(51) Data personali, li min-natura tagħha, tkun partikolarment sensittiva fir-rigward tad-drittijiet u l-libertajiet fundamentali jistħoqqilha protezzjoni speċifika billi l-kuntest tal-ipproċessar tagħha jista' joħloq riskji sinifikanti għad-drittijiet u l-libertajiet fundamentali. Dik id-data personali għandha tinkludi data personali li tiżvela l-oriġini razzjali jew etnika, fejn l-użu tat-terminu “oriġini razzjali” f'dan ir-Regolament ma jimplikax li l-Unjoni taċċetta teoriji li jippruvaw jiddeterminaw l-eżistenza ta' razez umani separati. L-ipproċessar ta' ritratti m'għandhux sistematikament jitqies bħala pproċessar ta' kategoriji speċjali ta' data personali peress li dawn ikunu koperti bid-definizzjoni ta' data bijometrika biss meta jiġu pproċessati b'mezz tekniku speċifiku li jippermetti l-identifikazzjoni unika jew l-awtentikazzjoni ta' persuna fiżika. Tali data personali ma għandhiex tiġi pproċessata, għajr jekk l-ipproċessar ikun permess f'każijiet speċifiċi stabbiliti f'dan ir-Regolament, b'kont meħud li l-liġi tal-Istati Membri tista' tistabbilixxi dispożizzjonijiet speċifiċi dwar il-protezzjoni ta' data sabiex tadatta l-applikazzjoni tar-regoli ta' dan ir-Regolament għal konformità ma' obbligu legali jew għall-prestazzjoni ta' kompitu mwettaq fl-interess pubbliku jew fl-eżerċizzju ta' awtorità uffiċjali mogħtija lill-kontrollur. Minbarra r-rekwiżiti speċifiċi għal dan l-ipproċessar, il-prinċipji ġenerali u regoli oħra ta' dan ir-Regolament għandhom japplikaw, b'mod partikolari fir-rigward tal-kondizzjonijiet għal ipproċessar legali. Id-derogi mill-projbizzjoni ġenerali għall-ipproċessar ta' tali kategoriji speċjali ta' data personali għandhom jiġu previsti b'mod espliċitu, fost oħrajn fejn is-suġġett tad-data jagħti l-kunsens espliċitu tiegħu jew tagħha jew fir-rigward ta' ħtiġijiet speċifiċi b'mod partikolari fejn l-ipproċessar isir waqt attivitajiet leġittimi minn ċerti assoċjazzjonijiet jew fondazzjonijiet li l-għan tagħhom huwa li jippermettu l-eżerċizzju ta' libertajiet fundamentali.
(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
(52) Id-deroga mill-projbizzjoni dwar l-ipproċessar ta' kategoriji speċjali ta' data personali għandha tkun permessa wkoll meta tkun prevista fil-liġi tal-Unjoni jew ta' Stat Membru u soġġett għal salvagwardji adatti, sabiex jiġu protetti d-data personali u drittijiet fundamentali oħra, fejn ikun fl-interess pubbliku li jsir hekk, b'mod partikolari l-ipproċessar ta' data personali fil-qasam tal-liġi tal-impjiegi, il-liġi tal-protezzjoni soċjali, inkluż il-pensjonijiet u għas-sigurtà tas-saħħa, għal finijiet ta' monitoraġġ u twissija, prevenzjoni u kontroll ta' mard li jittieħed u ta' theddid serju ieħor għas-saħħa. Tali deroga tista' ssir għal finijiet ta' saħħa, inkluża s-saħħa pubblika u l-ġestjoni tas-servizzi tal-kura tas-saħħa, speċjalment sabiex tkun żgurata l-kwalità u l-kosteffettività tal-proċeduri użati għat-tpaċija ta' talbiet għal benefiċċji u servizzi fis-sistema tal-assigurazzjoni tas-saħħa, jew għal finijiet ta' arkivjar fl-interess pubbliku, għal finijiet ta' riċerka xjentifika jew storika jew għal finijiet ta' statistika. Id-deroga għandha tippermetti wkoll l-ipproċessar ta' tali data personali fejn dan ikun meħtieġ għall-istabbiliment, l-eżerċizzju jew id-difiża ta' talbiet legali, kemm jekk fi proċedimenti ġudizzjarji kif ukoll jekk fi proċedura amministrattiva jew extraġudizzjarja.
(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
(53) Il-kategoriji speċjali ta' data personali li jistħoqqilhom aktar protezzjoni għandhom jiġu pproċessati biss għal finijiet relatati mas-saħħa fejn ikun meħtieġ biex jinkisbu dawk il-finijiet għall-benefiċċju ta' persuni fiżiċi u s-soċjetà inġenerali, b'mod partikolari fil-kuntest tal-ġestjoni tas-servizzi tal-kura tas-saħħa jew soċjali u sistemi, li jinkludu l-ipproċessar mill-awtoritajiet tal-ġestjoni u tas-saħħa nazzjonali ċentrali ta' tali data għall-fini tal-kontroll tal-kwalità, l-informazzjoni ta' ġestjoni u s-superviżjoni ġenerali nazzjonali u lokali tas-sistema tal-kura tas-saħħa jew soċjali, u billi tiġi żgurata kontinwità tal-kura tas-saħħa jew soċjali u l-kura tas-saħħa transkonfinali jew tas-sigurtà tas-saħħa, għall-finijiet ta' monitoraġġ u twissija jew għal finijiet ta' arkivjar fl-interess pubbliku, għal finijiet ta' riċerka xjentifika jew storika jew għal finijiet ta' statistika abbażi tal-liġi tal-Unjoni jew ta' Stat Membru li għandha tilħaq objettiv ta' interess pubbliku, kif ukoll għal studji mwettqa fl-interess pubbliku fil-qasam tas-saħħa pubblika. Għalhekk dan ir-Regolament għandu jipprevedi kondizzjonijiet armonizzati għall-ipproċessar ta' kategoriji speċjali ta' data personali dwar is-saħħa, fir-rigward ta' ħtiġijiet speċifiċi, b'mod partikolari fejn l-ipproċessar ta' tali data jsir għal ċerti finijiet relatati mas-saħħa minn persuni soġġetti għal obbligu legali ta' segretezza professjonali. Il-liġi tal-Unjoni jew ta' Stat Membru għandha tipprovdi għal miżuri speċifiċi u adatti sabiex jiġu protetti d-drittijiet fundamentali u d-data personali tal-persuni fiżiċi. L-Istati Membri għandhom ikunu jistgħu jżommu jew jintroduċu aktar kondizzjonijiet, inklużi limitazzjonijiet, fir-rigward tal-ipproċessar ta' data ġenetika, data bijometrika jew data dwar is-saħħa. Madankollu, dan m'għandux ixekkel il-fluss liberu tad-data personali fl-Unjoni meta dawk il-kondizzjonijiet japplikaw għall-ipproċessar transkonfinali ta' tali data.
(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.
(54) L-ipproċessar ta' kategoriji speċjali ta' data personali jista' jkun meħtieġ għal raġunijiet ta' interess pubbliku fl-oqsma tas-saħħa pubblika mingħajr il-kunsens tas-suġġett tad-data. Tali pproċessar jeħtieġ li jkun soġġett għal miżuri adatti u speċifiċi sabiex jiġu protetti d-drittijiet u l-libertajiet tal-persuni fiżiċi. F'dak il-kuntest, “saħħa pubblika” għandha tiġi interpretata kif definita fir-Regolament (KE) Nru 1338/2008 tal-Parlament Ewropew u tal-Kunsill (11), jiġifieri l-elementi kollha relatati mas-saħħa, b'mod partikolari l-istat tas-saħħa, inklużi l-morbożità u d-diżabbiltà, il-fatturi determinanti li għandhom effett fuq l-istat tas-saħħa, il-bżonnijiet fil-qasam tal-kura tas-saħħa, ir-riżorsi allokati għall-kura tas-saħħa, il-forniment tal-kura tas-saħħa u l-aċċess universali għaliha, kif ukoll l-infiq u l-finanzjament tal-kura tas-saħħa, u l-kawżi ta' mortalità. Tali pproċessar ta' data dwar is-saħħa għal raġunijiet ta' interess pubbliku ma għandux jirriżulta fl-ipproċessar ta' data personali għal finijiet oħra minn partijiet terzi bħal min iħaddem, kumpanniji tal-assigurazzjoni u kumpanniji bankarji.
(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council [11], namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.
(55) Barra minn hekk, l-ipproċessar ta' data personali minn awtoritajiet uffiċjali bil-għan li jinkisbu l-miri, stabbiliti mil-liġi kostituzzjonali jew mil-liġi pubblika internazzjonali, ta' assoċjazzjonijiet reliġjużi rikonoxxuti uffiċjalment jitwettaq għal raġunijiet ta' interess pubbliku.
(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.
(56) Fejn, matul attivitajiet elettorali, l-operat tas-sistema demokratika fi Stat Membru teħtieġ li l-partiti politiċi jikkompilaw data personali dwar l-opinjonijiet politiċi tan-nies, l-ipproċessar ta' din id-data jista' jkun permess għal raġunijiet ta' interess pubbliku, dment li jiġu stabbiliti salvagwardji adatti.
(56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.
(EN) The first exception is based on “explicit consent”. Article 9 consent differs from the general notion of consent of article 6 in one important aspect: it must be explicitly provided by the person concerned. It means that the consent must be freely given, specific, informed, and unambiguous, under the definition of article 4 (11), and, in addition to these requirements, it must be “explicit”.
What form of consent is considered “explicit” and thus valid under article 9? The sensitive nature of the data involved entails a consent that goes beyond the regular “statement or clear affirmative action” [article 4 (11)] on the part of the data subject. It means that s/he must give “an express statement of consent” (Guidelines on Consent), even in the case where services are provided on a contractual basis. An explicit consent is needed because there is no contract based exceptions in article 9 (2) a controller can rely on.
The Guidelines on Consent suggest that a written statement or even a signed written statement may be required, even though the GDPR does not prescribe such a form of consent. A signed consent may be relevant if health data are collected, for example, in the context of services offered by a private clinic or a convalescent home. A plastic surgeon may need to gather information about a client’s health condition or share medical information to seek a second opinion from one of her/his colleagues. The managers of a convalescent home will have to gather information about a future pensionary’s health condition to arrange the appropriate services needed during her/his stay.
A signed written statement is not as practical in the digital or online environment. How can a person consent if, for example, s/he buys a plane ticket online and requires special medical assistance at boarding time, during the flight or at her/his arrival at destination? A valid consent will also be difficult to obtain if a person places an online order for buying special eyewear as the seller has to collect health-related information about her/his vision and share it with the manufacturer.
Simply following a link or ticking a box might be regarded as an insufficient consent in these examples. The Guidelines on Consent recommend other forms of consent, like filling in an electronic form, using an electronic signature, recording an oral statement or proceeding with a two-step verification (ticking a box in a form and confirming the consent by email afterward, for example).
Article 9 prescribes that a person must consent “for one or more specified purposes”. The requirement goes beyond the “specific” quality of consent required by article 4 (11). Purposes must be clearly specified, which implies that the consent must be tied to specific data or precise categories of data that the controller will be allowed to process.
You must always remember that the GDPR is not a complete statement on the state of the law on data protection in a particular Member State, and it is particularly true here because there is an exception to the exception. Consent is an invalid basis to process special categories of personal data if a Member State prohibits the lifting of the prohibition for processing special categories of personal data by an individual in its national legislation, as the GDPR allows it.