Article 9 GDPR. Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Recitals

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

2. Paragraph 1 shall not apply if one of the following applies:

Recitals

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council [11], namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

[11] Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2008:354:TOC

(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

(56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 9(2)(a) GDPR:

7.2.4 Obtain and record consent

Control

The organization should obtain and record consent from PII principals according to the documented processes.

Implementation guidance

The organization should obtain and record consent from PII principals in such a way that it can provide on request details of the consent provided (for example the time that consent was provided, the identification of the PII principal, and the consent statement).


(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

Expert commentary

The European legislator introduced an exception – for special categories of personal data which are manifestly made public by a person – that seems completely logical at first glance. If a person willingly shares her/his data, it sounds reasonable to allow the processing of these data by third parties. On second thought, many questions come to mind. What does “manifestly” mean? When are data “public”? How to determine if a person intended to make her/his data public?

The exception does not concern all special categories of data publicly available. It applies strictly to data that an individual personally disclosed. It must be a publication that results from a clear and voluntary decision from an individual to disclose information about her/him. It should not be an accidental, inadvertent, involuntary or unintentional disclosure. It should be the result of a free and deliberate decision. The individual must be fully conscious that s/he made her/his data public. Thus, it excludes leaked data, data accessible after a security breach or data shared unintentionally or by inadvertence…


Author: Louis-Philippe Gratton, PhD, LLM, Privacy Expert

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Expert commentary

Some personal data, because of their sensitive nature, belong to special categories in the General Data Protection Regulation. Processing data mentioned in one of these eight (8) categories poses indeed “significant risks to the fundamental rights and freedoms” of an individual (recital 51). Risks vary depending on the type of data involved. Paragraph one of article 9 enumerates all types of data covered, but they are not readily intelligible. A visual list, broken down into eight points, helps to clarify the scope of the provision and what data are considered “special” by the European regulation:

  1. data disclosing racial or ethnic origin;
  2. data divulging political opinions;
  3. data revealing religious or philosophical beliefs;
  4. data about trade union membership;
  5. genetic data;
  6. biometric data used to identify a person;
  7. data concerning health; and
  8. data relating to a person’s sex life or sexual orientation.

The list must be considered exhaustive as exceptions must be interpreted strictly, so it means that no other exception can be admitted by the Court of Justice of the European Union or by Member States’ legislation. Personal data relating to criminal convictions and offences are not mentioned in this list because they fall under a different legal regime (article 10).

The “special categories of personal data” are treated distinctively mainly to protect individuals from discrimination (recital 71). Their processing might also lead to physical, material or non-material damage, including identity theft, fraud, harm to one’s reputation or breach of professional secrecy (recital 75).

Racial or ethnic origin related data include names, places of birth, native languages, and even extend to the names of an individual’s parents. They are considered sensitive because they may reveal a person’s origin or her/his ethnicity.

Political opinions can be inferred from activities revealing an individual’s political inclination, like membership in a political party, petitions s/he signed or events, meetings or protests s/he attended. They include information reflecting ideas s/he supports as well as the ones s/he rejects or opposes.

Data revealing an individual’s practice of a religion or interest in it – like attending church, buying religious books, participating in religious-related events or demonstrations – may give a clue to a person’s religious affiliation or her/his absence of religious conviction. It is more difficult to determine what philosophical beliefs are. An example taken from English case law indicates that it is essentially a genuinely held belief that concerns a substantial aspect of human life and behaviour and it is worthy of respect in a democratic society (Grainger Plc v. Nicholson).

The special protection granted to trade union membership information is based on the logic of fundamental rights in the labor environment. It protects individuals from discrimination at work, as a potential consequence of their union activities, and preserves their collective bargaining power among other rights.

Analysis of biological samples provides information about a person’s “inherited or acquired genetic characteristics” [recital 34 and article 4 (13)]. The resulting genetic data may give information about a person’s origin, ethnicity, physiology or health, as some health problems find their cause in abnormalities in the human genome.

Biometric data are information obtained from different measurements of a person’s “physical, physiological or behavioural characteristics” [article 4 (14)]. They serve to uniquely identify an individual, like fingerprints, iris patterns, facial attributes or voice modulation. A photograph is not always classified as biometric data; it is only considered so when its processing reveals characteristics allowing a person to be uniquely identified (recital 51).


Author: Louis-Philippe Gratton, PhD, LLM, Privacy Expert
ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 9 GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

