Articolul 9 📖 GDPR. Prelucrarea de categorii speciale de date cu caracter personal

Articolul 9 GDPR. Prelucrarea de categorii speciale de date cu caracter personal

Article 9 GDPR. Processing of special categories of personal data

(1) Se interzice prelucrarea de date cu caracter personal care dezvăluie originea rasială sau etnică, opiniile politice, confesiunea religioasă sau convingerile filozofice sau apartenența la sindicate și prelucrarea de date genetice, de date biometrice pentru identificarea unică a unei persoane fizice, de date privind sănătatea sau de date privind viața sexuală sau orientarea sexuală ale unei persoane fizice.

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Orientările & Case Law Considerentele

Orientările & Case Law

(EN)

Documents

Article 29 Working Party, Opinion 2/2012 on Facial Recognition in Online and Mobile Services (2012).

Article 29 Working Party, Opinion 3/2012 on Developments in Biometric Technologies (2012).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

EDPB, Guidelines 8/2020 on the targeting of social media users (2020):

If a social media provider or a targeter uses observed data to categorise users as having certain religious, philosophical or political beliefs-regardless of whether the categorization is correct/true or not-this categorisation of the user must obviously be seen as processing of special category of personal data in this context. As long as the categorisation enables targeting based on special category data, it does not matter how the category is labelled.

EDPB, Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (2020).

Financial transactions can reveal sensitive information about individual data subject, including those related to special categories of personal data. For example, political opinions and religious beliefs may be revealed by donations made to political parties or organisations, churches or parishes. Trade union membership may be revealed by the deduction of an annual membership fee from a person’s bank account. Personal data concerning health may be gathered from analysing medical bills paid by a data subject. Finally, information on certain purchases may reveal information concerning a person’s sex life or sexual orientation.

Moreover, through the sum of financial transactions, different kinds of behavioural patterns could be revealed, including special categories of personal data and additional services that are facilitated by account information services might rely on profiling as defined by article 4 (4) of the GDPR. Therefore, the chances are considerable that a service provider processing information on financial transactions of data subjects also processes special categories of personal data.

Considerentele

(51) Datele cu caracter personal care sunt, prin natura lor, deosebit de sensibile în ceea ce privește drepturile și libertățile fundamentale necesită o protecție specifică, deoarece contextul prelucrării acestora ar putea genera riscuri considerabile la adresa drepturilor și libertăților fundamentale. Aceste date cu caracter personal ar trebui să includă datele cu caracter personal care dezvăluie originea rasială sau etnică, utilizarea termenului „origine rasială” în prezentul regulament neimplicând o acceptare de către Uniune a teoriilor care urmăresc să stabilească existența unor rase umane separate. Prelucrarea fotografiilor nu ar trebui să fie considerată în mod sistematic ca fiind o prelucrare de categorii speciale de date cu caracter personal, întrucât fotografiile intră sub incidența definiției datelor biometrice doar în cazurile în care sunt prelucrate prin mijloace tehnice specifice care permit identificarea unică sau autentificarea unei persoane fizice. Asemenea date cu caracter personal nu ar trebui prelucrate, cu excepția cazului în care prelucrarea este permisă în cazuri specifice prevăzute de prezentul regulament, ținând seama de faptul că dreptul statelor membre poate prevedea dispoziții specifice cu privire la protecția datelor în scopul adaptării aplicării normelor din prezentul regulament în vederea respectării unei obligații legale sau a îndeplinirii unei sarcini care servește unui interes public sau care rezultă din exercitarea autorității publice cu care este învestit operatorul. Pe lângă cerințele specifice pentru o astfel de prelucrare, ar trebui să se aplice principiile generale și alte norme prevăzute de prezentul regulament, în special în ceea ce privește condițiile pentru prelucrarea legală. Ar trebui prevăzute în mod explicit derogări de la interdicția generală de prelucrare a acestor categorii speciale de date cu caracter personal, printre altele atunci când persoana vizată își dă consimțământul explicit sau în ceea ce privește nevoile specifice în special atunci când prelucrarea este efectuată în cadrul unor activități legitime de către anumite asociații sau fundații al căror scop este de a permite exercitarea libertăților fundamentale.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

(2) Alineatul (1) nu se aplică în următoarele situații:

2. Paragraph 1 shall not apply if one of the following applies:

Considerentele

(52) Derogarea de la interdicția privind prelucrarea categoriilor speciale de date cu caracter personal ar trebui să fie permisă, de asemenea, în cazul în care dreptul Uniunii sau dreptul intern prevede acest lucru și ar trebui să facă obiectul unor garanții adecvate, astfel încât să fie protejate datele cu caracter personal și alte drepturi fundamentale, atunci când acest lucru se justifică din motive de interes public, în special în cazul prelucrării datelor cu caracter personal în domeniul legislației privind ocuparea forței de muncă, protecția socială, inclusiv pensiile, precum și în scopuri de securitate, supraveghere și alertă în materie de sănătate, pentru prevenirea sau controlul bolilor transmisibile și a altor amenințări grave la adresa sănătății. Această derogare poate fi acordată în scopuri medicale, inclusiv sănătatea publică și gestionarea serviciilor de asistență medicală, în special în vederea asigurării calității și eficienței din punctul de vedere al costurilor ale procedurilor utilizate pentru soluționarea cererilor de prestații și servicii în cadrul sistemului de asigurări de sănătate, sau în scopuri de arhivare în interes public, în scopuri de cercetare științifică sau istorică ori în scopuri statistice. De asemenea, prelucrarea unor asemenea date cu caracter personal ar trebui permisă, printr-o derogare, atunci când este necesară pentru constatarea, exercitarea sau apărarea unui drept în justiție, indiferent dacă are loc în cadrul unei proceduri în fața unei instanțe sau în cadrul unei proceduri administrative sau a unei proceduri extrajudiciare.

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Categoriile speciale de date cu caracter personal care necesită un nivel mai ridicat de protecție ar trebui prelucrate doar în scopuri legate de sănătate atunci când este necesar pentru realizarea acestor scopuri în beneficiul persoanelor fizice și al societății în general, în special în contextul gestionării serviciilor și sistemelor de sănătate sau de asistență socială, inclusiv prelucrarea acestor date de către autoritățile de management și de către autoritățile centrale naționale din domeniul sănătății în scopul controlului calității, furnizării de informații de gestiune și al supravegherii generale a sistemului de sănătate sau de asistență socială la nivel național și local, precum și în contextul asigurării continuității asistenței medicale sau sociale și a asistenței medicale transfrontaliere ori în scopuri de securitate, supraveghere și alertă în materie de sănătate ori în scopuri de arhivare în interes public, în scopuri de cercetare științifică sau istorică ori în scopuri statistice în temeiul dreptului Uniunii sau al dreptului intern, care trebuie să urmărească un obiectiv de interes public, precum și în cazul studiilor realizate în interes public în domeniul sănătății publice. Prin urmare, prezentul regulament ar trebui să prevadă condiții armonizate pentru prelucrarea categoriilor speciale de date cu caracter personal privind sănătatea, în ceea ce privește nevoile specifice, în special atunci când prelucrarea acestor date este efectuată în anumite scopuri legate de sănătate de către persoane care fac obiectul unei obligații legale de a păstra secretul profesional. Dreptul Uniunii sau dreptul intern ar trebui să prevadă măsuri specifice și adecvate pentru a proteja drepturile fundamentale și datele cu caracter personal ale persoanelor fizice. Statele membre ar trebui să aibă posibilitatea de a menține sau de a introduce condiții suplimentare, inclusiv restricții, în ceea ce privește prelucrarea datelor genetice, a datelor biometrice sau a datelor privind sănătatea. Totuși, acest lucru nu ar trebui să împiedice libera circulație a datelor cu caracter personal în cadrul Uniunii atunci când aceste condiții se aplică prelucrării transfrontaliere a unor astfel de date.

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

(54) Prelucrarea categoriilor speciale de date cu caracter personal poate fi necesară din motive de interes public în domeniile sănătății publice, fără consimțământul persoanei vizate. O astfel de prelucrare ar trebui condiționată de măsuri adecvate și specifice destinate să protejeze drepturile și libertățile persoanelor fizice. În acest context, conceptul de „sănătate publică” ar trebui interpretat astfel cum este definit în Regulamentul (CE) nr. 1338/2008 al Parlamentului European și al Consiliului [11], și anume toate elementele referitoare la sănătate și anume starea de sănătate, inclusiv morbiditatea sau handicapul, factorii determinanți care au efect asupra stării de sănătate, necesitățile în domeniul asistenței medicale, resursele alocate asistenței medicale, furnizarea asistenței medicale și asigurarea accesului universal la aceasta, precum și cheltuielile și sursele de finanțare în domeniul sănătății și cauzele mortalității. Această prelucrare a datelor privind sănătatea din motive de interes public nu ar trebui să ducă la prelucrarea acestor date în alte scopuri de către părți terțe, cum ar fi angajatorii sau societățile de asigurări și băncile.

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council [11], namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

_{[11] Regulamentul (CE) nr. 1338/2008 al Parlamentului European și al Consiliului din 16 decembrie 2008 privind statisticile comunitare referitoare la sănătatea publică, precum și la sănătatea și siguranța la locul de muncă (JO L 354, 31.12.2008, p. 70). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC}

_{[11] Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC}

(55) În plus, prelucrarea datelor cu caracter personal de către autoritățile publice în vederea realizării obiectivelor prevăzute de dreptul constituțional sau de dreptul internațional public, ale asociațiilor religioase recunoscute oficial se efectuează din motive de interes public.

(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

(56) În cazul în care, în cadrul activităților electorale, funcționarea sistemului democratic necesită, într-un stat membru, ca partidele politice să colecteze date cu caracter personal privind opiniile politice ale persoanelor, prelucrarea unor astfel de date poate fi permisă din motive de interes public, cu condiția să se prevadă garanțiile corespunzătoare.

(56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

(a) persoana vizată și-a dat consimțământul explicit pentru prelucrarea acestor date cu caracter personal pentru unul sau mai multe scopuri specifice, cu excepția cazului în care dreptul Uniunii sau dreptul intern prevede ca interdicția prevăzută la alineatul (1) să nu poată fi ridicată prin consimțământul persoanei vizate;

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

Comentariu ISO 27701 Conexiuni

Comentariu

(EN) The first exception is based on “explicit consent”. Article 9 consent differs from the general notion of consent of article 6 in one important aspect: it must be explicitly provided by the person concerned. It means that the consent must be freely given, specific, informed, and unambiguous, under the definition of article 4 (11), and, in addition to these requirements, it must be “explicit”.

What form of consent is considered “explicit” and thus valid under article 9? The sensitive nature of the data involved entails a consent that goes beyond the regular “statement or clear affirmative action” [article 4 (11)] on the part of the data subject. It means that s/he must give “an express statement of consent” (Guidelines on Consent), even in the case where services are provided on a contractual basis. An explicit consent is needed because there is no contract based exceptions in article 9 (2) a controller can rely on.

The Guidelines on Consent suggest that a written statement or even a signed written statement may be required, even though the GDPR does not prescribe such a form of consent. A signed consent may be relevant if health data are collected, for example, in the context of services offered by a private clinic or a convalescent home. A plastic surgeon may need to gather information about a client’s health condition or share medical information to seek a second opinion from one of her/his colleagues. The managers of a convalescent home will have to gather information about a future pensionary’s health condition to arrange the appropriate services needed during her/his stay.

A signed written statement is not as practical in the digital or online environment. How can a person consent if, for example, s/he buys a plane ticket online and requires special medical assistance at boarding time, during the flight or at her/his arrival at destination? A valid consent will also be difficult to obtain if a person places an online order for buying special eyewear as the seller has to collect health-related information about her/his vision and share it with the manufacturer.

Simply following a link or ticking a box might be regarded as an insufficient consent in these examples. The Guidelines on Consent recommend other forms of consent, like filling in an electronic form, using an electronic signature, recording an oral statement or proceeding with a two-step verification (ticking a box in a form and confirming the consent by email afterward, for example).

Article 9 prescribes that a person must consent “for one or more specified purposes”. The requirement goes beyond the “specific” quality of consent required by article 4 (11). Purposes must be clearly specified, which implies that the consent must be tied to specific data or precise categories of data that the controller will be allowed to process.

You must always remember that the GDPR is not a complete statement on the state of the law on data protection in a particular Member State, and it is particularly true here because there is an exception to the exception. Consent is an invalid basis to process special categories of personal data if a Member State prohibits the lifting of the prohibition for processing special categories of personal data by an individual in its national legislation, as the GDPR allows it.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 9(2)(a) GDPR:

7.2.4 Obtain and record consent

Control

The organization should obtain and record consent from PII principals according to the documented processes.

Implementation guidance

The organization should obtain and record consent from PII principals in such a way that it can provide on request details of the consent provided (for example the time that consent was provided, the identification of the PII principal, and the consent statement).

…

Conectare
pentru a accesa textul integral

Conexiuni

Guidelines on consent under Regulation 2016/679

OBTAINING EXPLICIT CONSENT

93. The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.[47]

_{[47] See also WP29 Opinion 15/2011, on the definition of consent (WP 187), p. 25.}

94. However, such a signed statement is not the only way to obtain explicit consent and, it cannot be said that the GDPR prescribes written and signed statements in all circumstances that require valid explicit consent. For example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. In theory, the use of oral statements can also be sufficiently express to obtain valid explicit consent, however, it may be difficult to prove for the controller that all conditions for valid explicit consent were met when the statement was recorded.

95. An organisation may also obtain explicit consent through a telephone conversation, provided that the information about the choice is fair, intelligible and clear, and it asks for a specific confirmation from the data subject (e.g. pressing a button or providing oral confirmation).

(b) prelucrarea este necesară în scopul îndeplinirii obligațiilor și al exercitării unor drepturi specifice ale operatorului sau ale persoanei vizate în domeniul ocupării forței de muncă și al securității sociale și protecției sociale, în măsura în care acest lucru este autorizat de dreptul Uniunii sau de dreptul intern ori de un acord colectiv de muncă încheiat în temeiul dreptului intern care prevede garanții adecvate pentru drepturile fundamentale și interesele persoanei vizate;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

Comentariu

(EN) Processing of special categories of personal data in the field of employment, social security, and social protection law is possible only if it is “necessary” (read about the necessity and proportionality principles in the general commentary below) and it satisfies two other conditions:

it is authorised by the European Union or Member State law or a collective agreement; and
there are appropriate safeguards in place to protect the fundamental rights and interests of individuals.

The European regulation essentially refers to the legislation of the Member States to acknowledge the existence of exceptions and verify if individuals’ fundamental rights are preserved. Therefore, there are no general rules applicable to the entire Union and the exception can only be understood on a State by State basis. The controller has to invoke a specific legal provision authorizing the processing of personal data in the context of employment, social security or social protection law.

Member States may allow employers to collect personal data in order to provide health insurance policies to their employees, maintain records of sick, maternity or paternity leaves, deduct union dues from payslips or provide special working conditions or environment to persons with disabilities. They can also authorize insurers, for example, to process health data for paying accidents or invalidity indemnities to employees.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

(c) prelucrarea este necesară pentru protejarea intereselor vitale ale persoanei vizate sau ale unei alte persoane fizice, atunci când persoana vizată se află în incapacitate fizică sau juridică de a-și da consimțământul;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

Comentariu

(EN) According to article 9 2) (c), processing of special categories of personal data is allowed if it is “necessary” (read about the necessity and proportionality principles in the general commentary below) to protect a person’s vital interests or third parties’ ones. The vital interests exception is similar to article 6 1) (d) lawful basis to process data except that it applies only if you cannot obtain a person’s consent.

The scope of the exception is limited as it concerns only the protection of a “vital interest” of a person, that is to say, “an interest which is essential for [her/his] life” (recital 46). It includes threats to the physical integrity or life of a person or a third person. In other words, it must be a matter of life and death even though recital 46 seems to widen the scope of the exception. It suggests that it may also apply to humanitarian situations such as monitoring epidemics or providing relief for natural or man-made disasters.

The second condition limits drastically the scope of the vital interests exception: it may be invoked only if the individual is physically or legally incapable of giving consent. It can be the case if a person is unconscious, for example, or is unable to consent because of her/his legal status, like a minor or an adult under guardianship or trusteeship. You should ask for explicit consent, according to paragraph 2 a) of article 9, whenever it is possible. You cannot rely on the vital interests exception as an alternative option if a person is able to consent and has refused to do so.

Essentially, the vital interests exception is useful for medical emergency situations. If a person has suffered a life-threatening injury, for example, the medical staff may need her/his medical history to decide on the proper treatment. As the person is unable to offer her/his consent, the hospital needs a legal basis to process her/his health data and the vital interests exception might prove useful. It can also be convenient in cases of epidemics. It may be impossible for all infected individuals to consent in a timely manner to allow medical staff to gather data in order to prevent the spread of the epidemic and, in doing so, to protect third parties’ vital interests.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

(d) prelucrarea este efectuată în cadrul activităților lor legitime și cu garanții adecvate de către o fundație, o asociație sau orice alt organism fără scop lucrativ și cu specific politic, filozofic, religios sau sindical, cu condiția ca prelucrarea să se refere numai la membrii sau la foștii membri ai organismului respectiv sau la persoane cu care acesta are contacte permanente în legătură cu scopurile sale și ca datele cu caracter personal să nu fie comunicate terților fără consimțământul persoanelor vizate;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

Comentariu

(EN) The General Data Protection Regulation contains a circumscribed exception for the processing of special categories of personal data by the following types of organizations:

associations;
foundations; and
other not-for-profit bodies.

The list appears to be closed and limited to these exact types of organizations, excluding any other types. As the legal status of charity, nonprofit, and philanthropy organizations is not uniform in the European Union, one should not attach too much importance to the name of the concerned body. The word “other” confirms that the list is illustrative and the exact nature of the organization depends on the legal form and structure the Member States give them.

It is more a question of the aims or goals of the organization than of its exact denomination, as it must pursue one of the following objectives

political;
philosophical;
religious; or
trade union.

The list refers to a limited number of activities and it cannot be extended beyond. Political parties, worship organizations or trade unions are clearly targeted. The philosophical aim category is not as easy to define. An organization devoted to environmental, vegan or anti-speciesism questions may qualify as pursuing a philosophical goal depending on a Member State law. How far that category may be expanded will depend on the Court of Justice of the European Union interpretation of the provision.

These organizations must process special categories of personal data only in the course of their “legitimate activities”. It means that the processing must be directly connected to the political, philosophical, religious or trade union activities of the organization. An association, a foundation or any other not-for-profit body cannot invoke that exception to process special categories of personal data that are not closely related to its core activities in accordance with its purposes and powers set out in its governing charter.

The GDPR requires that organizations handle special categories of personal data with appropriate safeguards. It is not clear what exactly the legislator had in mind by adopting this additional condition. It clearly implies that proper security measures should be in place to protect the processed data due to their sensitive nature. Data must also be accessible only to the persons who need to deal with them to achieve the organizations’ aims.

It follows logically that the personal data cannot be disclosed outside the organization, although article 9 2) (d) allows such divulgation with the consent of the concerned individuals. The body cannot share its membership list, for example, with other organizations unless it obtained its members’ consent. I do not see any legal impediment prohibiting the selling of that same list to finance the organization’s activities if its members consent to the divulgation of their personal data. The organization will also have to seek consent to name any individual members in a fundraiser campaign or an annual report, for example.

The scope of the exception is limited to processing special categories of personal data concerning an organization’s i) members, ii) former members or iii) individuals who have “regular contact” with it in connection with its goals. It excludes the organization’s employees or prospective members before they join the organization, but it may include partners, contributors or regular beneficiaries of the organization’s services who are not formally members of it.

It is a self-evident exception to the general rule that special categories of personal data cannot be processed as it allows organizations that owe their existence solely to the pursuit of one of the goals mentioned to process data essential to their operation. How would a political party exist if it cannot process the political opinions of their partisans? It is the same with trade unions that have to deal with data concerning their members or churches that have to process data revealing their believers’ religious beliefs in the course of their regular activities (see article 91).

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

(e) prelucrarea se referă la date cu caracter personal care sunt făcute publice în mod manifest de către persoana vizată;

(e) processing relates to personal data which are manifestly made public by the data subject;

Comentariu Orientările & Case Law

Comentariu

(EN) The European legislator introduced an exception – for special categories of personal data which are manifestly made public by a person – that seems completely logical at first glance. If a person willingly shares her/his data, it sounds reasonable to allow the processing of these data by third parties. On second thought, many questions come to mind. What does “manifestly” mean? When are data “public”? How to determine if a person intended to make her/his data public?

The exception does not concern all special categories of data publicly available. It applies strictly to data that an individual personally disclosed. It must be a publication that results from a clear and voluntary decision from an individual to disclose information about her/him. It should not be an accidental, inadvertent, involuntary or unintentional disclosure. It should be the result of a free and deliberate decision. The individual must be fully conscious that s/he made her/his data public. Thus, it excludes leaked data, data accessible after a security breach or data shared unintentionally or by inadvertence…

…

Conectare
pentru a accesa textul integral

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Orientările & Case Law

(EN) EDPB, Guidelines 8/2020 on the targeting of social media users (2020):

The word “manifestly” implies that there must be a high threshold for relying on this exemption.The EDPB notes that the presence of a single element may not always be sufficient to establish that the data have been “manifestly” made public by the data subject. In practice,a combination of the following or other elements may need to be considered for controllers to demonstrate that the data subject has clearly manifested the intention to make the data public, and a case-by-case assessment is needed. The following elements may be relevant to help inform this assessment:

the default settings of the social media platform (i.e. whether the data subject took a specific action to change these default private settings into public ones); or

the nature of the social media platform (i.e. whether this platform is intrinsically linked with the idea of connecting with close acquaintances of the data subject or creating intimate relations (such as online dating platforms), or if it is meant to provide a wider scope of interpersonal relations, such as professional relations, or microblogging, etc… ; or

the accessibility of the page where the sensitive data is published (i.e. whether the information is publically accessible or if, for instance, the creation of an account is necessary before accessing the information); or

the visibility of the information where the data subject is informed of the public nature of the information that they publish (i.e. whether there is for example a continuous banner on the page, or whether the button for publishing informs the data subject that the information will be made public…); or

if the data subject has published the sensitive data himself/herself, or whether instead the data has been published by a third party (e.g. a photo published by a friend which reveals sensitive data) or inferred.

The EDPB notes that the presence of a single element may not always be sufficient to establish that the data have been “manifestly” made public by the data subject. In practice,a combination of these or other elements may need to be considered for controllers to demonstrate that the data subject has clearly manifested the intention to make the data public.

(f) prelucrarea este necesară pentru constatarea, exercitarea sau apărarea unui drept în instanță sau ori de câte ori instanțele acționează în exercițiul funcției lor judiciare;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

Comentariu

(EN) The legal exception comprises two distinct parts, as it applies to:

processing necessary for establishing, exercising or defending a legal claim, and
courts acting in their judicial capacity.

1) The legal claim exception, in the context of article 9, is broad and is not limited to pending legal proceedings. It applies to ongoing legal claims along with prospective ones. A person may have to share personal data in order to obtain legal advice, to report a situation that may potentially lead to a legal claim or to prepare future proceedings, even if no procedures have been filed in court yet. It might concern administrative or court proceedings, as well as out-of-court procedures (recital 52).

The keyword in paragraph 2) (f) is “necessary” (read about the necessity principle in the general commentary below): the use of personal information must be necessary to establish, exercise or defend legal rights. It still needs to be defined what necessary means in the context of the GDPR. A reference to the general necessity principle in European Union law should lead to justifying the use of personal data for the legal claim exception based on objective evidence. There must be a substantial connection between the processing and the data processed in the context of a specific case.

The use of personal data should also be proportionate (read about the proportionality principle in the general commentary below): it should not go beyond what is necessary to achieve the objective pursued. Data used must be adequate and relevant “for the establishment, exercise or defence of legal claims” and their use should be limited to what is needed. In other words, it means that you should not use more data than what is necessary to proceed.

An example of using personal data before any legal proceedings have been initiated is if you have to report an accident to your insurer. Your insurer will eventually have to deal with data concerning your health or the health of other persons implicated in the accident. It does not mean that a claim will be brought before the court and if so, that it will not be settled before any proceedings take place.

I may cite another typical example, concerning this time the establishment of a defence to an actual legal claim. Your employee is suing you after that an accident has occurred in the workplace. You will have to share the details of the accident, including information in your possession about the injuries your employee has suffered, with your lawyer. As these data are considered health-related information, you will have to invoke paragraph 2) (f) exception.

2) The second part of the legal exception concerns courts acting in their judicial capacity. The exception is necessary to preserve the independence of justice (recital 20), which also ensures compliance with legal guarantees provided for by European and national rights and freedoms instruments. The GDPR does not specify the scope of the expression “courts […] acting in their judicial capacity”, except that it includes the decision-making process (recital 20).

Article 9 mentions only “courts”, but recital 97 seems to extend the exception to “independent judicial authorities”. Even if it is not the case, the interpretation of the term “court” may lead to such an extension. It raises questions in consequence for many existing procedures lead by quasi-judicial bodies, like arbitrators, arbitration tribunals or public administrative agencies. They conduct proceedings, during which the rights and freedoms of the parties involved must be guaranteed, they determine facts, they interpret the law, and they have powers of adjudication much like any courts of law.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

(g) prelucrarea este necesară din motive de interes public major, în baza dreptului Uniunii sau a dreptului intern, care este proporțional cu obiectivul urmărit, respectă esența dreptului la protecția datelor și prevede măsuri corespunzătoare și specifice pentru protejarea drepturilor fundamentale și a intereselor persoanei vizate;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

Comentariu

(EN) The substantial public interest exception is characterized by the number of conditions attached to it and therefore its limited scope:

Processing must be necessary;
It must be based on a Union or Member State law; and
The Union or Member State law itself must:
- be proportionate to the goal pursued;
- respect the essence of the right to data protection; and
- guarantee suitable and specific measures to safeguard the fundamental rights and the interests of individuals concerned.

The terms “substantial public interest” are not defined in the General Data Protection Regulation. As the exception refers to the Union or Member State law, article 9 2) (g) gives a margin of appreciation to the national jurisdictions to decide locally what is of “substantial public interest”. A “substantial” public interest clearly requires a higher standard than simple public interest. If the latter refers to the public good and what is in the best interests of the society, the former must have to do with a real and tangible interest, an interest of considerable importance. A substantial public interest may be related to the exercise of fundamental rights and freedoms, like organizing the electoral process, or the maintenance of order and security, like fighting terrorism.

The Data Protection Act 2018, for example, recognizes twenty-three (23) cases where a substantial public interest is involved in the United Kingdom. Exceptions range from the administration of justice to safeguarding of children at risk, and extend to equality of opportunity, anti-doping in sport or publication of legal decisions. It is hard to distinguish in these examples what is in the general public interest and what is based on “substantial” public interest.

The substantial public interest exception does not apply to special categories of personal data which already benefit from an exception under article 9, like public health [paragraph 2, sub-paragraph (i)]. It is sometimes tricky though to decide which exception is applicable. One must refer to the specifics of the case and examine the facts attentively to decide what would be the best legal basis to process special categories of personal data.

Political parties may be required by a Member State’s legislation to compile personal data on individuals’ political opinions in the course of the electoral process based on the substantial public interest exception (recital 56). It differs from the foundation, association or not-for-profit body exception [article 9 2) (d)] in one aspect: the compilation is required by law and is not done as part of a political party’s main activities. It also exempts the organization from obtaining its members’ consent to divulge the collected personal data to the appropriate authorities.

I was asked recently about the proper legal basis to process data about students with disabilities. A school needs to collect and use these data to offer children services adapted to their learning capacity. Information about disabilities should be considered health-related data and thus special categories of personal data. They cannot be processed unless there is a specific exception that can be invoked.

It does not seem to be possible to rely on the public health exception [see paragraph 2, sub-paragraph (i) comment] to satisfy that request. If the Member State’s legislation in which the school operates provides for an exception to process special categories of personal data for the education of children with disabilities, the substantial public interest exception would be an appropriate legal basis. As it might be possible to get explicit consent [paragraph 2, sub-paragraph (a)] to process such data, that option should also be explored in the circumstances. The school will then have to respect the other requirements set in article 9 2) (g).

I already discussed the necessity principle in the general commentary below, and I would refer readers to it, as well as the proportionality principle that Union or Member State law must respect. The European or national text must also uphold the “essence of the right to data protection” and offer “suitable and specific measures” to protect the rights and interests of individuals concerned. It is therefore essential for the local authorities to comply with the Charter of Fundamental Rights of the European Union (article 8) and the principles set out in the GDPR.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

(h) prelucrarea este necesară în scopuri legate de medicina preventivă sau a muncii, de evaluarea capacității de muncă a angajatului, de stabilirea unui diagnostic medical, de furnizarea de asistență medicală sau socială sau a unui tratament medical sau de gestionarea sistemelor și serviciilor de sănătate sau de asistență socială, în temeiul dreptului Uniunii sau al dreptului intern sau în temeiul unui contract încheiat cu un cadru medical și sub rezerva respectării condițiilor și garanțiilor prevăzute la alineatul (3);

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

Comentariu Orientările & Case Law

Comentariu

(EN) Article 9 2) (h) provides for exceptions to processing data related to medical and social care, which must be necessary (read about the necessity principle in the general commentary below) for:

preventive medicine;
occupational medicine;
assessing the working capacity of employees;
medical diagnosis;
provision of health or social care or treatment; or
management of health or social care systems.

It is a list of self-explanatory exceptions and they do not need more exemplification except for the assessing the working capacity of employees exception. It does not overlap with the employment, social security and social protection law exception [sub-paragraph (b)] as it does not concern sensitive data about employees in general, but exclusively data necessary to assess the capacity of an employee to perform her/his job. The assessment can be performed through, for example, drug testing, physical tests or medical exams. The goal is to find out if the person is apt to work in a position that requires specific abilities or a particular health condition.

As it is often the case with the GDPR, the legal basis for the exception is to be sought in the Union or Member State law. Knowledge of the European legislation is not enough, you also have to understand the national law of the concerned Member State. The legal basis for the medical and social care exception may equally be found in a contract with a health professional if some conditions and safeguards are respected.

Paragraph 3 of article 9 states that the exception is applicable, if based on a contract with a health professional, only if data are processed by a person who is bound by professional secrecy. The conditions and obligations linked to the secrecy can be enumerated in a European Union or national law or established by a national competent body. The definition of health professionals is also left to the Member States. It may include any professionals subject to a duty of confidentiality, like doctors, dentists, nurses, opticians, physiotherapists or social workers.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Orientările & Case Law

(EN) EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

(i) prelucrarea este necesară din motive de interes public în domeniul sănătății publice, cum ar fi protecția împotriva amenințărilor transfrontaliere grave la adresa sănătății sau asigurarea de standarde ridicate de calitate și siguranță a asistenței medicale și a medicamentelor sau a dispozitivelor medicale, în temeiul dreptului Uniunii sau al dreptului intern, care prevede măsuri adecvate și specifice pentru protejarea drepturilor și libertăților persoanei vizate, în special a secretului profesional; sau

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

Comentariu Orientările & Case Law

Comentariu

(EN) The difference between the medical and social care [subparagraph (h)] and the public health exceptions is not that obvious and both exceptions may overlap in some cases. The first exception applies to the processing of sensitive data for preventive medicine, for example, whereas the second one affects cross-border threats to health. It is not impossible that the same set of data may be used in one case as well the other for the exact same purpose.

The perimeter of article 9 2) (i) is apparently well delimited: it applies to the processing of sensitive data, without the explicit consent of an individual based on subparagraph (a) (recital 54), that are necessary (read about the necessity principle in the general commentary below) for reasons of public interest in the area of public health. Public interest refers to the public good and what is in the best interests of a group of individuals or the society as a whole (recital 53). A personal interest is not enough to justify the application of this exception and once data have been processed under this subparagraph, they cannot be shared with third parties, like employers, insurers or banks (recital 54).

Public health is exemplified in article 9 2) (i) itself, but it offers a non-exhaustive list of possible uses. It includes the protection against serious cross-border threats to health and insurance of high standards of quality and safety of health care, medicinal products or medical devices. It encompasses, for example, data necessary to study or fight epidemics or to plan a vaccination program.

Public health is further defined as “all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality” [Regulation (EC) No 1338/2008]. Some aspects of that definition are undoubtedly covered by the medical and social care exception [subparagraph (h)], as management of health or social care systems.

As it is often the case with the GDPR, the legal basis for the exception is to be sought in the Union or Member State law. Knowledge of the European legislation is not enough, you also have to understand the national law of the concerned Member State. Member States may maintain or introduce further conditions and limitations than those provided for in article 9 2) (i) [article 9 (4) and recital 53]. They should furthermore guarantee individuals’ fundamental rights and the protection of their personal data by law (recitals 53 and 54).

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Orientările & Case Law

(EN)

Legislation

Regulation (EC) No 1338/2008 on Community Statistics on Public Health and Health and Safety at Work, OJEU L 354, 31 December 2008, p. 70.

Documents

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

(j) prelucrarea este necesară în scopuri de arhivare în interes public, în scopuri de cercetare științifică sau istorică ori în scopuri statistice, în conformitate cu articolul 89 alineatul (1), în baza dreptului Uniunii sau a dreptului intern, care este proporțional cu obiectivul urmărit, respectă esența dreptului la protecția datelor și prevede măsuri corespunzătoare și specifice pentru protejarea drepturilor fundamentale și a intereselor persoanei vizate.

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Comentariu Orientările & Case Law Conexiuni

Comentariu

(EN) Exceptions under article 9 2) (j) cover a wide range of interests and they might prove essential for the whole society and future generations. They concern four (4) different spheres:

Archives;
Scientific research;
Historical research; and
Statistical.

The archiving, research, and statistics exception must respect a list of conditions:

Processing must be necessary;
It must be based on a Union or Member State law; and
The Union or Member State law itself must:
- be proportionate to the goal pursued;
- respect the essence of the right to data protection; and
- guarantee suitable and specific measures to safeguard the fundamental rights and the interests of individuals concerned.

I’ve already discussed the necessity principle in the general commentary below, and I would refer readers to it, as well as the proportionality principle that Union or Member State law must respect. The European or national legal text must also uphold the “essence of the right to data protection” and offer “suitable and specific measures” to protect the rights and interests of individuals concerned. It is therefore essential for the local authorities to comply with the Charter of Fundamental Rights of the European Union (article 8) and the principles set out in the GDPR. Article 89 provides for more specifics on the safeguards and derogations relating to the processing of sensitive data in the context of the archiving, research, and statistics exception, and I invite you to read my comment relating to that provision.

As for the archiving exception, you must further demonstrate that the processing is in the public interest. A personal, corporate or financial interest is not enough to justify the application of this exception, you must be able to demonstrate that you are processing special categories of personal data for the public good and in the best interests of a group of individuals or the society as a whole (recital 53).

Archives concern public authorities, as well as public or private bodies that “have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records” (recital 158). Cold case murder investigations, for example, may justify the archiving of sensitive data in the public interest. Collecting information about political behavior under former totalitarian state regimes or related to genocide and crimes against humanity constitutes a further example (recital 158). Archived data may be used after for different purposes, among them is scientific research (recital 162).

Scientific research based on public and private registries may provide deeper knowledge of widespread medical conditions, like cardiovascular disease, cancer or depression (recital 157). Archives may also allow researchers to establish long-term correlations between unemployment or education and other life conditions (recital 157). Knowledge-based policy can thus be implemented to offer better social services or to improve the quality of life of the population (recital 157).

The scientific research exception aims at achieving a European research area to encourage the flow of researchers, scientific knowledge and technology [article 179(1) TFEU]. It must be interpreted broadly, according to the GDPR, and it applies to both public-sector and privately funded research (recital 159).

Clinical research undertaken in the public interest and meeting the other criteria of subparagraph (j) should be based on this exception rather than on express consent [subparagraph (a) and Regulation (EU) No 536/2014, article 29], recommends the European Data Protection Board (Opinion 3/2019). It is the safest possible ground as research may be compromised if individuals withdraw their consent while the research is conducted or after.

A classic example is a pharmaceutical company that conducts clinical trials for a new drug. If it relies on explicit consent [subparagraph (a)], it might face awkward consequences. Individuals participating in the trial might change their minds at the last stage of the research and decide to withdraw their consent. That eventuality would jeopardize the whole process and deprive society of the potential benefits of a new drug. Pharmaceutical companies may give additional guarantees by using anonymized or pseudonymized data in the course of their research to reduce the impact on participants and to compensate for the impossibility to withdraw their consent if the scientific research exception is invoked.

Statistical purposes is defined as “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results” (recital 162). Statistics should be developed, produced and disseminated according to six (6) principles: impartiality, reliability, objectivity, independence, cost-effectiveness, and confidentiality [article 338(2) TFEU].

The collection of stats should result in “aggregate data” and not “personal data”, which means that they should not concern any particular individuals but constitute abstract data concerning a group of anonymized individuals (recital 162). The statistics thus generated cannot be used to make decisions about any targeted individuals (recital 162). Furthermore, confidential information collected for statistical purposes must be protected with appropriate legal and technical safeguards (recital 163).

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

Orientările & Case Law

(EN)

Document

EDPB, Opinion 3/2019 Concerning the Questions and Answers on the Interplay Between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b)) (2019).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

Legislation

Regulation (EU) No 536/2014 on Clinical Trials on Medicinal Products for Human Use, OJEU L 158, 27 May 2014, p. 1.

Conexiuni

Articolul 89 GDPR. Garanții și derogări privind prelucrarea în scopuri de arhivare în interes public, în scopuri de cercetare științifică sau istorică ori în scopuri statistice

Article 89 GDPR. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

(1) Prelucrarea în scopuri de arhivare în interes public, în scopuri de cercetare științifică sau istorică ori în scopuri statistice are loc cu condiția existenței unor garanții corespunzătoare, în conformitate cu prezentul regulament, pentru drepturile și libertățile persoanelor vizate. Respectivele garanții asigură faptul că au fost instituite măsuri tehnice și organizatorice necesare pentru a se asigura, în special, respectarea principiului reducerii la minimum a datelor. Respectivele măsuri pot include pseudonimizarea, cu condiția ca respectivele scopuri să fie îndeplinite în acest mod. Atunci când respectivele scopuri pot fi îndeplinite printr-o prelucrare ulterioară care nu permite sau nu mai permite identificarea persoanelor vizate, scopurile respective sunt îndeplinite în acest mod.

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

[…]

Guidelines on consent under Regulation 2016/679

Scientific research

153. Recital 33 seems to bring some flexibility to the degree of specification and granularity of consent in the context of scientific research. Recital 33 states: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”

(3) Datele cu caracter personal menționate la alineatul (1) pot fi prelucrate în scopurile menționate la alineatul (2) litera (h) în cazul în care datele respective sunt prelucrate de către un profesionist supus obligației de păstrare a secretului profesional sau sub responsabilitatea acestuia, în temeiul dreptului Uniunii sau al dreptului intern sau în temeiul normelor stabilite de organisme naționale competente sau de o altă persoană supusă, de asemenea, unei obligații de confidențialitate în temeiul dreptului Uniunii sau al dreptului intern ori al normelor stabilite de organisme naționale competente.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

(4) Statele membre pot menține sau introduce condiții suplimentare, inclusiv restricții, în ceea ce privește prelucrarea de date genetice, date biometrice sau date privind sănătatea.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Regulamentul general privind protecția datelor

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Comentariu ISO 27701 Considerentele Orientările & Case Law Lasa un comentariu

Comentariu

(EN) Some personal data, because of their sensitive nature, belong to special categories in the General Data Protection Regulation. Processing data mentioned in one of these eight (8) categories poses indeed “significant risks to the fundamental rights and freedoms” of an individual (recital 51). Risks vary depending on the type of data involved. Paragraph one of article 9 enumerates all types of data covered, but they are not readily intelligible. A visual list, broken down into eight points, helps to clarify the scope of the provision and what data are considered “special” by the European regulation:

data disclosing racial or ethnic origin;
data divulging political opinions;
data revealing religious or philosophical beliefs;
data about trade union membership;
genetic data;
biometric data used to identify a person;
data concerning health; and
data relating to a person’s sex life or sexual orientation.

…

Conectare
pentru a accesa textul integral

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 9 GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

…

Conectare
pentru a accesa textul integral

Considerentele

Orientările & Case Law

(EN)

Documents

Article 29 Working Party, Opinion 2/2010 on behavioural advertising (2010):

Any possible targeting of data subjects based on sensitive information opens the possibility of abuse. Furthermore, given the sensitivity of such information and the possible awkward situations which may arise if individuals receive advertising that reveals, for example, sexual preferences or political activity, offering/using interest categories that would reveal sensitive data should be discouraged.

In this context, the only available legal ground that would legitimize the data processing would be explicit, separate prior opt-in consent. The requirement for a separate, affirmative prior indication of the data subjects’ agreement means that in no case would an opt-out consent mechanism meet the requirement of the law. It also means that such consent could not be obtained through browser settings. To lawfully collect and process this type of information, ad network providers would have to set up mechanisms to obtain explicit prior consent, separate from other consent obtained for processing in general.

EDPB, Assessing the Necessity of Measures That Limit the Fundamental Right to the Protection of Personal Data: A Toolkit (2017).

WP29, Opinion on data processing at work (2017).

European Commission, Commission Guidance on the application of Union data protection law in the electoral context, A contribution from the European Commission to the Leaders’ meeting in Salzburg on 19-20 September 2018.

EDPB, Guidelines on Assessing the Proportionality of Measures That Limit the Fundamental Rights to Privacy and to the Protection of Personal Data (2019).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

EDPB, Guidelines 8/2020 on the targeting of social media users (2020).

EDPB, Guidelines 3/2020 on the Processing of Data Concerning Health for the Purpose of Scientific Research in the Context of the Covid-19 Outbreak (2020).

EDPB, Guidelines 3/2019 on Processing of Personal Data through Video Devices (2020).

European Commission, Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection Brussels (2020).

EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).