Documents
Article 29 Working Party, Opinion 2/2012 on Facial Recognition in Online and Mobile Services (2012).
Article 29 Working Party, Opinion 3/2012 on Developments in Biometric Technologies (2012).
EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).
EDPB, Guidelines 8/2020 on the targeting of social media users (2020):
If a social media provider or a targeter uses observed data to categorise users as having certain religious, philosophical or political beliefs-regardless of whether the categorization is correct/true or not-this categorisation of the user must obviously be seen as processing of special category of personal data in this context. As long as the categorisation enables targeting based on special category data, it does not matter how the category is labelled.
EDPB, Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (2020).
Financial transactions can reveal sensitive information about individual data subject, including those related to special categories of personal data. For example, political opinions and religious beliefs may be revealed by donations made to political parties or organisations, churches or parishes. Trade union membership may be revealed by the deduction of an annual membership fee from a person’s bank account. Personal data concerning health may be gathered from analysing medical bills paid by a data subject. Finally, information on certain purchases may reveal information concerning a person’s sex life or sexual orientation.
Moreover, through the sum of financial transactions, different kinds of behavioural patterns could be revealed, including special categories of personal data and additional services that are facilitated by account information services might rely on profiling as defined by article 4 (4) of the GDPR. Therefore, the chances are considerable that a service provider processing information on financial transactions of data subjects also processes special categories of personal data.
(51) Персональные данные, которые по своей природе особенно чувствительны к фундаментальным правам и свободам, заслуживают особой защиты, поскольку контекст их обработки может создать значительные риски для фундаментальных прав и свобод. Такие персональные данные должны включать информацию, раскрывающую расовое и этническое происхождение, при этом использование термина «расовое происхождение» в настоящем Регламенте не означает, что Союз поддерживает подходы, которые пытаются установить существование отдельных человеческих рас. Обработка фотографий не должна систематически считаться обработкой особых категорий персональных данных, так как они охвачены определением понятия «биометрические данные» только, когда они обрабатываются посредством специальных технических средств, позволяющих осуществить уникальную идентификацию или аутентичность физического лица. Такие персональные данные не должны обрабатываться за исключением случаев, предусмотренных настоящим Регламентом, когда такая обработка разрешена. Следует принять во внимание, что государства-члены могут в соответствии со своим правом установить конкретные положения о защите персональных данных, чтобы адаптировать нормы Регламента в отношении соблюдения правовых обязательств или выполнения задач, осуществляемых в общественных интересах или в рамках должностных полномочий, возложенных на контролёра. В дополнение к конкретным требованиям для указанной обработки должны применяться общие принципы и иные положения настоящего Регламента, в том числе, относительно условий правомерности обработки. Изъятия из общего запрета на обработку таких особых категорий персональных данных должны быть чётко предусмотрены, в том числе когда субъект данных даёт своё явное согласие или в отношении конкретных потребностей, в частности, когда обработка осуществляется в ходе правомерной деятельность конкретных ассоциаций или фондов, целью которых является обеспечение осуществления фундаментальных свобод.
The first exception is based on “explicit consent”. Article 9 consent differs from the general notion of consent of article 6 in one important aspect: it must be explicitly provided by the person concerned. It means that the consent must be freely given, specific, informed, and unambiguous, under the definition of article 4 (11), and, in addition to these requirements, it must be “explicit”.
What form of consent is considered “explicit” and thus valid under article 9? The sensitive nature of the data involved entails a consent that goes beyond the regular “statement or clear affirmative action” [article 4 (11)] on the part of the data subject. It means that s/he must give “an express statement of consent” (Guidelines on Consent), even in the case where services are provided on a contractual basis. An explicit consent is needed because there is no contract based exceptions in article 9 (2) a controller can rely on.
The Guidelines on Consent suggest that a written statement or even a signed written statement may be required, even though the GDPR does not prescribe such a form of consent. A signed consent may be relevant if health data are collected, for example, in the context of services offered by a private clinic or a convalescent home. A plastic surgeon may need to gather information about a client’s health condition or share medical information to seek a second opinion from one of her/his colleagues. The managers of a convalescent home will have to gather information about a future pensionary’s health condition to arrange the appropriate services needed during her/his stay.
A signed written statement is not as practical in the digital or online environment. How can a person consent if, for example, s/he buys a plane ticket online and requires special medical assistance at boarding time, during the flight or at her/his arrival at destination? A valid consent will also be difficult to obtain if a person places an online order for buying special eyewear as the seller has to collect health-related information about her/his vision and share it with the manufacturer.
Simply following a link or ticking a box might be regarded as an insufficient consent in these examples. The Guidelines on Consent recommend other forms of consent, like filling in an electronic form, using an electronic signature, recording an oral statement or proceeding with a two-step verification (ticking a box in a form and confirming the consent by email afterward, for example).
Article 9 prescribes that a person must consent “for one or more specified purposes”. The requirement goes beyond the “specific” quality of consent required by article 4 (11). Purposes must be clearly specified, which implies that the consent must be tied to specific data or precise categories of data that the controller will be allowed to process.
You must always remember that the GDPR is not a complete statement on the state of the law on data protection in a particular Member State, and it is particularly true here because there is an exception to the exception. Consent is an invalid basis to process special categories of personal data if a Member State prohibits the lifting of the prohibition for processing special categories of personal data by an individual in its national legislation, as the GDPR allows it.