The first exception is based on “explicit consent”. Article 9 consent differs from the general notion of consent of article 6 in one important aspect: it must be explicitly provided by the person concerned. It means that the consent must be freely given, specific, informed, and unambiguous, under the definition of article 4 (11), and, in addition to these requirements, it must be “explicit”.

What form of consent is considered “explicit” and thus valid under article 9? The sensitive nature of the data involved entails a consent that goes beyond the regular “statement or clear affirmative action” [article 4 (11)] on the part of the data subject. It means that s/he must give “an express statement of consent” (Guidelines on Consent), even in the case where services are provided on a contractual basis. An explicit consent is needed because there is no contract based exceptions in article 9 (2) a controller can rely on.

The Guidelines on Consent suggest that a written statement or even a signed written statement may be required, even though the GDPR does not prescribe such a form of consent. A signed consent may be relevant if health data are collected, for example, in the context of services offered by a private clinic or a convalescent home. A plastic surgeon may need to gather information about a client’s health condition or share medical information to seek a second opinion from one of her/his colleagues. The managers of a convalescent home will have to gather information about a future pensionary’s health condition to arrange the appropriate services needed during her/his stay.

A signed written statement is not as practical in the digital or online environment. How can a person consent if, for example, s/he buys a plane ticket online and requires special medical assistance at boarding time, during the flight or at her/his arrival at destination? A valid consent will also be difficult to obtain if a person places an online order for buying special eyewear as the seller has to collect health-related information about her/his vision and share it with the manufacturer.

Simply following a link or ticking a box might be regarded as an insufficient consent in these examples. The Guidelines on Consent recommend other forms of consent, like filling in an electronic form, using an electronic signature, recording an oral statement or proceeding with a two-step verification (ticking a box in a form and confirming the consent by email afterward, for example).

Article 9 prescribes that a person must consent “for one or more specified purposes”. The requirement goes beyond the “specific” quality of consent required by article 4 (11). Purposes must be clearly specified, which implies that the consent must be tied to specific data or precise categories of data that the controller will be allowed to process.

You must always remember that the GDPR is not a complete statement on the state of the law on data protection in a particular Member State, and it is particularly true here because there is an exception to the exception. Consent is an invalid basis to process special categories of personal data if a Member State prohibits the lifting of the prohibition for processing special categories of personal data by an individual in its national legislation, as the GDPR allows it.

Processing of special categories of personal data in the field of employment, social security, and social protection law is possible only if it is “necessary” (read about the necessity and proportionality principles in the general commentary below) and it satisfies two other conditions:

• it is authorised by the European Union or Member State law or a collective agreement; and
• there are appropriate safeguards in place to protect the fundamental rights and interests of individuals.

The European regulation essentially refers to the legislation of the Member States to acknowledge the existence of exceptions and verify if individuals’ fundamental rights are preserved. Therefore, there are no general rules applicable to the entire Union and the exception can only be understood on a State by State basis. The controller has to invoke a specific legal provision authorizing the processing of personal data in the context of employment, social security or social protection law.

Member States may allow employers to collect personal data in order to provide health insurance policies to their employees, maintain records of sick, maternity or paternity leaves, deduct union dues from payslips or provide special working conditions or environment to persons with disabilities. They can also authorize insurers, for example, to process health data for paying accidents or invalidity indemnities to employees.

According to article 9 2) (c), processing of special categories of personal data is allowed if it is “necessary” (read about the necessity and proportionality principles in the general commentary below) to protect a person’s vital interests or third parties’ ones. The vital interests exception is similar to article 6 1) (d) lawful basis to process data except that it applies only if you cannot obtain a person’s consent.

The scope of the exception is limited as it concerns only the protection of a “vital interest” of a person, that is to say, “an interest which is essential for [her/his] life” (recital 46). It includes threats to the physical integrity or life of a person or a third person. In other words, it must be a matter of life and death even though recital 46 seems to widen the scope of the exception. It suggests that it may also apply to humanitarian situations such as monitoring epidemics or providing relief for natural or man-made disasters.

The second condition limits drastically the scope of the vital interests exception: it may be invoked only if the individual is physically or legally incapable of giving consent. It can be the case if a person is unconscious, for example, or is unable to consent because of her/his legal status, like a minor or an adult under guardianship or trusteeship. You should ask for explicit consent, according to paragraph 2 a) of article 9, whenever it is possible. You cannot rely on the vital interests exception as an alternative option if a person is able to consent and has refused to do so.

Essentially, the vital interests exception is useful for medical emergency situations. If a person has suffered a life-threatening injury, for example, the medical staff may need her/his medical history to decide on the proper treatment. As the person is unable to offer her/his consent, the hospital needs a legal basis to process her/his health data and the vital interests exception might prove useful. It can also be convenient in cases of epidemics. It may be impossible for all infected individuals to consent in a timely manner to allow medical staff to gather data in order to prevent the spread of the epidemic and, in doing so, to protect third parties’ vital interests.

The General Data Protection Regulation contains a circumscribed exception for the processing of special categories of personal data by the following types of organizations:

• associations;
• foundations; and
• other not-for-profit bodies.

The list appears to be closed and limited to these exact types of organizations, excluding any other types. As the legal status of charity, nonprofit, and philanthropy organizations is not uniform in the European Union, one should not attach too much importance to the name of the concerned body. The word “other” confirms that the list is illustrative and the exact nature of the organization depends on the legal form and structure the Member States give them.

It is more a question of the aims or goals of the organization than of its exact denomination, as it must pursue one of the following objectives

• political;
• philosophical;
• religious; or
• trade union.

The list refers to a limited number of activities and it cannot be extended beyond. Political parties, worship organizations or trade unions are clearly targeted. The philosophical aim category is not as easy to define. An organization devoted to environmental, vegan or anti-speciesism questions may qualify as pursuing a philosophical goal depending on a Member State law. How far that category may be expanded will depend on the Court of Justice of the European Union interpretation of the provision.

These organizations must process special categories of personal data only in the course of their “legitimate activities”. It means that the processing must be directly connected to the political, philosophical, religious or trade union activities of the organization. An association, a foundation or any other not-for-profit body cannot invoke that exception to process special categories of personal data that are not closely related to its core activities in accordance with its purposes and powers set out in its governing charter.

The GDPR requires that organizations handle special categories of personal data with appropriate safeguards. It is not clear what exactly the legislator had in mind by adopting this additional condition. It clearly implies that proper security measures should be in place to protect the processed data due to their sensitive nature. Data must also be accessible only to the persons who need to deal with them to achieve the organizations’ aims.

It follows logically that the personal data cannot be disclosed outside the organization, although article 9 2) (d) allows such divulgation with the consent of the concerned individuals. The body cannot share its membership list, for example, with other organizations unless it obtained its members’ consent. I do not see any legal impediment prohibiting the selling of that same list to finance the organization’s activities if its members consent to the divulgation of their personal data. The organization will also have to seek consent to name any individual members in a fundraiser campaign or an annual report, for example.

The scope of the exception is limited to processing special categories of personal data concerning an organization’s i) members, ii) former members or iii) individuals who have “regular contact” with it in connection with its goals. It excludes the organization’s employees or prospective members before they join the organization, but it may include partners, contributors or regular beneficiaries of the organization’s services who are not formally members of it.

It is a self-evident exception to the general rule that special categories of personal data cannot be processed as it allows organizations that owe their existence solely to the pursuit of one of the goals mentioned to process data essential to their operation. How would a political party exist if it cannot process the political opinions of their partisans? It is the same with trade unions that have to deal with data concerning their members or churches that have to process data revealing their believers’ religious beliefs in the course of their regular activities (see article 91).

The legal exception comprises two distinct parts, as it applies to:

1. processing necessary for establishing, exercising or defending a legal claim, and
2. courts acting in their judicial capacity.

1) The legal claim exception, in the context of article 9, is broad and is not limited to pending legal proceedings. It applies to ongoing legal claims along with prospective ones. A person may have to share personal data in order to obtain legal advice, to report a situation that may potentially lead to a legal claim or to prepare future proceedings, even if no procedures have been filed in court yet. It might concern administrative or court proceedings, as well as out-of-court procedures (recital 52).

The keyword in paragraph 2) (f) is “necessary” (read about the necessity principle in the general commentary below): the use of personal information must be necessary to establish, exercise or defend legal rights. It still needs to be defined what necessary means in the context of the GDPR. A reference to the general necessity principle in European Union law should lead to justifying the use of personal data for the legal claim exception based on objective evidence. There must be a substantial connection between the processing and the data processed in the context of a specific case.

The use of personal data should also be proportionate (read about the proportionality principle in the general commentary below): it should not go beyond what is necessary to achieve the objective pursued. Data used must be adequate and relevant “for the establishment, exercise or defence of legal claims” and their use should be limited to what is needed. In other words, it means that you should not use more data than what is necessary to proceed.

An example of using personal data before any legal proceedings have been initiated is if you have to report an accident to your insurer. Your insurer will eventually have to deal with data concerning your health or the health of other persons implicated in the accident. It does not mean that a claim will be brought before the court and if so, that it will not be settled before any proceedings take place.

I may cite another typical example, concerning this time the establishment of a defence to an actual legal claim. Your employee is suing you after that an accident has occurred in the workplace. You will have to share the details of the accident, including information in your possession about the injuries your employee has suffered, with your lawyer. As these data are considered health-related information, you will have to invoke paragraph 2) (f) exception.

2) The second part of the legal exception concerns courts acting in their judicial capacity. The exception is necessary to preserve the independence of justice (recital 20), which also ensures compliance with legal guarantees provided for by European and national rights and freedoms instruments. The GDPR does not specify the scope of the expression “courts […] acting in their judicial capacity”, except that it includes the decision-making process (recital 20).

Article 9 mentions only “courts”, but recital 97 seems to extend the exception to “independent judicial authorities”. Even if it is not the case, the interpretation of the term “court” may lead to such an extension. It raises questions in consequence for many existing procedures lead by quasi-judicial bodies, like arbitrators, arbitration tribunals or public administrative agencies. They conduct proceedings, during which the rights and freedoms of the parties involved must be guaranteed, they determine facts, they interpret the law, and they have powers of adjudication much like any courts of law.

The substantial public interest exception is characterized by the number of conditions attached to it and therefore its limited scope:

• Processing must be necessary;
• It must be based on a Union or Member State law; and
• The Union or Member State law itself must:
  • be proportionate to the goal pursued;
  • respect the essence of the right to data protection; and
  • guarantee suitable and specific measures to safeguard the fundamental rights and the interests of individuals concerned.

The terms “substantial public interest” are not defined in the General Data Protection Regulation. As the exception refers to the Union or Member State law, article 9 2) (g) gives a margin of appreciation to the national jurisdictions to decide locally what is of “substantial public interest”. A “substantial” public interest clearly requires a higher standard than simple public interest. If the latter refers to the public good and what is in the best interests of the society, the former must have to do with a real and tangible interest, an interest of considerable importance. A substantial public interest may be related to the exercise of fundamental rights and freedoms, like organizing the electoral process, or the maintenance of order and security, like fighting terrorism.

The Data Protection Act 2018, for example, recognizes twenty-three (23) cases where a substantial public interest is involved in the United Kingdom. Exceptions range from the administration of justice to safeguarding of children at risk, and extend to equality of opportunity, anti-doping in sport or publication of legal decisions. It is hard to distinguish in these examples what is in the general public interest and what is based on “substantial” public interest.

The substantial public interest exception does not apply to special categories of personal data which already benefit from an exception under article 9, like public health [paragraph 2, sub-paragraph (i)]. It is sometimes tricky though to decide which exception is applicable. One must refer to the specifics of the case and examine the facts attentively to decide what would be the best legal basis to process special categories of personal data.

Political parties may be required by a Member State’s legislation to compile personal data on individuals’ political opinions in the course of the electoral process based on the substantial public interest exception (recital 56). It differs from the foundation, association or not-for-profit body exception [article 9 2) (d)] in one aspect: the compilation is required by law and is not done as part of a political party’s main activities. It also exempts the organization from obtaining its members’ consent to divulge the collected personal data to the appropriate authorities.

I was asked recently about the proper legal basis to process data about students with disabilities. A school needs to collect and use these data to offer children services adapted to their learning capacity. Information about disabilities should be considered health-related data and thus special categories of personal data. They cannot be processed unless there is a specific exception that can be invoked.

It does not seem to be possible to rely on the public health exception [see paragraph 2, sub-paragraph (i) comment] to satisfy that request. If the Member State’s legislation in which the school operates provides for an exception to process special categories of personal data for the education of children with disabilities, the substantial public interest exception would be an appropriate legal basis. As it might be possible to get explicit consent [paragraph 2, sub-paragraph (a)] to process such data, that option should also be explored in the circumstances. The school will then have to respect the other requirements set in article 9 2) (g).

I already discussed the necessity principle in the general commentary below, and I would refer readers to it, as well as the proportionality principle that Union or Member State law must respect. The European or national text must also uphold the “essence of the right to data protection” and offer “suitable and specific measures” to protect the rights and interests of individuals concerned. It is therefore essential for the local authorities to comply with the Charter of Fundamental Rights of the European Union (article 8) and the principles set out in the GDPR.

Article 9 2) (h) provides for exceptions to processing data related to medical and social care, which must be necessary (read about the necessity principle in the general commentary below) for:

• preventive medicine;
• occupational medicine;
• assessing the working capacity of employees;
• medical diagnosis;
• provision of health or social care or treatment; or
• management of health or social care systems.

It is a list of self-explanatory exceptions and they do not need more exemplification except for the assessing the working capacity of employees exception. It does not overlap with the employment, social security and social protection law exception [sub-paragraph (b)] as it does not concern sensitive data about employees in general, but exclusively data necessary to assess the capacity of an employee to perform her/his job. The assessment can be performed through, for example, drug testing, physical tests or medical exams. The goal is to find out if the person is apt to work in a position that requires specific abilities or a particular health condition.

As it is often the case with the GDPR, the legal basis for the exception is to be sought in the Union or Member State law. Knowledge of the European legislation is not enough, you also have to understand the national law of the concerned Member State. The legal basis for the medical and social care exception may equally be found in a contract with a health professional if some conditions and safeguards are respected.

Paragraph 3 of article 9 states that the exception is applicable, if based on a contract with a health professional, only if data are processed by a person who is bound by professional secrecy. The conditions and obligations linked to the secrecy can be enumerated in a European Union or national law or established by a national competent body. The definition of health professionals is also left to the Member States. It may include any professionals subject to a duty of confidentiality, like doctors, dentists, nurses, opticians, physiotherapists or social workers.

The difference between the medical and social care [subparagraph (h)] and the public health exceptions is not that obvious and both exceptions may overlap in some cases. The first exception applies to the processing of sensitive data for preventive medicine, for example, whereas the second one affects cross-border threats to health. It is not impossible that the same set of data may be used in one case as well the other for the exact same purpose.

The perimeter of article 9 2) (i) is apparently well delimited: it applies to the processing of sensitive data, without the explicit consent of an individual based on subparagraph (a) (recital 54), that are necessary (read about the necessity principle in the general commentary below) for reasons of public interest in the area of public health. Public interest refers to the public good and what is in the best interests of a group of individuals or the society as a whole (recital 53). A personal interest is not enough to justify the application of this exception and once data have been processed under this subparagraph, they cannot be shared with third parties, like employers, insurers or banks (recital 54).

Public health is exemplified in article 9 2) (i) itself, but it offers a non-exhaustive list of possible uses. It includes the protection against serious cross-border threats to health and insurance of high standards of quality and safety of health care, medicinal products or medical devices. It encompasses, for example, data necessary to study or fight epidemics or to plan a vaccination program.

Public health is further defined as “all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality” [Regulation (EC) No 1338/2008]. Some aspects of that definition are undoubtedly covered by the medical and social care exception [subparagraph (h)], as management of health or social care systems.

As it is often the case with the GDPR, the legal basis for the exception is to be sought in the Union or Member State law. Knowledge of the European legislation is not enough, you also have to understand the national law of the concerned Member State. Member States may maintain or introduce further conditions and limitations than those provided for in article 9 2) (i) [article 9 (4) and recital 53]. They should furthermore guarantee individuals’ fundamental rights and the protection of their personal data by law (recitals 53 and 54).

Exceptions under article 9 2) (j) cover a wide range of interests and they might prove essential for the whole society and future generations. They concern four (4) different spheres:

• Archives;
• Scientific research;
• Historical research; and
• Statistical.

The archiving, research, and statistics exception must respect a list of conditions:

• Processing must be necessary;
• It must be based on a Union or Member State law; and
• The Union or Member State law itself must:
  • be proportionate to the goal pursued;
  • respect the essence of the right to data protection; and
  • guarantee suitable and specific measures to safeguard the fundamental rights and the interests of individuals concerned.

I’ve already discussed the necessity principle in the general commentary below, and I would refer readers to it, as well as the proportionality principle that Union or Member State law must respect. The European or national legal text must also uphold the “essence of the right to data protection” and offer “suitable and specific measures” to protect the rights and interests of individuals concerned. It is therefore essential for the local authorities to comply with the Charter of Fundamental Rights of the European Union (article 8) and the principles set out in the GDPR. Article 89 provides for more specifics on the safeguards and derogations relating to the processing of sensitive data in the context of the archiving, research, and statistics exception, and I invite you to read my comment relating to that provision.

As for the archiving exception, you must further demonstrate that the processing is in the public interest. A personal, corporate or financial interest is not enough to justify the application of this exception, you must be able to demonstrate that you are processing special categories of personal data for the public good and in the best interests of a group of individuals or the society as a whole (recital 53).

Archives concern public authorities, as well as public or private bodies that “have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records” (recital 158). Cold case murder investigations, for example, may justify the archiving of sensitive data in the public interest. Collecting information about political behavior under former totalitarian state regimes or related to genocide and crimes against humanity constitutes a further example (recital 158). Archived data may be used after for different purposes, among them is scientific research (recital 162).

Scientific research based on public and private registries may provide deeper knowledge of widespread medical conditions, like cardiovascular disease, cancer or depression (recital 157). Archives may also allow researchers to establish long-term correlations between unemployment or education and other life conditions (recital 157). Knowledge-based policy can thus be implemented to offer better social services or to improve the quality of life of the population (recital 157).

The scientific research exception aims at achieving a European research area to encourage the flow of researchers, scientific knowledge and technology [article 179(1) TFEU]. It must be interpreted broadly, according to the GDPR, and it applies to both public-sector and privately funded research (recital 159).

Clinical research undertaken in the public interest and meeting the other criteria of subparagraph (j) should be based on this exception rather than on express consent [subparagraph (a) and Regulation (EU) No 536/2014, article 29], recommends the European Data Protection Board (Opinion 3/2019). It is the safest possible ground as research may be compromised if individuals withdraw their consent while the research is conducted or after.

A classic example is a pharmaceutical company that conducts clinical trials for a new drug. If it relies on explicit consent [subparagraph (a)], it might face awkward consequences. Individuals participating in the trial might change their minds at the last stage of the research and decide to withdraw their consent. That eventuality would jeopardize the whole process and deprive society of the potential benefits of a new drug. Pharmaceutical companies may give additional guarantees by using anonymized or pseudonymized data in the course of their research to reduce the impact on participants and to compensate for the impossibility to withdraw their consent if the scientific research exception is invoked.

Statistical purposes is defined as “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results” (recital 162). Statistics should be developed, produced and disseminated according to six (6) principles: impartiality, reliability, objectivity, independence, cost-effectiveness, and confidentiality [article 338(2) TFEU].

The collection of stats should result in “aggregate data” and not “personal data”, which means that they should not concern any particular individuals but constitute abstract data concerning a group of anonymized individuals (recital 162). The statistics thus generated cannot be used to make decisions about any targeted individuals (recital 162). Furthermore, confidential information collected for statistical purposes must be protected with appropriate legal and technical safeguards (recital 163).