPB, Guidelines 8/2020 on the targeting of social media users (2020).

EDPB, Guidelines 3/2020 on the Processing of Data Concerning Health for the Purpose of Scientific Research in the Context of the Covid-19 Outbreak (2020).

EDPB, Guidelines 3/2019 on Processing of Personal Data through Video Devices (2020).

European Commission, Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection Brussels (2020).

EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).