Navigazzjoni
RĠPD (GDPR) > Artikolu 9. Ipproċessar ta' kategoriji speċjali ta' data personali
Download PDF

Artikolu 9 RĠPD (GDPR). Ipproċessar ta' kategoriji speċjali ta' data personali

Article 9 GDPR. Processing of special categories of personal data

1. L-ipproċessar ta’ data personali, li jiżvela oriġini razzjali jew etnika, opinjonijiet politiċi, twemmin reliġjuż jew filosofiku, jew sħubija fi trade union, u l-ipproċessar ta’ data ġenetika, data bijometrika sabiex tidentifika b’mod uniku persuna fiżika, data dwar is-saħħa jew data dwar il-ħajja sesswali u l-orjentazzjoni sesswali ta’ persuna fiżika huma projbiti.

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Linji ta 'Gwida & Ġurisprudenza Premessi

(51) Data personali, li min-natura tagħha, tkun partikolarment sensittiva fir-rigward tad-drittijiet u l-libertajiet fundamentali jistħoqqilha protezzjoni speċifika billi l-kuntest tal-ipproċessar tagħha jista' joħloq riskji sinifikanti għad-drittijiet u l-libertajiet fundamentali. Dik id-data personali għandha tinkludi data personali li tiżvela l-oriġini razzjali jew etnika, fejn l-użu tat-terminu “oriġini razzjali” f'dan ir-Regolament ma jimplikax li l-Unjoni taċċetta teoriji li jippruvaw jiddeterminaw l-eżistenza ta' razez umani separati. L-ipproċessar ta' ritratti m'għandhux sistematikament jitqies bħala pproċessar ta' kategoriji speċjali ta' data personali peress li dawn ikunu koperti bid-definizzjoni ta' data bijometrika biss meta jiġu pproċessati b'mezz tekniku speċifiku li jippermetti l-identifikazzjoni unika jew l-awtentikazzjoni ta' persuna fiżika. Tali data personali ma għandhiex tiġi pproċessata, għajr jekk l-ipproċessar ikun permess f'każijiet speċifiċi stabbiliti f'dan ir-Regolament, b'kont meħud li l-liġi tal-Istati Membri tista' tistabbilixxi dispożizzjonijiet speċifiċi dwar il-protezzjoni ta' data sabiex tadatta l-applikazzjoni tar-regoli ta' dan ir-Regolament għal konformità ma' obbligu legali jew għall-prestazzjoni ta' kompitu mwettaq fl-interess pubbliku jew fl-eżerċizzju ta' awtorità uffiċjali mogħtija lill-kontrollur. Minbarra r-rekwiżiti speċifiċi għal dan l-ipproċessar, il-prinċipji ġenerali u regoli oħra ta' dan ir-Regolament għandhom japplikaw, b'mod partikolari fir-rigward tal-kondizzjonijiet għal ipproċessar legali. Id-derogi mill-projbizzjoni ġenerali għall-ipproċessar ta' tali kategoriji speċjali ta' data personali għandhom jiġu previsti b'mod espliċitu, fost oħrajn fejn is-suġġett tad-data jagħti l-kunsens espliċitu tiegħu jew tagħha jew fir-rigward ta' ħtiġijiet speċifiċi b'mod partikolari fejn l-ipproċessar isir waqt attivitajiet leġittimi minn ċerti assoċjazzjonijiet jew fondazzjonijiet li l-għan tagħhom huwa li jippermettu l-eżerċizzju ta' libertajiet fundamentali.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

2. Il-paragrafu 1 ma għandux japplika jekk japplika wieħed minn dawn li ġejjin:

2. Paragraph 1 shall not apply if one of the following applies:

Premessi

(52) Id-deroga mill-projbizzjoni dwar l-ipproċessar ta' kategoriji speċjali ta' data personali għandha tkun permessa wkoll meta tkun prevista fil-liġi tal-Unjoni jew ta' Stat Membru u soġġett għal salvagwardji adatti, sabiex jiġu protetti d-data personali u drittijiet fundamentali oħra, fejn ikun fl-interess pubbliku li jsir hekk, b'mod partikolari l-ipproċessar ta' data personali fil-qasam tal-liġi tal-impjiegi, il-liġi tal-protezzjoni soċjali, inkluż il-pensjonijiet u għas-sigurtà tas-saħħa, għal finijiet ta' monitoraġġ u twissija, prevenzjoni u kontroll ta' mard li jittieħed u ta' theddid serju ieħor għas-saħħa. Tali deroga tista' ssir għal finijiet ta' saħħa, inkluża s-saħħa pubblika u l-ġestjoni tas-servizzi tal-kura tas-saħħa, speċjalment sabiex tkun żgurata l-kwalità u l-kosteffettività tal-proċeduri użati għat-tpaċija ta' talbiet għal benefiċċji u servizzi fis-sistema tal-assigurazzjoni tas-saħħa, jew għal finijiet ta' arkivjar fl-interess pubbliku, għal finijiet ta' riċerka xjentifika jew storika jew għal finijiet ta' statistika. Id-deroga għandha tippermetti wkoll l-ipproċessar ta' tali data personali fejn dan ikun meħtieġ għall-istabbiliment, l-eżerċizzju jew id-difiża ta' talbiet legali, kemm jekk fi proċedimenti ġudizzjarji kif ukoll jekk fi proċedura amministrattiva jew extraġudizzjarja.

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Il-kategoriji speċjali ta' data personali li jistħoqqilhom aktar protezzjoni għandhom jiġu pproċessati biss għal finijiet relatati mas-saħħa fejn ikun meħtieġ biex jinkisbu dawk il-finijiet għall-benefiċċju ta' persuni fiżiċi u s-soċjetà inġenerali, b'mod partikolari fil-kuntest tal-ġestjoni tas-servizzi tal-kura tas-saħħa jew soċjali u sistemi, li jinkludu l-ipproċessar mill-awtoritajiet tal-ġestjoni u tas-saħħa nazzjonali ċentrali ta' tali data għall-fini tal-kontroll tal-kwalità, l-informazzjoni ta' ġestjoni u s-superviżjoni ġenerali nazzjonali u lokali tas-sistema tal-kura tas-saħħa jew soċjali, u billi tiġi żgurata kontinwità tal-kura tas-saħħa jew soċjali u l-kura tas-saħħa transkonfinali jew tas-sigurtà tas-saħħa, għall-finijiet ta' monitoraġġ u twissija jew għal finijiet ta' arkivjar fl-interess pubbliku, għal finijiet ta' riċerka xjentifika jew storika jew għal finijiet ta' statistika abbażi tal-liġi tal-Unjoni jew ta' Stat Membru li għandha tilħaq objettiv ta' interess pubbliku, kif ukoll għal studji mwettqa fl-interess pubbliku fil-qasam tas-saħħa pubblika. Għalhekk dan ir-Regolament għandu jipprevedi kondizzjonijiet armonizzati għall-ipproċessar ta' kategoriji speċjali ta' data personali dwar is-saħħa, fir-rigward ta' ħtiġijiet speċifiċi, b'mod partikolari fejn l-ipproċessar ta' tali data jsir għal ċerti finijiet relatati mas-saħħa minn persuni soġġetti għal obbligu legali ta' segretezza professjonali. Il-liġi tal-Unjoni jew ta' Stat Membru għandha tipprovdi għal miżuri speċifiċi u adatti sabiex jiġu protetti d-drittijiet fundamentali u d-data personali tal-persuni fiżiċi. L-Istati Membri għandhom ikunu jistgħu jżommu jew jintroduċu aktar kondizzjonijiet, inklużi limitazzjonijiet, fir-rigward tal-ipproċessar ta' data ġenetika, data bijometrika jew data dwar is-saħħa. Madankollu, dan m'għandux ixekkel il-fluss liberu tad-data personali fl-Unjoni meta dawk il-kondizzjonijiet japplikaw għall-ipproċessar transkonfinali ta' tali data.

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

(54) L-ipproċessar ta' kategoriji speċjali ta' data personali jista' jkun meħtieġ għal raġunijiet ta' interess pubbliku fl-oqsma tas-saħħa pubblika mingħajr il-kunsens tas-suġġett tad-data. Tali pproċessar jeħtieġ li jkun soġġett għal miżuri adatti u speċifiċi sabiex jiġu protetti d-drittijiet u l-libertajiet tal-persuni fiżiċi. F'dak il-kuntest, “saħħa pubblika” għandha tiġi interpretata kif definita fir-Regolament (KE) Nru 1338/2008 tal-Parlament Ewropew u tal-Kunsill (11), jiġifieri l-elementi kollha relatati mas-saħħa, b'mod partikolari l-istat tas-saħħa, inklużi l-morbożità u d-diżabbiltà, il-fatturi determinanti li għandhom effett fuq l-istat tas-saħħa, il-bżonnijiet fil-qasam tal-kura tas-saħħa, ir-riżorsi allokati għall-kura tas-saħħa, il-forniment tal-kura tas-saħħa u l-aċċess universali għaliha, kif ukoll l-infiq u l-finanzjament tal-kura tas-saħħa, u l-kawżi ta' mortalità. Tali pproċessar ta' data dwar is-saħħa għal raġunijiet ta' interess pubbliku ma għandux jirriżulta fl-ipproċessar ta' data personali għal finijiet oħra minn partijiet terzi bħal min iħaddem, kumpanniji tal-assigurazzjoni u kumpanniji bankarji.

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council [11], namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

(11) Regolament (KE) Nru 1338/2008 tal-Parlament Ewropew u tal-Kunsill tas-16 ta' Diċembru 2008 dwar l-istatistika Komunitarja dwar is-saħħa pubblika u s-saħħa u s-sigurtà fuq ix-xogħol (ĠU L 354, 31.12.2008, p. 70). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC

[11] Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC

(55) Barra minn hekk, l-ipproċessar ta' data personali minn awtoritajiet uffiċjali bil-għan li jinkisbu l-miri, stabbiliti mil-liġi kostituzzjonali jew mil-liġi pubblika internazzjonali, ta' assoċjazzjonijiet reliġjużi rikonoxxuti uffiċjalment jitwettaq għal raġunijiet ta' interess pubbliku.

(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

(56) Fejn, matul attivitajiet elettorali, l-operat tas-sistema demokratika fi Stat Membru teħtieġ li l-partiti politiċi jikkompilaw data personali dwar l-opinjonijiet politiċi tan-nies, l-ipproċessar ta' din id-data jista' jkun permess għal raġunijiet ta' interess pubbliku, dment li jiġu stabbiliti salvagwardji adatti.

(56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

(a) is-suġġett tad-data jkun ta kunsens espliċitu għall-ipproċessar ta’ dik id-data personali għal fini speċifiku wieħed jew aktar, għajr fejn il-liġi tal-Unjoni jew il-liġi ta’ Stat Membru tipprevedi li l-projbizzjoni msemmija fil-paragrafu 1 ma tistax titneħħa mis-suġġett tad-data;

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

Kummentarju
(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 9(2)(a) GDPR:

7.2.4 Obtain and record consent

Control

The organization should obtain and record consent from PII principals according to the documented processes.

Implementation guidance

The organization should obtain and record consent from PII principals in such a way that it can provide on request details of the consent provided (for example the time that consent was provided, the identification of the PII principal, and the consent statement).

(EN) […]


to read the full text

Testi relatati

(b) l-ipproċessar ikun meħtieġ għall-finijiet tat-twettiq tal-obbligi u l-eżerċizzju ta’ drittijiet speċifiċi tal-kontrollur jew tas-suġġett tad-data fil-qasam tal-liġi dwar l-impjiegi u dwar il-protezzjoni soċjali u s-sigurtà soċjali sa fejn dan ikun awtorizzat mil-liġi tal-Unjoni jew mil-liġi ta’ Stat Membru jew minn ftehim kollettiv skont il-liġi ta’ Stat Membru li jipprevedu salvagwardji xierqa għad-drittijiet fundamentali u l-interessi tas-suġġett tad-data;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

Kummentarju
(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert

(c) l-ipproċessar ikun meħtieġ għall-protezzjoni tal-interessi vitali tas-suġġett tad-data jew ta’ persuna fiżika oħra fejn is-suġġett tad-data ma jkunx fiżikament jew legalment kapaċi li jagħti l-kunsens;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

Kummentarju
(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert

(d) l-ipproċessar isir waqt l-attivitajiet leġittimi tiegħu b’salvagwardji adatti minn fondazzjoni, assoċjazzjoni jew kwalunkwe korp ieħor mingħajr skop ta’ qligħ b’għan politiku, filosofiku, reliġjuż jew ta’ trade union u bil-kondizzjoni li l-ipproċessar ikun relatat biss mal-membri jew ex membri tal-korp jew ma’ persuni li għandhom kuntatt regolari miegħu b’rabta mal-finijiet tiegħu u li d-data personali ma tkunx żvelata barra dak il-korp mingħajr il-kunsens tas-suġġetti tad-data;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

Kummentarju
(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert

(e) l-ipproċessar ikun relatat ma’ data personali li b’mod ċar tkun saret pubblika mis-suġġett tad-data;

(e) processing relates to personal data which are manifestly made public by the data subject;

Kummentarju

(EN) The European legislator introduced an exception – for special categories of personal data which are manifestly made public by a person – that seems completely logical at first glance. If a person willingly shares her/his data, it sounds reasonable to allow the processing of these data by third parties. On second thought, many questions come to mind. What does “manifestly” mean? When are data “public”? How to determine if a person intended to make her/his data public?

The exception does not concern all special categories of data publicly available. It applies strictly to data that an individual personally disclosed. It must be a publication that results from a clear and voluntary decision from an individual to disclose information about her/him. It should not be an accidental, inadvertent, involuntary or unintentional disclosure. It should be the result of a free and deliberate decision. The individual must be fully conscious that s/he made her/his data public. Thus, it excludes leaked data, data accessible after a security breach or data shared unintentionally or by inadvertence…

(EN) […]


to read the full text

(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert
Linji ta 'Gwida & Ġurisprudenza

(f) l-ipproċessar ikun meħtieġ għall-istabbiliment, l-eżerċizzju jew id-difiża ta’ talbiet legali jew kull darba li l-qrati jkunu qed jaġixxu fil-kapaċità ġudizzjarja tagħhom;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

Kummentarju
(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert

(g) l-ipproċessar ikun meħtieġ għal raġunijiet ta’ interess pubbliku sostanzjali, fuq il-bażi tal-liġi tal-Unjoni jew ta’ Stat Membru, li għandha tkun proporzjonata mal-għan segwit, tirrispetta l-essenza tad-dritt għall-protezzjoni tad-data u tipprevedi miżuri xierqa u speċifiċi sabiex tissalvagwardja d-drittijiet fundamentali u l-interessi tas-suġġett tad-data;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

Kummentarju
(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert

(h) l-ipproċessar ikun meħtieġ għall-finijiet ta’ mediċina preventiva jew okkupazzjonali, għall-valutazzjoni tal-kapaċità ta’ ħaddiem għax-xogħol, dijanjosi medika, il-forniment ta’ kura tas-saħħa jew soċjali jew it-trattament jew il-ġestjoni ta’ sistemi u servizzi tal-kura tas-saħħa u soċjali abbażi tal-liġi tal-Unjoni jew tal-liġi ta’ Stat Membru jew skont kuntratt ma’ professjonista fil-kura medika u soġġett għall-kondizzjonijiet u s-salvagwardji msemmija fil-paragrafu 3;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

Kummentarju
(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert
Linji ta 'Gwida & Ġurisprudenza

(i) l-ipproċessar ikun meħtieġ għal raġunijiet ta’ interess pubbliku fil-qasam tas-saħħa pubblika, bħall-protezzjoni kontra theddid transkonfinali serju għas-saħħa jew biex jiġu żgurati standards għoljin ta’ kwalità u sikurezza tal-kura tas-saħħa u ta’ prodotti mediċinali jew apparat mediku, fuq il-bażi tal-liġi tal-Unjoni, jew tal-liġi ta’ Stat Membru li tipprevedi miżuri adatti u speċifiċi sabiex jiġu protetti d-drittijiet u l-libertajiet tas-suġġett tad-data, b’mod partikulari s-segretezza professjonali;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

Kummentarju
(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert
Linji ta 'Gwida & Ġurisprudenza

(j) l-ipproċessar ikun meħtieġ għal finijiet ta’ arkivjar fl-interess pubbliku, għal finijiet ta’ riċerka xjentifika jew storika jew għal finijiet ta’ statistika f’konformità mal-Artikolu 89(1) fuq il-bażi tal-liġi tal-Unjoni jew ta’ Stat Membru, li għandha tkun proporzjonata mal-għan segwit, tirrispetta l-essenza tad-dritt għall-protezzjoni tad-data u tipprevedi miżuri xierqa u speċifiċi sabiex tissalvagwardja d-drittijiet fundamentali u l-interessi tas-suġġett tad-data.

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Kummentarju
(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert
Linji ta 'Gwida & Ġurisprudenza Testi relatati

3. Id-data personali msemmija fil-paragrafu 1 tista’ tiġi pproċessata għall-finijiet imsemmija fil-punt (h) tal-paragrafu 2 meta dik id-data tiġi pproċessata minn professjonista jew taħt ir-responsabbiltà tiegħu li jkun soġġett għall-obbligu ta’ segretezza professjonali skont il-liġi tal-Unjoni jew ta’ Stat Membru jew regoli stabbiliti minn korpi kompetenti nazzjonali jew minn persuna oħra li tkun ukoll soġġetta għal obbligu ta’ segretezza skont il-liġi tal-Unjoni jew ta’ Stat Membru jew ir-regoli stabbiliti minn korpi kompetenti nazzjonali.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. L-Istati Membri jistgħu jżommu jew jintroduċu aktar kondizzjonijiet, inklużi limitazzjonijiet, fir-rigward tal-ipproċessar ta’ data ġenetika, data bijometrika jew data dwar is-saħħa.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Kummentarju ISO 27701 Premessi Linji ta 'Gwida & Ġurisprudenza Ħalli kumment
Kummentarju

(EN) Some personal data, because of their sensitive nature, belong to special categories in the General Data Protection Regulation. Processing data mentioned in one of these eight (8) categories poses indeed “significant risks to the fundamental rights and freedoms” of an individual (recital 51). Risks vary depending on the type of data involved. Paragraph one of article 9 enumerates all types of data covered, but they are not readily intelligible. A visual list, broken down into eight points, helps to clarify the scope of the provision and what data are considered “special” by the European regulation:

  1. data disclosing racial or ethnic origin;
  2. data divulging political opinions;
  3. data revealing religious or philosophical beliefs;
  4. data about trade union membership;
  5. genetic data;
  6. biometric data used to identify a person;
  7. data concerning health; and
  8. data relating to a person’s sex life or sexual orientation.

The list must be considered exhaustive as exceptions must be interpreted strictly, so it means that no other exception can be admitted by the Court of Justice of the European Union or by Member States’ legislation. Personal data relating to criminal convictions and offences are not mentioned in this list because they fall under a different legal regime (article 10).

The “special categories of personal data” are treated distinctively mainly to protect individuals from discrimination (recital 71). Their processing might also lead to physical, material or non-material damage, including identity theft, fraud, harm to one’s reputation or breach of professional secrecy (recital 75).

Racial or ethnic origin related data include names, places of birth, native languages, and even extend to the names of an individual’s parents. They are considered sensitive because they may reveal a person’s origin or her/his ethnicity.

Political opinions can be inferred from activities revealing an individual’s political inclination, like membership in a political party, petitions s/he signed or events, meetings or protests s/he attempted. They include information reflecting ideas s/he supports as well as the ones s/he rejects or opposes to.

Data revealing an individual’s practice of a religion or interest in it – like attempting church, buying religious books, participating in religious-related events or demonstrations – may give a glue to a person’s religious affiliation or her/his absence of religious conviction. It is more difficult to determine what philosophical beliefs are. An example taken from an English case law indicates that it is essentially a genuinely held belief that concerns a substantial aspect of human life and behaviour and it is worthy of respect in a democratic society (Grainger Plc v. Nicholson).

The special protection granted to trade union membership information is based on the logic of fundamental rights in the labor environment. It protects individuals from discrimination at work, as a potential consequence of their union activities, and preserves their collective bargaining power among other rights.

Analysis of biological samples provides information about a person’s “inherited or acquired genetic characteristics” [recital 34 and article 4 (13)]. The resulting genetic data may give information about a person’s origin, ethnicity, physiology or health, as some health problems find their cause in abnormalities in the human genome.

Biometric data are information obtained from different measurements of a person’s “physical, physiological or behavioural characteristics” [article 4 (14)]. They serve to uniquely identify an individual, like fingerprints, iris patterns, facial attributes or voice modulation. A photograph is not always classified as biometric data, it is only considered so when its processing reveals characteristics allowing a person to be uniquely identified (recital 51).

(EN) […]


to read the full text

(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 9 GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

(EN) […]


to read the full text

Premessi

(51) Data personali, li min-natura tagħha, tkun partikolarment sensittiva fir-rigward tad-drittijiet u l-libertajiet fundamentali jistħoqqilha protezzjoni speċifika billi l-kuntest tal-ipproċessar tagħha jista' joħloq riskji sinifikanti għad-drittijiet u l-libertajiet fundamentali. Dik id-data personali għandha tinkludi data personali li tiżvela l-oriġini razzjali jew etnika, fejn l-użu tat-terminu “oriġini razzjali” f'dan ir-Regolament ma jimplikax li l-Unjoni taċċetta teoriji li jippruvaw jiddeterminaw l-eżistenza ta' razez umani separati. L-ipproċessar ta' ritratti m'għandhux sistematikament jitqies bħala pproċessar ta' kategoriji speċjali ta' data personali peress li dawn ikunu koperti bid-definizzjoni ta' data bijometrika biss meta jiġu pproċessati b'mezz tekniku speċifiku li jippermetti l-identifikazzjoni unika jew l-awtentikazzjoni ta' persuna fiżika. Tali data personali ma għandhiex tiġi pproċessata, għajr jekk l-ipproċessar ikun permess f'każijiet speċifiċi stabbiliti f'dan ir-Regolament, b'kont meħud li l-liġi tal-Istati Membri tista' tistabbilixxi dispożizzjonijiet speċifiċi dwar il-protezzjoni ta' data sabiex tadatta l-applikazzjoni tar-regoli ta' dan ir-Regolament għal konformità ma' obbligu legali jew għall-prestazzjoni ta' kompitu mwettaq fl-interess pubbliku jew fl-eżerċizzju ta' awtorità uffiċjali mogħtija lill-kontrollur. Minbarra r-rekwiżiti speċifiċi għal dan l-ipproċessar, il-prinċipji ġenerali u regoli oħra ta' dan ir-Regolament għandhom japplikaw, b'mod partikolari fir-rigward tal-kondizzjonijiet għal ipproċessar legali. Id-derogi mill-projbizzjoni ġenerali għall-ipproċessar ta' tali kategoriji speċjali ta' data personali għandhom jiġu previsti b'mod espliċitu, fost oħrajn fejn is-suġġett tad-data jagħti l-kunsens espliċitu tiegħu jew tagħha jew fir-rigward ta' ħtiġijiet speċifiċi b'mod partikolari fejn l-ipproċessar isir waqt attivitajiet leġittimi minn ċerti assoċjazzjonijiet jew fondazzjonijiet li l-għan tagħhom huwa li jippermettu l-eżerċizzju ta' libertajiet fundamentali.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

(52) Id-deroga mill-projbizzjoni dwar l-ipproċessar ta' kategoriji speċjali ta' data personali għandha tkun permessa wkoll meta tkun prevista fil-liġi tal-Unjoni jew ta' Stat Membru u soġġett għal salvagwardji adatti, sabiex jiġu protetti d-data personali u drittijiet fundamentali oħra, fejn ikun fl-interess pubbliku li jsir hekk, b'mod partikolari l-ipproċessar ta' data personali fil-qasam tal-liġi tal-impjiegi, il-liġi tal-protezzjoni soċjali, inkluż il-pensjonijiet u għas-sigurtà tas-saħħa, għal finijiet ta' monitoraġġ u twissija, prevenzjoni u kontroll ta' mard li jittieħed u ta' theddid serju ieħor għas-saħħa. Tali deroga tista' ssir għal finijiet ta' saħħa, inkluża s-saħħa pubblika u l-ġestjoni tas-servizzi tal-kura tas-saħħa, speċjalment sabiex tkun żgurata l-kwalità u l-kosteffettività tal-proċeduri użati għat-tpaċija ta' talbiet għal benefiċċji u servizzi fis-sistema tal-assigurazzjoni tas-saħħa, jew għal finijiet ta' arkivjar fl-interess pubbliku, għal finijiet ta' riċerka xjentifika jew storika jew għal finijiet ta' statistika. Id-deroga għandha tippermetti wkoll l-ipproċessar ta' tali data personali fejn dan ikun meħtieġ għall-istabbiliment, l-eżerċizzju jew id-difiża ta' talbiet legali, kemm jekk fi proċedimenti ġudizzjarji kif ukoll jekk fi proċedura amministrattiva jew extraġudizzjarja.

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Il-kategoriji speċjali ta' data personali li jistħoqqilhom aktar protezzjoni għandhom jiġu pproċessati biss għal finijiet relatati mas-saħħa fejn ikun meħtieġ biex jinkisbu dawk il-finijiet għall-benefiċċju ta' persuni fiżiċi u s-soċjetà inġenerali, b'mod partikolari fil-kuntest tal-ġestjoni tas-servizzi tal-kura tas-saħħa jew soċjali u sistemi, li jinkludu l-ipproċessar mill-awtoritajiet tal-ġestjoni u tas-saħħa nazzjonali ċentrali ta' tali data għall-fini tal-kontroll tal-kwalità, l-informazzjoni ta' ġestjoni u s-superviżjoni ġenerali nazzjonali u lokali tas-sistema tal-kura tas-saħħa jew soċjali, u billi tiġi żgurata kontinwità tal-kura tas-saħħa jew soċjali u l-kura tas-saħħa transkonfinali jew tas-sigurtà tas-saħħa, għall-finijiet ta' monitoraġġ u twissija jew għal finijiet ta' arkivjar fl-interess pubbliku, għal finijiet ta' riċerka xjentifika jew storika jew għal finijiet ta' statistika abbażi tal-liġi tal-Unjoni jew ta' Stat Membru li għandha tilħaq objettiv ta' interess pubbliku, kif ukoll għal studji mwettqa fl-interess pubbliku fil-qasam tas-saħħa pubblika. Għalhekk dan ir-Regolament għandu jipprevedi kondizzjonijiet armonizzati għall-ipproċessar ta' kategoriji speċjali ta' data personali dwar is-saħħa, fir-rigward ta' ħtiġijiet speċifiċi, b'mod partikolari fejn l-ipproċessar ta' tali data jsir għal ċerti finijiet relatati mas-saħħa minn persuni soġġetti għal obbligu legali ta' segretezza professjonali. Il-liġi tal-Unjoni jew ta' Stat Membru għandha tipprovdi għal miżuri speċifiċi u adatti sabiex jiġu protetti d-drittijiet fundamentali u d-data personali tal-persuni fiżiċi. L-Istati Membri għandhom ikunu jistgħu jżommu jew jintroduċu aktar kondizzjonijiet, inklużi limitazzjonijiet, fir-rigward tal-ipproċessar ta' data ġenetika, data bijometrika jew data dwar is-saħħa. Madankollu, dan m'għandux ixekkel il-fluss liberu tad-data personali fl-Unjoni meta dawk il-kondizzjonijiet japplikaw għall-ipproċessar transkonfinali ta' tali data.

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

(54) L-ipproċessar ta' kategoriji speċjali ta' data personali jista' jkun meħtieġ għal raġunijiet ta' interess pubbliku fl-oqsma tas-saħħa pubblika mingħajr il-kunsens tas-suġġett tad-data. Tali pproċessar jeħtieġ li jkun soġġett għal miżuri adatti u speċifiċi sabiex jiġu protetti d-drittijiet u l-libertajiet tal-persuni fiżiċi. F'dak il-kuntest, “saħħa pubblika” għandha tiġi interpretata kif definita fir-Regolament (KE) Nru 1338/2008 tal-Parlament Ewropew u tal-Kunsill (11), jiġifieri l-elementi kollha relatati mas-saħħa, b'mod partikolari l-istat tas-saħħa, inklużi l-morbożità u d-diżabbiltà, il-fatturi determinanti li għandhom effett fuq l-istat tas-saħħa, il-bżonnijiet fil-qasam tal-kura tas-saħħa, ir-riżorsi allokati għall-kura tas-saħħa, il-forniment tal-kura tas-saħħa u l-aċċess universali għaliha, kif ukoll l-infiq u l-finanzjament tal-kura tas-saħħa, u l-kawżi ta' mortalità. Tali pproċessar ta' data dwar is-saħħa għal raġunijiet ta' interess pubbliku ma għandux jirriżulta fl-ipproċessar ta' data personali għal finijiet oħra minn partijiet terzi bħal min iħaddem, kumpanniji tal-assigurazzjoni u kumpanniji bankarji.

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council [11], namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

(11) Regolament (KE) Nru 1338/2008 tal-Parlament Ewropew u tal-Kunsill tas-16 ta' Diċembru 2008 dwar l-istatistika Komunitarja dwar is-saħħa pubblika u s-saħħa u s-sigurtà fuq ix-xogħol (ĠU L 354, 31.12.2008, p. 70). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC

[11] Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC

(55) Barra minn hekk, l-ipproċessar ta' data personali minn awtoritajiet uffiċjali bil-għan li jinkisbu l-miri, stabbiliti mil-liġi kostituzzjonali jew mil-liġi pubblika internazzjonali, ta' assoċjazzjonijiet reliġjużi rikonoxxuti uffiċjalment jitwettaq għal raġunijiet ta' interess pubbliku.

(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

(56) Fejn, matul attivitajiet elettorali, l-operat tas-sistema demokratika fi Stat Membru teħtieġ li l-partiti politiċi jikkompilaw data personali dwar l-opinjonijiet politiċi tan-nies, l-ipproċessar ta' din id-data jista' jkun permess għal raġunijiet ta' interess pubbliku, dment li jiġu stabbiliti salvagwardji adatti.

(56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

Linji ta 'Gwida & Ġurisprudenza Ħalli kumment
[js-disqus]