Art. 9
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
|
Art. 9
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.
2. Paragraph 1 shall not apply where:
(a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or
(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or
(e) the processing relates to personal data which are manifestly made public by the data subject; or
(f) processing is necessary for the establishment, exercise or defence of legal claims; or
(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests; or
(h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or
(i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or
(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.
|
Art. 9
1. The processing of personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life (…) shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies (…)
(a) the data subject has given explicit consent to the processing of those personal data (…), except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union law or Member State law or a collective agreement pursuant to Member State law providing for adequate safeguards; or
(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or
(e) the processing relates to personal data which are manifestly made public by the data subject (...); or
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
(g) processing is necessary for (...) reasons of public interest, on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests; or
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union law or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 4; or
(ha) (...);
(hb) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union law or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject; or
(i) processing is necessary for archiving purposes in the public interest or historical, statistical or scientific (...) purposes and subject to the conditions and safeguards laid down in Union or Member State law, including those referred to in Article 83.
(j) (...)
3. (...)
4. Personal data referred to in paragraph 1 may on the basis of Union or Member State law be processed for the purposes referred to in point (h) (...) of paragraph 2 when those data are processed by or under the responsibility of a (...) professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4a. (...).
5. Member States may maintain or introduce more specific provisions with regard to genetic data or health data. This includes the possibility for Member States to (...) introduce further conditions for the processing of these data.
|
Art. 8
1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
2. Paragraph 1 shall not apply where:
(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or
(b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or
(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or
(d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or
(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.
3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.
5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.
Member States may provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority.
6. Derogations from paragraph 1 provided for in paragraphs 4 and 5 shall be notified to the Commission.
7. Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed.
|
Section 22 GDPR Implementation Law. Prohibition on processing special categories of personal data and general exemptions under the Regulation
1. In accordance with Article 9(1) of the Regulation, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited.
2. In accordance with Article 9(2)(a), (c), (d), (e) and (f) of the Regulation, the prohibition on processing special categories of personal data does not apply if:
a. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
b. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
c. processing is carried out by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim in the course of its legitimate activities and with appropriate safeguards, and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
d. processing relates to personal data which are manifestly made public by the data subject; or
e. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Section 23 GDPR Implementation Law. General exceptions under national law
Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing special categories of personal data does not apply if:
a. processing is necessary to comply with an obligation under international law;
b. the data are processed by the Dutch Data Protection Authority or an ombudsman as referred to in Section 9:17 of the General Administrative Law Act, and in so far as processing is necessary for the performance of the tasks entrusted to them by law, provided that safeguards have been put in place for that performance such that the data subject’s privacy is not disproportionately compromised; or
c. processing is necessary in addition to the processing of personal data relating to criminal law matters for the purposes for which such data are processed.
Section 24 GDPR Implementation Law. Exceptions for scientific or historical research or statistical purposes
Having regard to Article 9(2)(j) of the Regulation, the prohibition on processing special categories of personal data does not apply if:
a. processing is necessary for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation;
b. the research referred to in a. serves a public interest;
c. it is impossible or would involve a disproportionate effort to request express consent; and
d. safeguards have been put in place for the processing such that the data subject’s privacy is not disproportionately compromised.
Section 25 GDPR Implementation Law. Exceptions for the processing of personal data revealing racial or ethnic origin
Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing personal data revealing racial or ethnic origin does not apply if such processing is carried out:
a. to identify the data subject and only in so far as such processing is unavoidable for that purpose; or
b. with the purpose of conferring a preferential position on persons of a certain ethnic or cultural minority group in order to eliminate or reduce the actual disadvantages connected with race or ethnicity, and only in so far as:
1°. processing is necessary for that purpose;
2°. the data relate to the country of birth of the data subject, his or her parents or grandparents, or to other criteria set by law on the basis of which it can objectively be determined whether a person belongs to a certain ethnic or cultural minority group; and
3°. the data subject has not objected to the processing in writing.
Section 26 GDPR Implementation Law. Exceptions for the processing of personal data revealing political opinions for the performance of public duties
Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing personal data revealing political opinions does not apply if the processing is carried out with a view to requirements on political opinions that may reasonably be imposed in connection with the performance of duties in administrative bodies and on advisory boards.
Section 27 GDPR Implementation Law. Exceptions for the processing of personal data revealing religious or philosophical beliefs for spiritual care
1. Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing personal data revealing religious or philosophical beliefs does not apply if the processing is carried out by institutions other than institutions as referred to in Section 22(2)(c), and in so far as the processing is necessary for the purpose of providing spiritual care to the data subject, unless he or she has objected to this in writing.
2. In the cases referred to in subsection 1, no personal data may be disclosed to third parties without the data subject’s consent.
Section 28 GDPR Implementation Law. Exceptions for genetic data
1. Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing genetic data does not apply if such processing is carried out in relation to the data subject from whom the data concerned have been collected.
2. In cases other than those referred to in subsection 1, the prohibition on processing genetic data does not apply if:
a. a substantial medical interest prevails; or
b. the processing is needed for scientific research that serves a public interest or for statistical purposes if:
1°. the data subject has given his or her express consent; and
2°. safeguards have been put in place for the processing such that the data subject’s privacy is not disproportionately compromised.
3. Consent as referred to in subsection 2(b) is not required if it proves impossible or would involve a disproportionate effort to request express consent.
Section 29 GDPR Implementation Law. Exceptions for biometric data
Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing biometric data for the purpose of uniquely identifying a natural person does not apply if the processing is necessary for authentication or security purposes.
Section 30 GDPR Implementation Law. Exceptions for data concerning health
1. Having regard to Article 9(2)(b) of the Regulation, the prohibition on processing data concerning health does not apply if the processing is carried out by administrative bodies, pension funds, employers or institutions that perform activities on their behalf in so far as this is necessary for:
a. proper compliance with legal requirements, pension schemes or collective employment contracts that provide entitlements which depend on the data subject’s health status; or
b. the reintegration or support of employees or recipients of welfare benefits in connection with illness or disability.
2. Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing data concerning health does not apply if the processing is carried out by:
a. schools in so far as the processing is necessary with a view to special support for pupils or making special arrangements in connection with their health status;
b. an institution of rehabilitation, a special probation officer, the Child Care and Protection Board, the certified body referred to in Section 1.1 of the Youth Act, or the legal person referred to in Article 256(1) or Article 302(2) of Book 1 of the Civil Code, in so far as the processing is necessary for the performance of the statutory duties assigned to them; or
c. the Minister and the Minister of Justice and Security in so far as the processing is necessary for the enforcement of measures involving the deprivation of liberty.
3. Having regard to Article 9(2)(h) of the Regulation, the prohibition on processing data concerning health does not apply if the processing is carried out by:
a. healthcare providers, institutions or health care or social services facilities in so far as the processing is necessary for the proper treatment or care of the data subject or for the management of the institution or professional practice concerned; or
b. insurers as referred to in Section 1:1 of the Financial Supervision Act or financial service providers who provide insurance brokerage services as referred to in Section 1:1 of that act, in so far as the processing is necessary to:
1°. assess the risk to be insured by the insurer and the data subject has not made any objection; or
2°. perform the insurance agreement or to assist in the management and implementation of the insurance.
4. If subsection 1, 2 or 3 applies, the data are only processed by persons who have an obligation of secrecy by virtue of an office, profession or legal requirement or pursuant to a contract. If the controller processes data personally and he or she is not already subject to an obligation of secrecy by virtue of an office, profession or legal requirement, he or she is obliged to maintain secrecy with regard to the data, save in so far as he or she is obliged to disclose them by law or his or her responsibilities require that they be disclosed to others who are authorised to process them pursuant to subsection 1, 2 or 3.
5. The prohibition on processing other special categories of personal data does not apply if the processing is necessary in addition to the processing of personal data concerning health referred to in subsection 3, opening lines and (a), for the proper treatment or care of the data subject.
6. Further rules may be issued regarding the application of subsections 1 and 3, opening lines and (b), by order in council.
|