Artikolu 9 📖 RĠPD (GDPR). Ipproċessar ta' kategoriji speċjali ta' data personali

Artikolu 9 RĠPD (GDPR). Ipproċessar ta' kategoriji speċjali ta' data personali

Article 9 GDPR. Processing of special categories of personal data

1. L-ipproċessar ta’ data personali, li jiżvela oriġini razzjali jew etnika, opinjonijiet politiċi, twemmin reliġjuż jew filosofiku, jew sħubija fi trade union, u l-ipproċessar ta’ data ġenetika, data bijometrika sabiex tidentifika b’mod uniku persuna fiżika, data dwar is-saħħa jew data dwar il-ħajja sesswali u l-orjentazzjoni sesswali ta’ persuna fiżika huma projbiti.

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Linji ta 'Gwida & Ġurisprudenza Premessi

Linji ta 'Gwida & Ġurisprudenza

(EN)

Documents

Article 29 Working Party, Opinion 2/2012 on Facial Recognition in Online and Mobile Services (2012).

Article 29 Working Party, Opinion 3/2012 on Developments in Biometric Technologies (2012).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

EDPB, Guidelines 8/2020 on the targeting of social media users (2020):

If a social media provider or a targeter uses observed data to categorise users as having certain religious, philosophical or political beliefs-regardless of whether the categorization is correct/true or not-this categorisation of the user must obviously be seen as processing of special category of personal data in this context. As long as the categorisation enables targeting based on special category data, it does not matter how the category is labelled.

EDPB, Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (2020).

Financial transactions can reveal sensitive information about individual data subject, including those related to special categories of personal data. For example, political opinions and religious beliefs may be revealed by donations made to political parties or organisations, churches or parishes. Trade union membership may be revealed by the deduction of an annual membership fee from a person’s bank account. Personal data concerning health may be gathered from analysing medical bills paid by a data subject. Finally, information on certain purchases may reveal information concerning a person’s sex life or sexual orientation.

Moreover, through the sum of financial transactions, different kinds of behavioural patterns could be revealed, including special categories of personal data and additional services that are facilitated by account information services might rely on profiling as defined by article 4 (4) of the GDPR. Therefore, the chances are considerable that a service provider processing information on financial transactions of data subjects also processes special categories of personal data.

Premessi

(51) Data personali, li min-natura tagħha, tkun partikolarment sensittiva fir-rigward tad-drittijiet u l-libertajiet fundamentali jistħoqqilha protezzjoni speċifika billi l-kuntest tal-ipproċessar tagħha jista' joħloq riskji sinifikanti għad-drittijiet u l-libertajiet fundamentali. Dik id-data personali għandha tinkludi data personali li tiżvela l-oriġini razzjali jew etnika, fejn l-użu tat-terminu “oriġini razzjali” f'dan ir-Regolament ma jimplikax li l-Unjoni taċċetta teoriji li jippruvaw jiddeterminaw l-eżistenza ta' razez umani separati. L-ipproċessar ta' ritratti m'għandhux sistematikament jitqies bħala pproċessar ta' kategoriji speċjali ta' data personali peress li dawn ikunu koperti bid-definizzjoni ta' data bijometrika biss meta jiġu pproċessati b'mezz tekniku speċifiku li jippermetti l-identifikazzjoni unika jew l-awtentikazzjoni ta' persuna fiżika. Tali data personali ma għandhiex tiġi pproċessata, għajr jekk l-ipproċessar ikun permess f'każijiet speċifiċi stabbiliti f'dan ir-Regolament, b'kont meħud li l-liġi tal-Istati Membri tista' tistabbilixxi dispożizzjonijiet speċifiċi dwar il-protezzjoni ta' data sabiex tadatta l-applikazzjoni tar-regoli ta' dan ir-Regolament għal konformità ma' obbligu legali jew għall-prestazzjoni ta' kompitu mwettaq fl-interess pubbliku jew fl-eżerċizzju ta' awtorità uffiċjali mogħtija lill-kontrollur. Minbarra r-rekwiżiti speċifiċi għal dan l-ipproċessar, il-prinċipji ġenerali u regoli oħra ta' dan ir-Regolament għandhom japplikaw, b'mod partikolari fir-rigward tal-kondizzjonijiet għal ipproċessar legali. Id-derogi mill-projbizzjoni ġenerali għall-ipproċessar ta' tali kategoriji speċjali ta' data personali għandhom jiġu previsti b'mod espliċitu, fost oħrajn fejn is-suġġett tad-data jagħti l-kunsens espliċitu tiegħu jew tagħha jew fir-rigward ta' ħtiġijiet speċifiċi b'mod partikolari fejn l-ipproċessar isir waqt attivitajiet leġittimi minn ċerti assoċjazzjonijiet jew fondazzjonijiet li l-għan tagħhom huwa li jippermettu l-eżerċizzju ta' libertajiet fundamentali.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

2. Il-paragrafu 1 ma għandux japplika jekk japplika wieħed minn dawn li ġejjin:

2. Paragraph 1 shall not apply if one of the following applies:

Premessi

(52) Id-deroga mill-projbizzjoni dwar l-ipproċessar ta' kategoriji speċjali ta' data personali għandha tkun permessa wkoll meta tkun prevista fil-liġi tal-Unjoni jew ta' Stat Membru u soġġett għal salvagwardji adatti, sabiex jiġu protetti d-data personali u drittijiet fundamentali oħra, fejn ikun fl-interess pubbliku li jsir hekk, b'mod partikolari l-ipproċessar ta' data personali fil-qasam tal-liġi tal-impjiegi, il-liġi tal-protezzjoni soċjali, inkluż il-pensjonijiet u għas-sigurtà tas-saħħa, għal finijiet ta' monitoraġġ u twissija, prevenzjoni u kontroll ta' mard li jittieħed u ta' theddid serju ieħor għas-saħħa. Tali deroga tista' ssir għal finijiet ta' saħħa, inkluża s-saħħa pubblika u l-ġestjoni tas-servizzi tal-kura tas-saħħa, speċjalment sabiex tkun żgurata l-kwalità u l-kosteffettività tal-proċeduri użati għat-tpaċija ta' talbiet għal benefiċċji u servizzi fis-sistema tal-assigurazzjoni tas-saħħa, jew għal finijiet ta' arkivjar fl-interess pubbliku, għal finijiet ta' riċerka xjentifika jew storika jew għal finijiet ta' statistika. Id-deroga għandha tippermetti wkoll l-ipproċessar ta' tali data personali fejn dan ikun meħtieġ għall-istabbiliment, l-eżerċizzju jew id-difiża ta' talbiet legali, kemm jekk fi proċedimenti ġudizzjarji kif ukoll jekk fi proċedura amministrattiva jew extraġudizzjarja.

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Il-kategoriji speċjali ta' data personali li jistħoqqilhom aktar protezzjoni għandhom jiġu pproċessati biss għal finijiet relatati mas-saħħa fejn ikun meħtieġ biex jinkisbu dawk il-finijiet għall-benefiċċju ta' persuni fiżiċi u s-soċjetà inġenerali, b'mod partikolari fil-kuntest tal-ġestjoni tas-servizzi tal-kura tas-saħħa jew soċjali u sistemi, li jinkludu l-ipproċessar mill-awtoritajiet tal-ġestjoni u tas-saħħa nazzjonali ċentrali ta' tali data għall-fini tal-kontroll tal-kwalità, l-informazzjoni ta' ġestjoni u s-superviżjoni ġenerali nazzjonali u lokali tas-sistema tal-kura tas-saħħa jew soċjali, u billi tiġi żgurata kontinwità tal-kura tas-saħħa jew soċjali u l-kura tas-saħħa transkonfinali jew tas-sigurtà tas-saħħa, għall-finijiet ta' monitoraġġ u twissija jew għal finijiet ta' arkivjar fl-interess pubbliku, għal finijiet ta' riċerka xjentifika jew storika jew għal finijiet ta' statistika abbażi tal-liġi tal-Unjoni jew ta' Stat Membru li għandha tilħaq objettiv ta' interess pubbliku, kif ukoll għal studji mwettqa fl-interess pubbliku fil-qasam tas-saħħa pubblika. Għalhekk dan ir-Regolament għandu jipprevedi kondizzjonijiet armonizzati għall-ipproċessar ta' kategoriji speċjali ta' data personali dwar is-saħħa, fir-rigward ta' ħtiġijiet speċifiċi, b'mod partikolari fejn l-ipproċessar ta' tali data jsir għal ċerti finijiet relatati mas-saħħa minn persuni soġġetti għal obbligu legali ta' segretezza professjonali. Il-liġi tal-Unjoni jew ta' Stat Membru għandha tipprovdi għal miżuri speċifiċi u adatti sabiex jiġu protetti d-drittijiet fundamentali u d-data personali tal-persuni fiżiċi. L-Istati Membri għandhom ikunu jistgħu jżommu jew jintroduċu aktar kondizzjonijiet, inklużi limitazzjonijiet, fir-rigward tal-ipproċessar ta' data ġenetika, data bijometrika jew data dwar is-saħħa. Madankollu, dan m'għandux ixekkel il-fluss liberu tad-data personali fl-Unjoni meta dawk il-kondizzjonijiet japplikaw għall-ipproċessar transkonfinali ta' tali data.

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

(54) L-ipproċessar ta' kategoriji speċjali ta' data personali jista' jkun meħtieġ għal raġunijiet ta' interess pubbliku fl-oqsma tas-saħħa pubblika mingħajr il-kunsens tas-suġġett tad-data. Tali pproċessar jeħtieġ li jkun soġġett għal miżuri adatti u speċifiċi sabiex jiġu protetti d-drittijiet u l-libertajiet tal-persuni fiżiċi. F'dak il-kuntest, “saħħa pubblika” għandha tiġi interpretata kif definita fir-Regolament (KE) Nru 1338/2008 tal-Parlament Ewropew u tal-Kunsill (11), jiġifieri l-elementi kollha relatati mas-saħħa, b'mod partikolari l-istat tas-saħħa, inklużi l-morbożità u d-diżabbiltà, il-fatturi determinanti li għandhom effett fuq l-istat tas-saħħa, il-bżonnijiet fil-qasam tal-kura tas-saħħa, ir-riżorsi allokati għall-kura tas-saħħa, il-forniment tal-kura tas-saħħa u l-aċċess universali għaliha, kif ukoll l-infiq u l-finanzjament tal-kura tas-saħħa, u l-kawżi ta' mortalità. Tali pproċessar ta' data dwar is-saħħa għal raġunijiet ta' interess pubbliku ma għandux jirriżulta fl-ipproċessar ta' data personali għal finijiet oħra minn partijiet terzi bħal min iħaddem, kumpanniji tal-assigurazzjoni u kumpanniji bankarji.

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council [11], namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

_{(11) Regolament (KE) Nru 1338/2008 tal-Parlament Ewropew u tal-Kunsill tas-16 ta' Diċembru 2008 dwar l-istatistika Komunitarja dwar is-saħħa pubblika u s-saħħa u s-sigurtà fuq ix-xogħol (ĠU L 354, 31.12.2008, p. 70). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC}

_{[11] Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC}

(55) Barra minn hekk, l-ipproċessar ta' data personali minn awtoritajiet uffiċjali bil-għan li jinkisbu l-miri, stabbiliti mil-liġi kostituzzjonali jew mil-liġi pubblika internazzjonali, ta' assoċjazzjonijiet reliġjużi rikonoxxuti uffiċjalment jitwettaq għal raġunijiet ta' interess pubbliku.

(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

(56) Fejn, matul attivitajiet elettorali, l-operat tas-sistema demokratika fi Stat Membru teħtieġ li l-partiti politiċi jikkompilaw data personali dwar l-opinjonijiet politiċi tan-nies, l-ipproċessar ta' din id-data jista' jkun permess għal raġunijiet ta' interess pubbliku, dment li jiġu stabbiliti salvagwardji adatti.

(56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

(a) is-suġġett tad-data jkun ta kunsens espliċitu għall-ipproċessar ta’ dik id-data personali għal fini speċifiku wieħed jew aktar, għajr fejn il-liġi tal-Unjoni jew il-liġi ta’ Stat Membru tipprevedi li l-projbizzjoni msemmija fil-paragrafu 1 ma tistax titneħħa mis-suġġett tad-data;

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

Kummentarju ISO 27701 Testi relatati

Kummentarju

(EN) The first exception is based on “explicit consent”. Article 9 consent differs from the general notion of consent of article 6 in one important aspect: it must be explicitly provided by the person concerned. It means that the consent must be freely given, specific, informed, and unambiguous, under the definition of article 4 (11), and, in addition to these requirements, it must be “explicit”.

What form of consent is considered “explicit” and thus valid under article 9? The sensitive nature of the data involved entails a consent that goes beyond the regular “statement or clear affirmative action” [article 4 (11)] on the part of the data subject. It means that s/he must give “an express statement of consent” (Guidelines on Consent), even in the case where services are provided on a contractual basis. An explicit consent is needed because there is no contract based exceptions in article 9 (2) a controller can rely on.

The Guidelines on Consent suggest that a written statement or even a signed written statement may be required, even though the GDPR does not prescribe such a form of consent. A signed consent may be relevant if health data are collected, for example, in the context of services offered by a private clinic or a convalescent home. A plastic surgeon may need to gather information about a client’s health condition or share medical information to seek a second opinion from one of her/his colleagues. The managers of a convalescent home will have to gather information about a future pensionary’s health condition to arrange the appropriate services needed during her/his stay.

A signed written statement is not as practical in the digital or online environment. How can a person consent if, for example, s/he buys a plane ticket online and requires special medical assistance at boarding time, during the flight or at her/his arrival at destination? A valid consent will also be difficult to obtain if a person places an online order for buying special eyewear as the seller has to collect health-related information about her/his vision and share it with the manufacturer.

Simply following a link or ticking a box might be regarded as an insufficient consent in these examples. The Guidelines on Consent recommend other forms of consent, like filling in an electronic form, using an electronic signature, recording an oral statement or proceeding with a two-step verification (ticking a box in a form and confirming the consent by email afterward, for example).

Article 9 prescribes that a person must consent “for one or more specified purposes”. The requirement goes beyond the “specific” quality of consent required by article 4 (11). Purposes must be clearly specified, which implies that the consent must be tied to specific data or precise categories of data that the controller will be allowed to process.

You must always remember that the GDPR is not a complete statement on the state of the law on data protection in a particular Member State, and it is particularly true here because there is an exception to the exception. Consent is an invalid basis to process special categories of personal data if a Member State prohibits the lifting of the prohibition for processing special categories of personal data by an individual in its national legislation, as the GDPR allows it.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 9(2)(a) GDPR:

7.2.4 Obtain and record consent

Control

The organization should obtain and record consent from PII principals according to the documented processes.

Implementation guidance

The organization should obtain and record consent from PII principals in such a way that it can provide on request details of the consent provided (for example the time that consent was provided, the identification of the PII principal, and the consent statement).

(EN) […]

(EN) Sign in
to read the full text

Testi relatati

Guidelines on consent under Regulation 2016/679

OBTAINING EXPLICIT CONSENT

93. The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.[47]

_{[47] See also WP29 Opinion 15/2011, on the definition of consent (WP 187), p. 25.}

94. However, such a signed statement is not the only way to obtain explicit consent and, it cannot be said that the GDPR prescribes written and signed statements in all circumstances that require valid explicit consent. For example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. In theory, the use of oral statements can also be sufficiently express to obtain valid explicit consent, however, it may be difficult to prove for the controller that all conditions for valid explicit consent were met when the statement was recorded.

95. An organisation may also obtain explicit consent through a telephone conversation, provided that the information about the choice is fair, intelligible and clear, and it asks for a specific confirmation from the data subject (e.g. pressing a button or providing oral confirmation).

(b) l-ipproċessar ikun meħtieġ għall-finijiet tat-twettiq tal-obbligi u l-eżerċizzju ta’ drittijiet speċifiċi tal-kontrollur jew tas-suġġett tad-data fil-qasam tal-liġi dwar l-impjiegi u dwar il-protezzjoni soċjali u s-sigurtà soċjali sa fejn dan ikun awtorizzat mil-liġi tal-Unjoni jew mil-liġi ta’ Stat Membru jew minn ftehim kollettiv skont il-liġi ta’ Stat Membru li jipprevedu salvagwardji xierqa għad-drittijiet fundamentali u l-interessi tas-suġġett tad-data;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

Kummentarju

(EN) Processing of special categories of personal data in the field of employment, social security, and social protection law is possible only if it is “necessary” (read about the necessity and proportionality principles in the general commentary below) and it satisfies two other conditions:

it is authorised by the European Union or Member State law or a collective agreement; and
there are appropriate safeguards in place to protect the fundamental rights and interests of individuals.

The European regulation essentially refers to the legislation of the Member States to acknowledge the existence of exceptions and verify if individuals’ fundamental rights are preserved. Therefore, there are no general rules applicable to the entire Union and the exception can only be understood on a State by State basis. The controller has to invoke a specific legal provision authorizing the processing of personal data in the context of employment, social security or social protection law.

Member States may allow employers to collect personal data in order to provide health insurance policies to their employees, maintain records of sick, maternity or paternity leaves, deduct union dues from payslips or provide special working conditions or environment to persons with disabilities. They can also authorize insurers, for example, to process health data for paying accidents or invalidity indemnities to employees.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

(c) l-ipproċessar ikun meħtieġ għall-protezzjoni tal-interessi vitali tas-suġġett tad-data jew ta’ persuna fiżika oħra fejn is-suġġett tad-data ma jkunx fiżikament jew legalment kapaċi li jagħti l-kunsens;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

Kummentarju

(EN) According to article 9 2) (c), processing of special categories of personal data is allowed if it is “necessary” (read about the necessity and proportionality principles in the general commentary below) to protect a person’s vital interests or third parties’ ones. The vital interests exception is similar to article 6 1) (d) lawful basis to process data except that it applies only if you cannot obtain a person’s consent.

The scope of the exception is limited as it concerns only the protection of a “vital interest” of a person, that is to say, “an interest which is essential for [her/his] life” (recital 46). It includes threats to the physical integrity or life of a person or a third person. In other words, it must be a matter of life and death even though recital 46 seems to widen the scope of the exception. It suggests that it may also apply to humanitarian situations such as monitoring epidemics or providing relief for natural or man-made disasters.

The second condition limits drastically the scope of the vital interests exception: it may be invoked only if the individual is physically or legally incapable of giving consent. It can be the case if a person is unconscious, for example, or is unable to consent because of her/his legal status, like a minor or an adult under guardianship or trusteeship. You should ask for explicit consent, according to paragraph 2 a) of article 9, whenever it is possible. You cannot rely on the vital interests exception as an alternative option if a person is able to consent and has refused to do so.

Essentially, the vital interests exception is useful for medical emergency situations. If a person has suffered a life-threatening injury, for example, the medical staff may need her/his medical history to decide on the proper treatment. As the person is unable to offer her/his consent, the hospital needs a legal basis to process her/his health data and the vital interests exception might prove useful. It can also be convenient in cases of epidemics. It may be impossible for all infected individuals to consent in a timely manner to allow medical staff to gather data in order to prevent the spread of the epidemic and, in doing so, to protect third parties’ vital interests.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

(d) l-ipproċessar isir waqt l-attivitajiet leġittimi tiegħu b’salvagwardji adatti minn fondazzjoni, assoċjazzjoni jew kwalunkwe korp ieħor mingħajr skop ta’ qligħ b’għan politiku, filosofiku, reliġjuż jew ta’ trade union u bil-kondizzjoni li l-ipproċessar ikun relatat biss mal-membri jew ex membri tal-korp jew ma’ persuni li għandhom kuntatt regolari miegħu b’rabta mal-finijiet tiegħu u li d-data personali ma tkunx żvelata barra dak il-korp mingħajr il-kunsens tas-suġġetti tad-data;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

Kummentarju

(EN) The General Data Protection Regulation contains a circumscribed exception for the processing of special categories of personal data by the following types of organizations:

associations;
foundations; and
other not-for-profit bodies.

The list appears to be closed and limited to these exact types of organizations, excluding any other types. As the legal status of charity, nonprofit, and philanthropy organizations is not uniform in the European Union, one should not attach too much importance to the name of the concerned body. The word “other” confirms that the list is illustrative and the exact nature of the organization depends on the legal form and structure the Member States give them.

It is more a question of the aims or goals of the organization than of its exact denomination, as it must pursue one of the following objectives

political;
philosophical;
religious; or
trade union.

The list refers to a limited number of activities and it cannot be extended beyond. Political parties, worship organizations or trade unions are clearly targeted. The philosophical aim category is not as easy to define. An organization devoted to environmental, vegan or anti-speciesism questions may qualify as pursuing a philosophical goal depending on a Member State law. How far that category may be expanded will depend on the Court of Justice of the European Union interpretation of the provision.

These organizations must process special categories of personal data only in the course of their “legitimate activities”. It means that the processing must be directly connected to the political, philosophical, religious or trade union activities of the organization. An association, a foundation or any other not-for-profit body cannot invoke that exception to process special categories of personal data that are not closely related to its core activities in accordance with its purposes and powers set out in its governing charter.

The GDPR requires that organizations handle special categories of personal data with appropriate safeguards. It is not clear what exactly the legislator had in mind by adopting this additional condition. It clearly implies that proper security measures should be in place to protect the processed data due to their sensitive nature. Data must also be accessible only to the persons who need to deal with them to achieve the organizations’ aims.

It follows logically that the personal data cannot be disclosed outside the organization, although article 9 2) (d) allows such divulgation with the consent of the concerned individuals. The body cannot share its membership list, for example, with other organizations unless it obtained its members’ consent. I do not see any legal impediment prohibiting the selling of that same list to finance the organization’s activities if its members consent to the divulgation of their personal data. The organization will also have to seek consent to name any individual members in a fundraiser campaign or an annual report, for example.

The scope of the exception is limited to processing special categories of personal data concerning an organization’s i) members, ii) former members or iii) individuals who have “regular contact” with it in connection with its goals. It excludes the organization’s employees or prospective members before they join the organization, but it may include partners, contributors or regular beneficiaries of the organization’s services who are not formally members of it.

It is a self-evident exception to the general rule that special categories of personal data cannot be processed as it allows organizations that owe their existence solely to the pursuit of one of the goals mentioned to process data essential to their operation. How would a political party exist if it cannot process the political opinions of their partisans? It is the same with trade unions that have to deal with data concerning their members or churches that have to process data revealing their believers’ religious beliefs in the course of their regular activities (see article 91).

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

(e) l-ipproċessar ikun relatat ma’ data personali li b’mod ċar tkun saret pubblika mis-suġġett tad-data;

(e) processing relates to personal data which are manifestly made public by the data subject;

Kummentarju Linji ta 'Gwida & Ġurisprudenza

Kummentarju

(EN) The European legislator introduced an exception – for special categories of personal data which are manifestly made public by a person – that seems completely logical at first glance. If a person willingly shares her/his data, it sounds reasonable to allow the processing of these data by third parties. On second thought, many questions come to mind. What does “manifestly” mean? When are data “public”? How to determine if a person intended to make her/his data public?

The exception does not concern all special categories of data publicly available. It applies strictly to data that an individual personally disclosed. It must be a publication that results from a clear and voluntary decision from an individual to disclose information about her/him. It should not be an accidental, inadvertent, involuntary or unintentional disclosure. It should be the result of a free and deliberate decision. The individual must be fully conscious that s/he made her/his data public. Thus, it excludes leaked data, data accessible after a security breach or data shared unintentionally or by inadvertence…

(EN) […]

(EN) Sign in
to read the full text

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Linji ta 'Gwida & Ġurisprudenza

(EN) EDPB, Guidelines 8/2020 on the targeting of social media users (2020):

The word “manifestly” implies that there must be a high threshold for relying on this exemption.The EDPB notes that the presence of a single element may not always be sufficient to establish that the data have been “manifestly” made public by the data subject. In practice,a combination of the following or other elements may need to be considered for controllers to demonstrate that the data subject has clearly manifested the intention to make the data public, and a case-by-case assessment is needed. The following elements may be relevant to help inform this assessment:

the default settings of the social media platform (i.e. whether the data subject took a specific action to change these default private settings into public ones); or

the nature of the social media platform (i.e. whether this platform is intrinsically linked with the idea of connecting with close acquaintances of the data subject or creating intimate relations (such as online dating platforms), or if it is meant to provide a wider scope of interpersonal relations, such as professional relations, or microblogging, etc… ; or

the accessibility of the page where the sensitive data is published (i.e. whether the information is publically accessible or if, for instance, the creation of an account is necessary before accessing the information); or

the visibility of the information where the data subject is informed of the public nature of the information that they publish (i.e. whether there is for example a continuous banner on the page, or whether the button for publishing informs the data subject that the information will be made public…); or

if the data subject has published the sensitive data himself/herself, or whether instead the data has been published by a third party (e.g. a photo published by a friend which reveals sensitive data) or inferred.

The EDPB notes that the presence of a single element may not always be sufficient to establish that the data have been “manifestly” made public by the data subject. In practice,a combination of these or other elements may need to be considered for controllers to demonstrate that the data subject has clearly manifested the intention to make the data public.

(f) l-ipproċessar ikun meħtieġ għall-istabbiliment, l-eżerċizzju jew id-difiża ta’ talbiet legali jew kull darba li l-qrati jkunu qed jaġixxu fil-kapaċità ġudizzjarja tagħhom;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

Kummentarju

(EN) The legal exception comprises two distinct parts, as it applies to:

processing necessary for establishing, exercising or defending a legal claim, and
courts acting in their judicial capacity.

1) The legal claim exception, in the context of article 9, is broad and is not limited to pending legal proceedings. It applies to ongoing legal claims along with prospective ones. A person may have to share personal data in order to obtain legal advice, to report a situation that may potentially lead to a legal claim or to prepare future proceedings, even if no procedures have been filed in court yet. It might concern administrative or court proceedings, as well as out-of-court procedures (recital 52).

The keyword in paragraph 2) (f) is “necessary” (read about the necessity principle in the general commentary below): the use of personal information must be necessary to establish, exercise or defend legal rights. It still needs to be defined what necessary means in the context of the GDPR. A reference to the general necessity principle in European Union law should lead to justifying the use of personal data for the legal claim exception based on objective evidence. There must be a substantial connection between the processing and the data processed in the context of a specific case.

The use of personal data should also be proportionate (read about the proportionality principle in the general commentary below): it should not go beyond what is necessary to achieve the objective pursued. Data used must be adequate and relevant “for the establishment, exercise or defence of legal claims” and their use should be limited to what is needed. In other words, it means that you should not use more data than what is necessary to proceed.

An example of using personal data before any legal proceedings have been initiated is if you have to report an accident to your insurer. Your insurer will eventually have to deal with data concerning your health or the health of other persons implicated in the accident. It does not mean that a claim will be brought before the court and if so, that it will not be settled before any proceedings take place.

I may cite another typical example, concerning this time the establishment of a defence to an actual legal claim. Your employee is suing you after that an accident has occurred in the workplace. You will have to share the details of the accident, including information in your possession about the injuries your employee has suffered, with your lawyer. As these data are considered health-related information, you will have to invoke paragraph 2) (f) exception.

2) The second part of the legal exception concerns courts acting in their judicial capacity. The exception is necessary to preserve the independence of justice (recital 20), which also ensures compliance with legal guarantees provided for by European and national rights and freedoms instruments. The GDPR does not specify the scope of the expression “courts […] acting in their judicial capacity”, except that it includes the decision-making process (recital 20).

Article 9 mentions only “courts”, but recital 97 seems to extend the exception to “independent judicial authorities”. Even if it is not the case, the interpretation of the term “court” may lead to such an extension. It raises questions in consequence for many existing procedures lead by quasi-judicial bodies, like arbitrators, arbitration tribunals or public administrative agencies. They conduct proceedings, during which the rights and freedoms of the parties involved must be guaranteed, they determine facts, they interpret the law, and they have powers of adjudication much like any courts of law.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

(g) l-ipproċessar ikun meħtieġ għal raġunijiet ta’ interess pubbliku sostanzjali, fuq il-bażi tal-liġi tal-Unjoni jew ta’ Stat Membru, li għandha tkun proporzjonata mal-għan segwit, tirrispetta l-essenza tad-dritt għall-protezzjoni tad-data u tipprevedi miżuri xierqa u speċifiċi sabiex tissalvagwardja d-drittijiet fundamentali u l-interessi tas-suġġett tad-data;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

Kummentarju

(EN) The substantial public interest exception is characterized by the number of conditions attached to it and therefore its limited scope:

Processing must be necessary;
It must be based on a Union or Member State law; and
The Union or Member State law itself must:
- be proportionate to the goal pursued;
- respect the essence of the right to data protection; and
- guarantee suitable and specific measures to safeguard the fundamental rights and the interests of individuals concerned.

The terms “substantial public interest” are not defined in the General Data Protection Regulation. As the exception refers to the Union or Member State law, article 9 2) (g) gives a margin of appreciation to the national jurisdictions to decide locally what is of “substantial public interest”. A “substantial” public interest clearly requires a higher standard than simple public interest. If the latter refers to the public good and what is in the best interests of the society, the former must have to do with a real and tangible interest, an interest of considerable importance. A substantial public interest may be related to the exercise of fundamental rights and freedoms, like organizing the electoral process, or the maintenance of order and security, like fighting terrorism.

The Data Protection Act 2018, for example, recognizes twenty-three (23) cases where a substantial public interest is involved in the United Kingdom. Exceptions range from the administration of justice to safeguarding of children at risk, and extend to equality of opportunity, anti-doping in sport or publication of legal decisions. It is hard to distinguish in these examples what is in the general public interest and what is based on “substantial” public interest.

The substantial public interest exception does not apply to special categories of personal data which already benefit from an exception under article 9, like public health [paragraph 2, sub-paragraph (i)]. It is sometimes tricky though to decide which exception is applicable. One must refer to the specifics of the case and examine the facts attentively to decide what would be the best legal basis to process special categories of personal data.

Political parties may be required by a Member State’s legislation to compile personal data on individuals’ political opinions in the course of the electoral process based on the substantial public interest exception (recital 56). It differs from the foundation, association or not-for-profit body exception [article 9 2) (d)] in one aspect: the compilation is required by law and is not done as part of a political party’s main activities. It also exempts the organization from obtaining its members’ consent to divulge the collected personal data to the appropriate authorities.

I was asked recently about the proper legal basis to process data about students with disabilities. A school needs to collect and use these data to offer children services adapted to their learning capacity. Information about disabilities should be considered health-related data and thus special categories of personal data. They cannot be processed unless there is a specific exception that can be invoked.

It does not seem to be possible to rely on the public health exception [see paragraph 2, sub-paragraph (i) comment] to satisfy that request. If the Member State’s legislation in which the school operates provides for an exception to process special categories of personal data for the education of children with disabilities, the substantial public interest exception would be an appropriate legal basis. As it might be possible to get explicit consent [paragraph 2, sub-paragraph (a)] to process such data, that option should also be explored in the circumstances. The school will then have to respect the other requirements set in article 9 2) (g).

I already discussed the necessity principle in the general commentary below, and I would refer readers to it, as well as the proportionality principle that Union or Member State law must respect. The European or national text must also uphold the “essence of the right to data protection” and offer “suitable and specific measures” to protect the rights and interests of individuals concerned. It is therefore essential for the local authorities to comply with the Charter of Fundamental Rights of the European Union (article 8) and the principles set out in the GDPR.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

(h) l-ipproċessar ikun meħtieġ għall-finijiet ta’ mediċina preventiva jew okkupazzjonali, għall-valutazzjoni tal-kapaċità ta’ ħaddiem għax-xogħol, dijanjosi medika, il-forniment ta’ kura tas-saħħa jew soċjali jew it-trattament jew il-ġestjoni ta’ sistemi u servizzi tal-kura tas-saħħa u soċjali abbażi tal-liġi tal-Unjoni jew tal-liġi ta’ Stat Membru jew skont kuntratt ma’ professjonista fil-kura medika u soġġett għall-kondizzjonijiet u s-salvagwardji msemmija fil-paragrafu 3;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

Kummentarju Linji ta 'Gwida & Ġurisprudenza

Kummentarju

(EN) Article 9 2) (h) provides for exceptions to processing data related to medical and social care, which must be necessary (read about the necessity principle in the general commentary below) for:

preventive medicine;
occupational medicine;
assessing the working capacity of employees;
medical diagnosis;
provision of health or social care or treatment; or
management of health or social care systems.

It is a list of self-explanatory exceptions and they do not need more exemplification except for the assessing the working capacity of employees exception. It does not overlap with the employment, social security and social protection law exception [sub-paragraph (b)] as it does not concern sensitive data about employees in general, but exclusively data necessary to assess the capacity of an employee to perform her/his job. The assessment can be performed through, for example, drug testing, physical tests or medical exams. The goal is to find out if the person is apt to work in a position that requires specific abilities or a particular health condition.

As it is often the case with the GDPR, the legal basis for the exception is to be sought in the Union or Member State law. Knowledge of the European legislation is not enough, you also have to understand the national law of the concerned Member State. The legal basis for the medical and social care exception may equally be found in a contract with a health professional if some conditions and safeguards are respected.

Paragraph 3 of article 9 states that the exception is applicable, if based on a contract with a health professional, only if data are processed by a person who is bound by professional secrecy. The conditions and obligations linked to the secrecy can be enumerated in a European Union or national law or established by a national competent body. The definition of health professionals is also left to the Member States. It may include any professionals subject to a duty of confidentiality, like doctors, dentists, nurses, opticians, physiotherapists or social workers.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Linji ta 'Gwida & Ġurisprudenza

(EN) EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

(i) l-ipproċessar ikun meħtieġ għal raġunijiet ta’ interess pubbliku fil-qasam tas-saħħa pubblika, bħall-protezzjoni kontra theddid transkonfinali serju għas-saħħa jew biex jiġu żgurati standards għoljin ta’ kwalità u sikurezza tal-kura tas-saħħa u ta’ prodotti mediċinali jew apparat mediku, fuq il-bażi tal-liġi tal-Unjoni, jew tal-liġi ta’ Stat Membru li tipprevedi miżuri adatti u speċifiċi sabiex jiġu protetti d-drittijiet u l-libertajiet tas-suġġett tad-data, b’mod partikulari s-segretezza professjonali;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

Kummentarju Linji ta 'Gwida & Ġurisprudenza

Kummentarju

(EN) The difference between the medical and social care [subparagraph (h)] and the public health exceptions is not that obvious and both exceptions may overlap in some cases. The first exception applies to the processing of sensitive data for preventive medicine, for example, whereas the second one affects cross-border threats to health. It is not impossible that the same set of data may be used in one case as well the other for the exact same purpose.

The perimeter of article 9 2) (i) is apparently well delimited: it applies to the processing of sensitive data, without the explicit consent of an individual based on subparagraph (a) (recital 54), that are necessary (read about the necessity principle in the general commentary below) for reasons of public interest in the area of public health. Public interest refers to the public good and what is in the best interests of a group of individuals or the society as a whole (recital 53). A personal interest is not enough to justify the application of this exception and once data have been processed under this subparagraph, they cannot be shared with third parties, like employers, insurers or banks (recital 54).

Public health is exemplified in article 9 2) (i) itself, but it offers a non-exhaustive list of possible uses. It includes the protection against serious cross-border threats to health and insurance of high standards of quality and safety of health care, medicinal products or medical devices. It encompasses, for example, data necessary to study or fight epidemics or to plan a vaccination program.

Public health is further defined as “all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality” [Regulation (EC) No 1338/2008]. Some aspects of that definition are undoubtedly covered by the medical and social care exception [subparagraph (h)], as management of health or social care systems.

As it is often the case with the GDPR, the legal basis for the exception is to be sought in the Union or Member State law. Knowledge of the European legislation is not enough, you also have to understand the national law of the concerned Member State. Member States may maintain or introduce further conditions and limitations than those provided for in article 9 2) (i) [article 9 (4) and recital 53]. They should furthermore guarantee individuals’ fundamental rights and the protection of their personal data by law (recitals 53 and 54).

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Linji ta 'Gwida & Ġurisprudenza

(EN)

Legislation

Regulation (EC) No 1338/2008 on Community Statistics on Public Health and Health and Safety at Work, OJEU L 354, 31 December 2008, p. 70.

Documents

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

(j) l-ipproċessar ikun meħtieġ għal finijiet ta’ arkivjar fl-interess pubbliku, għal finijiet ta’ riċerka xjentifika jew storika jew għal finijiet ta’ statistika f’konformità mal-Artikolu 89(1) fuq il-bażi tal-liġi tal-Unjoni jew ta’ Stat Membru, li għandha tkun proporzjonata mal-għan segwit, tirrispetta l-essenza tad-dritt għall-protezzjoni tad-data u tipprevedi miżuri xierqa u speċifiċi sabiex tissalvagwardja d-drittijiet fundamentali u l-interessi tas-suġġett tad-data.

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Kummentarju Linji ta 'Gwida & Ġurisprudenza Testi relatati

Kummentarju

(EN) Exceptions under article 9 2) (j) cover a wide range of interests and they might prove essential for the whole society and future generations. They concern four (4) different spheres:

Archives;
Scientific research;
Historical research; and
Statistical.

The archiving, research, and statistics exception must respect a list of conditions:

Processing must be necessary;
It must be based on a Union or Member State law; and
The Union or Member State law itself must:
- be proportionate to the goal pursued;
- respect the essence of the right to data protection; and
- guarantee suitable and specific measures to safeguard the fundamental rights and the interests of individuals concerned.

I’ve already discussed the necessity principle in the general commentary below, and I would refer readers to it, as well as the proportionality principle that Union or Member State law must respect. The European or national legal text must also uphold the “essence of the right to data protection” and offer “suitable and specific measures” to protect the rights and interests of individuals concerned. It is therefore essential for the local authorities to comply with the Charter of Fundamental Rights of the European Union (article 8) and the principles set out in the GDPR. Article 89 provides for more specifics on the safeguards and derogations relating to the processing of sensitive data in the context of the archiving, research, and statistics exception, and I invite you to read my comment relating to that provision.

As for the archiving exception, you must further demonstrate that the processing is in the public interest. A personal, corporate or financial interest is not enough to justify the application of this exception, you must be able to demonstrate that you are processing special categories of personal data for the public good and in the best interests of a group of individuals or the society as a whole (recital 53).

Archives concern public authorities, as well as public or private bodies that “have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records” (recital 158). Cold case murder investigations, for example, may justify the archiving of sensitive data in the public interest. Collecting information about political behavior under former totalitarian state regimes or related to genocide and crimes against humanity constitutes a further example (recital 158). Archived data may be used after for different purposes, among them is scientific research (recital 162).

Scientific research based on public and private registries may provide deeper knowledge of widespread medical conditions, like cardiovascular disease, cancer or depression (recital 157). Archives may also allow researchers to establish long-term correlations between unemployment or education and other life conditions (recital 157). Knowledge-based policy can thus be implemented to offer better social services or to improve the quality of life of the population (recital 157).

The scientific research exception aims at achieving a European research area to encourage the flow of researchers, scientific knowledge and technology [article 179(1) TFEU]. It must be interpreted broadly, according to the GDPR, and it applies to both public-sector and privately funded research (recital 159).

Clinical research undertaken in the public interest and meeting the other criteria of subparagraph (j) should be based on this exception rather than on express consent [subparagraph (a) and Regulation (EU) No 536/2014, article 29], recommends the European Data Protection Board (Opinion 3/2019). It is the safest possible ground as research may be compromised if individuals withdraw their consent while the research is conducted or after.

A classic example is a pharmaceutical company that conducts clinical trials for a new drug. If it relies on explicit consent [subparagraph (a)], it might face awkward consequences. Individuals participating in the trial might change their minds at the last stage of the research and decide to withdraw their consent. That eventuality would jeopardize the whole process and deprive society of the potential benefits of a new drug. Pharmaceutical companies may give additional guarantees by using anonymized or pseudonymized data in the course of their research to reduce the impact on participants and to compensate for the impossibility to withdraw their consent if the scientific research exception is invoked.

Statistical purposes is defined as “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results” (recital 162). Statistics should be developed, produced and disseminated according to six (6) principles: impartiality, reliability, objectivity, independence, cost-effectiveness, and confidentiality [article 338(2) TFEU].

The collection of stats should result in “aggregate data” and not “personal data”, which means that they should not concern any particular individuals but constitute abstract data concerning a group of anonymized individuals (recital 162). The statistics thus generated cannot be used to make decisions about any targeted individuals (recital 162). Furthermore, confidential information collected for statistical purposes must be protected with appropriate legal and technical safeguards (recital 163).

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Linji ta 'Gwida & Ġurisprudenza

(EN)

Document

EDPB, Opinion 3/2019 Concerning the Questions and Answers on the Interplay Between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b)) (2019).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

Legislation

Regulation (EU) No 536/2014 on Clinical Trials on Medicinal Products for Human Use, OJEU L 158, 27 May 2014, p. 1.

Testi relatati

Artikolu 89 RĠPD (GDPR). Salvagwardji u derogi relatati mal-ipproċessar għal finijiet ta' arkivjar fl-interess pubbliku, għal finijiet ta' riċerka xjentifika jew storika jew għal finijiet ta' statistika

Article 89 GDPR. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1. L-ipproċessar għal finijiet ta’ arkivjar fl-interess pubbliku, għal finijiet ta’ riċerka xjentifika jew storika jew għal finijiet ta’ statistika, għandu jkun soġġett għal salvagwardji xierqa, f’konformità ma’ dan ir-Regolament, għad-drittijiet u l-libertajiet tas-suġġett tad-data. Dawk is-salvagwardji għandhom jiżguraw li jkunu fis-seħħ miżuri tekniċi u organizzattivi b’mod partikolari sabiex jiġi żgurat ir-rispett tal-prinċipju ta’ minimizzazzjoni tad-data. Dawk il-miżuri jistgħu jinkludu psewdonimizzazzjoni, sakemm dawk il-finijiet jistgħu jiġu sodisfatti b’dak il-mod. Fejn dawk il-finijiet jistgħu jiġu sodisfatti bi pproċessar ulterjuri li ma jippermettix jew ma għadux jippermetti l-identifikazzjoni ta’ suġġetti tad-data dawk il-finijiet għandhom jiġu sodisfatti b’dak il-mod.

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

[…]

Guidelines on consent under Regulation 2016/679

Scientific research

153. Recital 33 seems to bring some flexibility to the degree of specification and granularity of consent in the context of scientific research. Recital 33 states: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”

3. Id-data personali msemmija fil-paragrafu 1 tista’ tiġi pproċessata għall-finijiet imsemmija fil-punt (h) tal-paragrafu 2 meta dik id-data tiġi pproċessata minn professjonista jew taħt ir-responsabbiltà tiegħu li jkun soġġett għall-obbligu ta’ segretezza professjonali skont il-liġi tal-Unjoni jew ta’ Stat Membru jew regoli stabbiliti minn korpi kompetenti nazzjonali jew minn persuna oħra li tkun ukoll soġġetta għal obbligu ta’ segretezza skont il-liġi tal-Unjoni jew ta’ Stat Membru jew ir-regoli stabbiliti minn korpi kompetenti nazzjonali.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. L-Istati Membri jistgħu jżommu jew jintroduċu aktar kondizzjonijiet, inklużi limitazzjonijiet, fir-rigward tal-ipproċessar ta’ data ġenetika, data bijometrika jew data dwar is-saħħa.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Regolament Ġenerali dwar il-Protezzjoni tad-Data (RĠPD, GDPR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Kummentarju ISO 27701 Premessi Linji ta 'Gwida & Ġurisprudenza Ħalli kumment

Kummentarju

(EN) Some personal data, because of their sensitive nature, belong to special categories in the General Data Protection Regulation. Processing data mentioned in one of these eight (8) categories poses indeed “significant risks to the fundamental rights and freedoms” of an individual (recital 51). Risks vary depending on the type of data involved. Paragraph one of article 9 enumerates all types of data covered, but they are not readily intelligible. A visual list, broken down into eight points, helps to clarify the scope of the provision and what data are considered “special” by the European regulation:

data disclosing racial or ethnic origin;
data divulging political opinions;
data revealing religious or philosophical beliefs;
data about trade union membership;
genetic data;
biometric data used to identify a person;
data concerning health; and
data relating to a person’s sex life or sexual orientation.

(EN) […]

(EN) Sign in
to read the full text

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 9 GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

(EN) […]

(EN) Sign in
to read the full text

Premessi

Linji ta 'Gwida & Ġurisprudenza

(EN)

Documents

Article 29 Working Party, Opinion 2/2010 on behavioural advertising (2010):

Any possible targeting of data subjects based on sensitive information opens the possibility of abuse. Furthermore, given the sensitivity of such information and the possible awkward situations which may arise if individuals receive advertising that reveals, for example, sexual preferences or political activity, offering/using interest categories that would reveal sensitive data should be discouraged.

In this context, the only available legal ground that would legitimize the data processing would be explicit, separate prior opt-in consent. The requirement for a separate, affirmative prior indication of the data subjects’ agreement means that in no case would an opt-out consent mechanism meet the requirement of the law. It also means that such consent could not be obtained through browser settings. To lawfully collect and process this type of information, ad network providers would have to set up mechanisms to obtain explicit prior consent, separate from other consent obtained for processing in general.

EDPB, Assessing the Necessity of Measures That Limit the Fundamental Right to the Protection of Personal Data: A Toolkit (2017).

WP29, Opinion on data processing at work (2017).

European Commission, Commission Guidance on the application of Union data protection law in the electoral context, A contribution from the European Commission to the Leaders’ meeting in Salzburg on 19-20 September 2018.

EDPB, Guidelines on Assessing the Proportionality of Measures That Limit the Fundamental Rights to Privacy and to the Protection of Personal Data (2019).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

EDPB, Guidelines 8/2020 on the targeting of social media users (2020).

EDPB, Guidelines 3/2020 on the Processing of Data Concerning Health for the Purpose of Scientific Research in the Context of the Covid-19 Outbreak (2020).

EDPB, Guidelines 3/2019 on Processing of Personal Data through Video Devices (2020).

European Commission, Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection Brussels (2020).

EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).