menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Netherlands) language
Contact our local member in Netherlands mail_outline
Visit the website of Ventoux account_balance

arrow_backPrevious Article
Article 9
Next Articlearrow_forward

Processing of special categories of personal data

Official
Texts Guidelines
& Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 9 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 9 keyboard_arrow_up

Articles related to article 9

Key words related to article 9

Show the recitals of the Regulation related to article 9 keyboard_arrow_down Hide the recitals of the Regulation related to article 9 keyboard_arrow_up

(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (9) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council (11), namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Show the recitals of the Directive related to article 9 keyboard_arrow_down Hide the recitals of the Directive related to article 9 keyboard_arrow_up

(33) Whereas data which are capable by their nature of infringing fundamental freedoms or privacy should not be processed unless the data subject gives his explicit consent; whereas, however, derogations from this prohibition must be explicitly provided for in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy or in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms;

(34) Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection - especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system - scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals;

(35) Whereas, moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognized religious associations is carried out on important grounds of public interest;

(36) Whereas where, in the course of electoral activities, the operation of the democratic system requires in certain Member States that political parties compile data on people's political opinion, the processing of such data may be permitted for reasons of important public interest, provided that appropriate safeguards are established;

The GDPR

Article 9 of the Regulation is based on Article 8 of the Directive, in that it prohibits the processing of sensitive data on the grounds that they deserve specific protection, given the significant risks to the fundamental rights and freedoms inherent in  their processing.

The prohibition covers in general:

- The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership;

- The processing of genetic data and biometric data  in order to identify an individual uniquely ;

- Processing of data concerning health or data concerning sex life or sexual orientation of an individual.

Recital  51  of the Regulations specifies that in case of derogations to the prohibition to process sensitive data, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing.

The concept of "sensitive data" within the meaning of Article 9 of the Regulation has been subject to new developments, given the significant technological developments. So, the prohibition of processing covers, besides the data revealing racial or ethnic origin, political opinions, religion, philosophical beliefs or trade union membership, health or sexual life:

- genetic data: they are defined in Article 4 (13) as personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

- biometric data: they are defined in Article 4 (14) as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; .

It should be noted that the data concerning health receive a specific definition in Article 4 (15) as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

The Regulation includes the exceptions already contained in the Directive by sometimes extending or limiting their scope (explicit consent; employment law and social security law provided that the processing is based on a law of the Union or of a member State or a collective agreement, human life safety, non-profit association, data made public by the data subject, finding, defence, exercise or determination of a legal right, preventive medicine or for substantial reasons of public interest).

The Regulation, however, introduces new derogations:

- for processing necessary for reasons of public interest in the field of public health (see Art. 9,  (2)  i), such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

- for processing necessary for archiving in the public interest or scientific or historical research purposes or statistical purposes  in accordance with Article  89  and based on Union or Member State law (see Art. 9, (2), j)). The final version of the Regulation stipulates that the processing should be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The "sensitive" data referred to in paragraph 1  can be processed for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care within the meaning of Article 9 (2), h), provided that they are processed by or under the responsibility of a professional or by or under the supervision of another person subject to professional secrecy (see Art. 9, (3 )).

Ultimately, the Member States may maintain or introduce more specific provisions; including restrictions regarding genetic, biometric or health-related data (see Article 9 (4)).

The Directive

The first paragraph of article 8 of the Directive provided a general prohibition to process the so-called “sensitive” data, except with data subject’s explicit consent. The paragraph covers the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life.

The EU legislature had considered that, insofar as these data, by their nature, infringe fundamental freedoms or privacy, they should not be the subject of processing.

This was, however, a relative prohibition. The second paragraph of article 8 of the Directive provided for various exceptions to the general prohibition to process such data.

The first exception to the principle prohibiting processing, for which the data subject has given his or her explicit consent to processing (Art. 8, paragraph 2 a) (see in this regard G29, Opinion 15/2011 on the definition of consent, WP 187).

In addition, several exceptions have been introduced to meet specific needs such as the processing needed to safety of life (Article 8,  2, c)); processing involving data which are made public by the data subject (Article 8, 2, e)); processing necessary for the  establishment, exercise or defence of legal claims (Article 8, 2 e); processing necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services (Art. 8, 3)).

The processing needed for the purposes of complying with the obligations and the specific rights of the controller in the field of employment law (Art. 8, 2, b)).

There is also an exception from the prohibition for processing carried out by a foundation, an association or any other non-profit organization with a political, philosophical, religious or trade-union aim. The exception applies only to the processing of data relating to the members of such organization or the persons being in regular contact with such organization (Art. 8, 2, f)).

The Directive provided, under certain conditions, an exception to the processing of data relating to offences, criminal convictions or security measures (Art. 8, 5). To the extent that the future Regulations provide a specific provision for these cases of processing, we will examine them in more detail in the commentary on Article 9a. 

In addition to the exceptions expressly contained in the Directive, Article 8, paragraph 4 authorised the Member States to lay down additional exemptions for reasons of substantial public interest, either by national law or by decision of the supervisory authority. These additional exemptions must still be notified to the European Commission (Art. 8, paragraph 4).

Potential issues

For different purposes or types of data, the Member States reserve a substantial degree of flexibility in the determination of exceptions which must be based on specific legislation taken by that state. Significant differences may therefore still occur between the states, which undermines the goal of full harmonization of the law on personal data protection pursued by the Regulation.

arrow_back Previous ArticleArticle 9Next Article arrow_forward
arrow_back Previous ArticleArticle 9 Next Article arrow_forward

Group 29

Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (6 february 2018)

(Endorsed by the EDPB)

The General Data Protection Regulation (the GDPR), specifically addresses profiling and automated individual decision-making, including profiling.

Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Banking and finance, healthcare, taxation, insurance, marketing and advertising are just a few examples of the fields where profiling is being carried out more regularly to aid decision-making.

Advances in technology and the capabilities of big data analytics, artificial intelligence and machine learning have made it easier to create profiles and make automated decisions with the potential to significantly impact individuals’ rights and freedoms.

The widespread availability of personal data on the internet and from Internet of Things (IoT) devices, and the ability to find correlations and create links, can allow aspects of an individual’s personality or behaviour, interests and habits to be determined, analysed and predicted.

Profiling and automated decision-making can be useful for individuals and organisations, delivering benefits such as:

  • increased efficiencies; and
  • resource savings.

They have many commercial applications, for example, they can be used to better segment markets and tailor services and products to align with individual needs. Medicine, education, healthcare and transportation can also all benefit from these processes.

However, profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards.

These processes can be opaque. Individuals might not know that they are being profiled or understand what is involved.

Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. In some cases, profiling can lead to inaccurate predictions. In other cases it can lead to denial of services and goods and unjustified discrimination.

The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of these guidelines is to clarify those provisions.

This document covers:

  • Definitions of profiling and automated decision-making and the GDPR approach to these in general – Chapter II
  • General provisions on profiling and automated decision-making – Chapter III
  • Specific provisions on solely automated decision-making defined in Article 22 - Chapter IV
  • Children and profiling – Chapter V
  • Data protection impact assessments and data protection officers– Chapter VI

The Annexes provide best practice recommendations, building on the experience gained in EU Member States.

The Article 29 Data Protection Working Party (WP29) will monitor the implementation of these guidelines and may complement them with further details as appropriate.

Link

CJEU caselaw

C-101/01 (6 November 2003)

1.    The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes ‘the processing of personal data wholly or partly by automatic means’ within the meaning of Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2.    Such processing of personal data is not covered by any of the exceptions in Article 3(2) of Directive 95/46.

3.    Reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.

4.    There is no ‘transfer [of data] to a third country’ within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.

5.    The provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.

6.    Measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.

Opinion of Advocate general

Judgment of the Court

C-141/12 ; C-372/12 (17 July 2014)

1.      Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the data relating to an applicant for a residence permit contained in an administrative document, such as the ‘minute’ at issue in the main proceedings, setting out the grounds that the case officer puts forward in support of the draft decision which he is responsible for drawing up in the context of the procedure prior to the adoption of a decision concerning the application for such a permit and, where relevant, the data in the legal analysis contained in that document, are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so classified.

2.      Article 12(a) of Directive 95/46 and Article 8(2) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that an applicant for a residence permit has a right of access to all personal data concerning him which are processed by the national administrative authorities within the meaning of Article 2(b) of that directive. For that right to be complied with, it is sufficient that the applicant be in possession of a full summary of those data in an intelligible form, that is to say a form which allows that applicant to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him by that directive.

3.      Article 41(2)(b) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that the applicant for a residence permit cannot rely on that provision against the national authorities.

Opinion of Advocate general

Judgment of the Court

arrow_back Previous ArticleArticle 9 Next Article arrow_forward
Regulation
1e 2e

Art. 9

1.   Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2.   Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3.   Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4.   Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.-
1st proposal close

Art. 9

1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.

2. Paragraph 1 shall not apply where:

(a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

(e) the processing relates to personal data which are manifestly made public by the data subject; or

(f) processing is necessary for the establishment, exercise or defence of legal claims; or

(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests; or

(h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or

(i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or

(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.

 
2nd proposal close

Art 9

1. The processing of personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life (…) shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies (…)
(a) the data subject has given explicit consent to the processing of those personal data (…), except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union law or Member State law or a collective agreement pursuant to Member State law providing for adequate safeguards;  or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent ; or

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non- profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

(e) the processing relates to personal data which are manifestly made public by the data subject (...); or

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity ; or

(g) processing is necessary for (...) reasons of public interest, on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests; or

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union law or Member State law or pursuant to contract with a health  professional and subject to the conditions and safeguards referred to in paragraph 4 ; or

(ha) (...);

(hb) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality  and safety of health care and of medicinal products or medical devices, on the basis of Union law or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject; or

(i) processing is necessary for archiving purposes in the public interest or

historical, statistical or scientific (...) purposes and subject to the conditions and safeguards laid down in Union or Member State law, including those referred to in Article 83.

(j) (...)

3. (...)

4. Personal data referred to in paragraph 1 may on the basis of Union or Member State law be processed for the purposes referred to in point (h) (...) of paragraph 2 when those data are processed by or under the responsibility of a (...) professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4a. (...).

5. Member States may maintain or introduce more specific provisions with regard to genetic data or health data. This includes the possibility for Member States to (...) introduce further conditions for the processing of these data.
Directive close

Art. 8

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

2. Paragraph 1 shall not apply where:

(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or

(b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or

(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.

3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.

5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.

Member States may provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority.

6. Derogations from paragraph 1 provided for in paragraphs 4 and 5 shall be notified to the Commission.

7. Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed.
Netherlands
compare_arrows

Section 22 GDPR Implementation Law. Prohibition on processing special categories of personal data
and general exemptions under the Regulation

1. In accordance with Article 9(1) of the Regulation, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of
genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited.
2. In accordance with Article 9(2)(a), (c), (d), (e) and (f) of the Regulation, the prohibition on processing special categories of personal data does not apply if:
a. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
b. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
c. processing is carried out by a foundation, association or any other not-forprofit body with a political, philosophical, religious or trade union aim in the course of its legitimate activities and with appropriate safeguards, and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
d. processing relates to personal data which are manifestly made public by the data subject; or
e. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

Section 23 GDPR Implementation Law. General exceptions under national law

Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing special categories of personal data does not apply if:
a. processing is necessary to comply with an obligation under international law;
b. the data are processed by the Dutch Data Protection Authority or an ombudsman as referred to in Section 9:17 of the General Administrative Law Act, and in so far as processing is necessary for the performance of thetasks entrusted to them by law, provided that safeguards have been put in place for that performance such that the data subject’s privacy is not disproportionately compromised; or
c. processing is necessary in addition to the processing of personal data relating to criminal law matters for the purposes for which such data are processed.

Section 24 GDPR Implementation Law. Exceptions for scientific or historical research or statistical purposes

Having regard to Article 9(2)(j) of the Regulation, the prohibition on processing special categories of personal data does not apply if:
a. processing is necessary for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation;
b. the research referred to in a. serves a public interest;
c. it is impossible or would involve a disproportionate effort to request express consent; and
d. safeguards have been put in place for the processing such that the data subject’s privacy is not disproportionately compromised.

Section 25 GDPR Implementation Law. Exceptions for the processing of personal data revealing racial
or ethnic origin

Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing personal data revealing racial or ethnic origin does not apply if such processing is carried out:
a. to identify the data subject and only in so far as such processing is unavoidable for that purpose; or
b. with the purpose of conferring a preferential position on persons of a certain ethnic or cultural minority group in order to eliminate or reduce the actual disadvantages connected with race or ethnicity, and only in so far as:
1°. processing is necessary for that purpose;
2°. the data relate to the country of birth of the data subject, his or her parents or grandparents, or to other criteria set by law on the basis of which it can objectively be determined whether a person belongs to a certain ethnic or cultural minority group; and
3°. the data subject has not objected to the processing in writing.

Section 26 GDPR Implementation Law. Exceptions for the processing of personal data revealing
political opinions for the performance of public duties

Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing personal data revealing political opinions does not apply if the processing is carried out with a view to requirements on political opinions that may reasonably be imposed in connection with the performance of duties in administrative bodies and on advisory boards.

Section 27 GDPR Implementation Law. Exceptions for the processing of personal data revealing
religious or philosophical beliefs for spiritual care

1. Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing personal data revealing religious or philosophical beliefs does not apply if the processing is carried out by institutions other than institutions as referred to in Section 22(2)(c), and in so far as the processing is necessary for the purpose of providing spiritual care to the data subject, unless he or she has objected to this in writing.
2. In the cases referred to in subsection 1, no personal data may be disclosed to third parties without the data subject’s consent.

Section 28 GDPR Implementation Law. Exceptions for genetic data

1. Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing genetic data does not apply if such processing is carried out in relation to the data subject from whom the data concerned have been collected.
2. In cases other than those referred to in subsection 1, the prohibition on processing genetic data does not apply if:
a. a substantial medical interest prevails; or
b. the processing is needed for scientific research that serves a public interest or for statistical purposes if:
1°. the data subject has given his or her express consent; and
2°. safeguards have been put in place for the processing such that the data subject’s privacy is not disproportionately compromised.
3. Consent as referred to in subsection 2(b) is not required if it proves impossible or would involve a disproportionate effort to request express consent.

Section 29 GDPR Implementation Law. Exceptions for biometric data

Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing biometric data for the purpose of uniquely identifying a natural person does not apply if the processing is necessary for authentication or security purposes.

Section 30 GDPR Implementation Law. Exceptions for data concerning health

1. Having regard to Article 9(2)(b) of the Regulation, the prohibition on processing data concerning health does not apply if the processing is carried out by administrative bodies, pension funds, employers or institutions that perform activities on their behalf in so far as this is necessary for:
a. proper compliance with legal requirements, pension schemes or collective employment contracts that provide entitlements which depend on the data subject’s health status; or
b. the reintegration or support of employees or recipients of welfare benefits in connection with illness or disability.
2. Having regard to Article 9(2)(g) of the Regulation, the prohibition on processing data concerning health does not apply if the processing is carried out by:
a. schools in so far as the processing is necessary with a view to special support for pupils or making special arrangements in connection with their health status;
b. an institution of rehabilitation, a special probation officer, the Child Care and Protection Board, the certified body referred to in Section 1.1 of the Youth Act, or the legal person referred to in Article 256(1) or Article 302(2) of Book 1 of the Civil Code, in so far as the processing is necessary for the performance of the statutory duties assigned to them; or
c. the Minister and the Minister of Justice and Security in so far as the processing is necessary for the enforcement of measures involving the deprivation of liberty.
3. Having regard to Article 9(2)(h) of the Regulation, the prohibition on processing data concerning health does not apply if the processing is carried out by:
a. healthcare providers, institutions or health care or social services facilities in so far as the processing is necessary for the proper treatment or care of the data subject or for the management of the institution or professional practice concerned; or
b. insurers as referred to in Section 1:1 of the Financial Supervision Act or financial service providers who provide insurance brokerage services as referred to in Section 1:1 of that act, in so far as the processing is necessary
to:

1°. assess the risk to be insured by the insurer and the data subject has not
made any objection; or
2°. perform the insurance agreement or to assist in the management and
implementation of the insurance.

4. If subsection 1, 2 or 3 applies, the data are only processed by persons who have an obligation of secrecy by virtue of an office, profession or legal requirement or pursuant to a contract. If the controller processes data personally and he or she is not already subject to an obligation of secrecy by virtue of an office, profession or legal requirement, he or she is obliged to maintain secrecy with regard to the data, save in so far as he or she is obliged to disclose them by law or his or her responsibilities require that they be disclosed to others who are authorised to process them pursuant to subsection 1, 2 or 3.
5. The prohibition on processing other special categories of personal data does not apply if the processing is necessary in addition to the processing of personal data concerning health referred to in subsection 3, opening lines and (a), for the proper treatment or care of the data subject. 6. Further rules may be issued regarding the application of subsections 1 and 3, opening lines and (b), by order in council.
arrow_back Previous ArticleArticle 9 Next Article arrow_forward
close

2016 - www.itiplaw.eu.