menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Netherlands) language
Contact our local member in Netherlands mail_outline
Visit the website of Ventoux account_balance

arrow_backPrevious Article
Article 9
Next Articlearrow_forward

Processing of special categories of personal data

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 9 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 9 keyboard_arrow_up

Articles related to article 9

Key words related to article 9

Show the recitals of the Regulation related to article 9 keyboard_arrow_down Hide the recitals of the Regulation related to article 9 keyboard_arrow_up

(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council, namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Show the recitals of the Directive related to article 9 keyboard_arrow_down Hide the recitals of the Directive related to article 9 keyboard_arrow_up

(33) Whereas data which are capable by their nature of infringing fundamental freedoms or privacy should not be processed unless the data subject gives his explicit consent; whereas, however, derogations from this prohibition must be explicitly provided for in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy or in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms;

(34) Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection - especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system - scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals;

(35) Whereas, moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognized religious associations is carried out on important grounds of public interest;

(36) Whereas where, in the course of electoral activities, the operation of the democratic system requires in certain Member States that political parties compile data on people's political opinion, the processing of such data may be permitted for reasons of important public interest, provided that appropriate safeguards are established;

The GDPR

Article 9 of the Regulation is based on Article 8 of the Directive, in that it prohibits the processing of sensitive data on the grounds that they deserve specific protection, given the significant risks to the fundamental rights and freedoms inherent in  their processing.

The prohibition covers in general:

- The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership;

- The processing of genetic data and biometric data  in order to identify an individual uniquely ;

- Processing of data concerning health or data concerning sex life or sexual orientation of an individual.

Recital  51  of the Regulations specifies that in case of derogations to the prohibition to process sensitive data, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing.

The concept of "sensitive data" within the meaning of Article 9 of the Regulation has been subject to new developments, given the significant technological developments. So, the prohibition of processing covers, besides the data revealing racial or ethnic origin, political opinions, religion, philosophical beliefs or trade union membership, health or sexual life:

- genetic data: they are defined in Article 4 (13) as personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

- biometric data: they are defined in Article 4 (14) as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; .

It should be noted that the data concerning health receive a specific definition in Article 4 (15) as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

The Regulation includes the exceptions already contained in the Directive by sometimes extending or limiting their scope (explicit consent; employment law and social security law provided that the processing is based on a law of the Union or of a member State or a collective agreement, human life safety, non-profit association, data made public by the data subject, finding, defence, exercise or determination of a legal right, preventive medicine or for substantial reasons of public interest).

The Regulation, however, introduces new derogations:

- for processing necessary for reasons of public interest in the field of public health (see Art. 9,  (2)  i), such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

- for processing necessary for archiving in the public interest or scientific or historical research purposes or statistical purposes  in accordance with Article  89  and based on Union or Member State law (see Art. 9, (2), j)). The final version of the Regulation stipulates that the processing should be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The "sensitive" data referred to in paragraph 1  can be processed for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care within the meaning of Article 9 (2), h), provided that they are processed by or under the responsibility of a professional or by or under the supervision of another person subject to professional secrecy (see Art. 9, (3 )).

Ultimately, the Member States may maintain or introduce more specific provisions; including restrictions regarding genetic, biometric or health-related data (see Article 9 (4)).

The Directive

The first paragraph of article 8 of the Directive provided a general prohibition to process the so-called “sensitive” data, except with data subject’s explicit consent. The paragraph covers the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life.

The EU legislature had considered that, insofar as these data, by their nature, infringe fundamental freedoms or privacy, they should not be the subject of processing.

This was, however, a relative prohibition. The second paragraph of article 8 of the Directive provided for various exceptions to the general prohibition to process such data.

The first exception to the principle prohibiting processing, for which the data subject has given his or her explicit consent to processing (Art. 8, paragraph 2 a) (see in this regard G29, Opinion 15/2011 on the definition of consent, WP 187).

In addition, several exceptions have been introduced to meet specific needs such as the processing needed to safety of life (Article 8,  2, c)); processing involving data which are made public by the data subject (Article 8, 2, e)); processing necessary for the  establishment, exercise or defence of legal claims (Article 8, 2 e); processing necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services (Art. 8, 3)).

The processing needed for the purposes of complying with the obligations and the specific rights of the controller in the field of employment law (Art. 8, 2, b)).

There is also an exception from the prohibition for processing carried out by a foundation, an association or any other non-profit organization with a political, philosophical, religious or trade-union aim. The exception applies only to the processing of data relating to the members of such organization or the persons being in regular contact with such organization (Art. 8, 2, f)).

The Directive provided, under certain conditions, an exception to the processing of data relating to offences, criminal convictions or security measures (Art. 8, 5). To the extent that the future Regulations provide a specific provision for these cases of processing, we will examine them in more detail in the commentary on Article 9a. 

In addition to the exceptions expressly contained in the Directive, Article 8, paragraph 4 authorised the Member States to lay down additional exemptions for reasons of substantial public interest, either by national law or by decision of the supervisory authority. These additional exemptions must still be notified to the European Commission (Art. 8, paragraph 4).

Potential issues

For different purposes or types of data, the Member States reserve a substantial degree of flexibility in the determination of exceptions which must be based on specific legislation taken by that state. Significant differences may therefore still occur between the states, which undermines the goal of full harmonization of the law on personal data protection pursued by the Regulation.

arrow_back Previous ArticleArticle 9Next Article arrow_forward
arrow_back Previous ArticleArticle 9 Next Article arrow_forward

Summary

European Union

European Union

European data protection board (EDPB)

Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak - 3/2020 (21 April 2020)

Link

Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (21 April 2020)

Link

Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement (26 April 2023)

Facial recognition technology (FRT) may be used to automatically recognise individuals based on their face. FRT often is based on artificial intelligence such as machine learning technologies. Applications of FRT are increasingly tested and used in various areas, from individual use to private organisations and public administration use. Law enforcement authorities (LEAs) also expect advantagesfrom the use of FRT. It promises solutions to relatively new challenges such as investigations involving a big amount of captured evidence, but also to known problems, in particular with regard to under-staffing for observation and search tasks.

A great deal of the increased interest in FRT is based on the efficiency and scalability of FRT. With these come the disadvantages inherent to the technology and its application – also on a large scale. While there may be thousands of personal data sets analysed atthe push of a button, already slight effects of algorithmic discrimination or misidentification may create high numbers of individuals affected severely in their conduct and daily lives. The sheer size of processing of personal data, and in particular biometric data, is a further key element of FRT, as the processing of personal data constitutes an interference with the fundamental right to protection of personal data according to Article 8 of the Charter of Fundamental Rights of the European Union (the Charter).

The application of FRT of LEAs will – and to some extent already does – have significant implications on individuals and on groups of people, including minorities. These implications will also have considerable effects on the way we live together and on our social and democratic political stability, valuing the high significance of pluralism and political opposition. The right to protection of personal data often is key as a prerequisite to guarantee other fundamental rights. The application of FRT is considerably prone to interfere with fundamental rights beyond the right to protection of personal data.

The EDPB therefore deems it important to contribute to the ongoing integration of FRT in the area of law enforcement covered by the Law Enforcement Directive respectively the national laws transposing it and provide the present guidelines. The guidelines are intended to provide relevant information to lawmakers at EU and national level, as well as for LEAs and their officers when implementing and using FRT-systems. The scope of the guidelines is limited to FRT. However, other forms of processing of personal data based on biometrics by LEAs, especially if processed remotely, may entail similar or additional risks for individuals, groups and society. According to the respective ircumstances, some aspects of these guidelines may serve as a useful source in these cases, as well. Finally, individuals that are interested generally or as data subjects may also find important information, in particular as regards data subjects’ rights.

The guidelines consist of the main document and three annexes. The main document at hand presents the technology and the legal framework applicable. To help identifying some of the major aspects to classify the severity of the interference with fundamental rights to a given field of application, a template can be found in Annex I. LEAs that wish to procure and run a FRT system may find practical guidance in Annex II. Depending on the field of application of FRT, different considerations could be of relevance. A set of hypothetical scenarios and relevant considerations may be found in Annex III.

Link

Retour au sommaire

Article 29 Working Party

Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 - wp251rev.01 (6 february 2018)

(Endorsed by the EDPB)

The General Data Protection Regulation (the GDPR), specifically addresses profiling and automated individual decision-making, including profiling.

Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Banking and finance, healthcare, taxation, insurance, marketing and advertising are just a few examples of the fields where profiling is being carried out more regularly to aid decision-making.

Advances in technology and the capabilities of big data analytics, artificial intelligence and machine learning have made it easier to create profiles and make automated decisions with the potential to significantly impact individuals’ rights and freedoms.

The widespread availability of personal data on the internet and from Internet of Things (IoT) devices, and the ability to find correlations and create links, can allow aspects of an individual’s personality or behaviour, interests and habits to be determined, analysed and predicted.

Profiling and automated decision-making can be useful for individuals and organisations, delivering benefits such as:

  • increased efficiencies; and
  • resource savings.

They have many commercial applications, for example, they can be used to better segment markets and tailor services and products to align with individual needs. Medicine, education, healthcare and transportation can also all benefit from these processes.

However, profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards.

These processes can be opaque. Individuals might not know that they are being profiled or understand what is involved.

Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. In some cases, profiling can lead to inaccurate predictions. In other cases it can lead to denial of services and goods and unjustified discrimination.

The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of these guidelines is to clarify those provisions.

This document covers:

  • Definitions of profiling and automated decision-making and the GDPR approach to these in general – Chapter II
  • General provisions on profiling and automated decision-making – Chapter III
  • Specific provisions on solely automated decision-making defined in Article 22 - Chapter IV
  • Children and profiling – Chapter V
  • Data protection impact assessments and data protection officers– Chapter VI

The Annexes provide best practice recommendations, building on the experience gained in EU Member States.

The Article 29 Data Protection Working Party (WP29) will monitor the implementation of these guidelines and may complement them with further details as appropriate.

Link

Retour au sommaire
arrow_back Previous Article Article 9 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-101/01 (6 November 2003) - Lindqvist

1.    The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes ‘the processing of personal data wholly or partly by automatic means’ within the meaning of Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2.    Such processing of personal data is not covered by any of the exceptions in Article 3(2) of Directive 95/46.

3.    Reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.

4.    There is no ‘transfer [of data] to a third country’ within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.

5.    The provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.

6.    Measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.

Opinion of Advocate general

Judgment of the Court

C-141/12 ; C-372/12 (17 July 2014) - YS e.a.

1.      Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the data relating to an applicant for a residence permit contained in an administrative document, such as the ‘minute’ at issue in the main proceedings, setting out the grounds that the case officer puts forward in support of the draft decision which he is responsible for drawing up in the context of the procedure prior to the adoption of a decision concerning the application for such a permit and, where relevant, the data in the legal analysis contained in that document, are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so classified.

2.      Article 12(a) of Directive 95/46 and Article 8(2) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that an applicant for a residence permit has a right of access to all personal data concerning him which are processed by the national administrative authorities within the meaning of Article 2(b) of that directive. For that right to be complied with, it is sufficient that the applicant be in possession of a full summary of those data in an intelligible form, that is to say a form which allows that applicant to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him by that directive.

3.      Article 41(2)(b) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that the applicant for a residence permit cannot rely on that provision against the national authorities.

Opinion of Advocate general

Judgment of the Court

C-136/17 (24 September 2019) - GC and Others (De-referencing of sensitive data)

 1.The provisions of Article 8(1) and (5) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the prohibition or restrictions relating to the processing of special categories of personal data, mentioned in those provisions, apply also, subject to the exceptions provided for by the directive, to the operator of a search engine in the context of his responsibilities, powers and capabilities as the controller of the processing carried out in connection with the activity of the search engine, on the occasion of a verification performed by that operator, under the supervision of the competent national authorities, following a request by the data subject.

2.   The provisions of Article 8(1) and (5) of Directive 95/46 must be interpreted as meaning that the operator of a search engine is in principle required by those provisions, subject to the exceptions provided for by the directive, to accede to requests for de-referencing in relation to links to web pages containing personal data falling within the special categories referred to by those provisions.

Article 8(2)(e) of Directive 95/46 must be interpreted as meaning that, pursuant to that article, such an operator may refuse to accede to a request for de-referencing if he establishes that the links at issue lead to content comprising personal data falling within the special categories referred to in Article 8(1) but whose processing is covered by the exception in Article 8(2)(e) of the directive, provided that the processing satisfies all the other conditions of lawfulness laid down by the directive, and unless the data subject has the right under Article 14(a) of the directive to object to that processing on compelling legitimate grounds relating to his particular situation.

The provisions of Directive 95/46 must be interpreted as meaning that, where the operator of a search engine has received a request for de-referencing relating to a link to a web page on which personal data falling within the special categories referred to in Article 8(1) or (5) of Directive 95/46 are published, the operator must, on the basis of all the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject’s fundamental rights to privacy and protection of personal data laid down in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, ascertain, having regard to the reasons of substantial public interest referred to in Article 8(4) of the directive and in compliance with the conditions laid down in that provision, whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search, protected by Article 11 of the Charter.

3.  The provisions of Directive 95/46 must be interpreted as meaning that

  •  first, information relating to legal proceedings brought against an individual and, as the case may be, information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46, and
  •  second, the operator of a search engine is required to accede to a request for de-referencing relating to links to web pages displaying such information, where the information relates to an earlier stage of the legal proceedings in question and, having regard to the progress of the proceedings, no longer corresponds to the current situation, in so far as it is established in the verification of the reasons of substantial public interest referred to in Article 8(4) of Directive 95/46 that, in the light of all the circumstances of the case, the data subject’s fundamental rights guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union override the rights of potentially interested internet users protected by Article 11 of the Charter

Opinion of Advocate general 

Judgement of the Court

C-184/20 (1 October 2022), Vyriausioji tarnybinės etikos komisija

1.      Article 7(c) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and point (c) of the first subparagraph of Article 6(1) and Article 6(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in the light of Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation that provides for the publication online of the declaration of private interests that any head of an establishment receiving public funds is required to lodge, in so far as, in particular, that publication concerns name-specific data relating to his or her spouse, cohabitee or partner, or to persons who are close relatives of the declarant, or are known by him or her, liable to give rise to a conflict of interests, or concerns any transaction concluded during the last 12 calendar months the value of which exceeds EUR 3 000.

2.      Article 8(1) of Directive 95/46 and Article 9(1) of Regulation 2016/679 must be interpreted as meaning that the publication, on the website of the public authority responsible for collecting and checking the content of declarations of private interests, of personal data that are liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data, for the purpose of those provisions.

Judgment of the court

Opinion of the advocate general

C-252/21 (4 July 2023), Meta Platforms e.a. (General terms and conditions of use of a social network)

1.      Article 51 et seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as well as Article 4(3) TEU

must be interpreted as meaning that, subject to compliance with its duty of sincere cooperation with the supervisory authorities, a competition authority of a Member State can find, in the context of the examination of an abuse of a dominant position by an undertaking within the meaning of Article 102 TFEU, that that undertaking’s general terms of use relating to the processing of personal data and the implementation thereof are not consistent with that regulation, where that finding is necessary to establish the existence of such an abuse.

In view of this duty of sincere cooperation, the national competition authority cannot depart from a decision by the competent national supervisory authority or the competent lead supervisory authority concerning those general terms or similar general terms. Where it has doubts as to the scope of such a decision, where those terms or similar terms are, simultaneously, under examination by those authorities, or where, in the absence of an investigation or decision by those authorities, the competition authority takes the view that the terms in question are not consistent with Regulation 2016/679, it must consult and seek the cooperation of those supervisory authorities in order to dispel its doubts or to determine whether it must wait for them to take a decision before starting its own assessment. In the absence of any objection on their part or of any reply within a reasonable time, the national competition authority may continue its own investigation;

2.      Article 9(1) of Regulation 2016/679

must be interpreted as meaning that, where the user of an online social network visits websites or apps to which one or more of the categories referred to in that provision relate and, as the case may be, enters information into them when registering or when placing online orders, the processing of personal data by the operator of that online social network, which entails the collection – by means of integrated interfaces, cookies or similar storage technologies – of data from visits to those sites and apps and of the information entered by the user, the linking of all those data with the user’s social network account and the use of those data by that operator, must be regarded as ‘processing of special categories of personal data’ within the meaning of that provision, which is in principle prohibited, subject to the derogations provided for in Article 9(2), where that data processing allows information falling within one of those categories to be revealed, irrespective of whether that information concerns a user of that network or any other natural person;

3.      Article 9(2)(e) of Regulation 2016/679

must be interpreted as meaning that, where the user of an online social network visits websites or apps to which one or more of the categories set out in Article 9(1) of that regulation relate, the user does not manifestly make public, within the meaning of the first of those provisions, the data relating to those visits collected by the operator of that online social network via cookies or similar storage technologies;

Where he or she enters information into such websites or apps or where he or she clicks or taps on buttons integrated into those sites and apps, such as the ‘Like’ or ‘Share’ buttons or buttons enabling the user to identify himself or herself on those sites or apps using login credentials linked to his or her social network user account, his or her telephone number or email address, that user manifestly makes public, within the meaning of Article 9(2)(e), the data thus entered or resulting from the clicking or tapping on those buttons only in the circumstance where he or she has explicitly made the choice beforehand, as the case may be on the basis of individual settings selected with full knowledge of the facts, to make the data relating to him or her publicly accessible to an unlimited number of persons;

4.      Point (b) of the first subparagraph of Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, can be regarded as necessary for the performance of a contract to which the data subjects are party, within the meaning of that provision, only on condition that the processing is objectively indispensable for a purpose that is integral to the contractual obligation intended for those users, such that the main subject matter of the contract cannot be achieved if that processing does not occur;

5.      Point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, can be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, within the meaning of that provision, only on condition that the operator has informed the users from whom the data have been collected of a legitimate interest that is pursued by the data processing, that such processing is carried out only in so far as is strictly necessary for the purposes of that legitimate interest and that it is apparent from a balancing of the opposing interests, having regard to all the relevant circumstances, that the interests or fundamental freedoms and rights of those users do not override that legitimate interest of the controller or of a third party;

6.      Point (c) of the first subparagraph of Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, is justified, under that provision, where it is actually necessary for compliance with a legal obligation to which the controller is subject, pursuant to a provision of EU law or the law of the Member State concerned, where that legal basis meets an objective of public interest and is proportionate to the legitimate aim pursued and where that processing is carried out only in so far as is strictly necessary;

7.      Points (d) and (e) of the first subparagraph of Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, cannot, in principle and subject to verification by the referring court, be regarded as necessary in order to protect the vital interests of the data subject or of another natural person, within the meaning of point (d), or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, within the meaning of point (e);

8.      Point (a) of the first subparagraph of Article 6(1) and Article 9(2)(a) of Regulation 2016/679

must be interpreted as meaning that the fact that the operator of an online social network holds a dominant position on the market for online social networks does not, as such, preclude the users of such a network from being able validly to consent, within the meaning of Article 4(11) of that regulation, to the processing of their personal data by that operator. This is nevertheless an important factor in determining whether the consent was in fact validly and, in particular, freely given, which it is for that operator to prove.

Décision of the Court

Opinion of the advocate general

C-667/21,  ZQ contre Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts (21 décembre 2023)

(English not available yet)

1)      L’article 9, paragraphe 2, sous h), du règlement (UE) 2016/679 du Parlement européen et du Conseil, du 27 avril 2016, relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la protection des données),

doit être interprété en ce sens que :

l’exception prévue à cette disposition est applicable aux situations dans lesquelles un organisme de contrôle médical traite des données concernant la santé de l’un de ses employés en qualité non pas d’employeur, mais de service médical, afin d’apprécier la capacité de travail de cet employé, sous réserve que le traitement concerné satisfasse aux conditions et garanties expressément imposées par ce point h) et par le paragraphe 3 dudit article 9.

2)      L’article 9, paragraphe 3, du règlement 2016/679

doit être interprété en ce sens que :

le responsable d’un traitement de données concernant la santé, fondé sur l’article 9, paragraphe 2, sous h), de ce règlement, n’est pas tenu, en vertu de ces dispositions, de garantir qu’aucun collègue de la personne concernée ne peut accéder aux données se rapportant à l’état de santé de celle‑ci. Toutefois, une telle obligation peut s’imposer au responsable d’un tel traitement soit en vertu d’une réglementation adoptée par un État membre sur la base de l’article 9, paragraphe 4, dudit règlement, soit au titre des principes d’intégrité et de confidentialité énoncés à l’article 5, paragraphe 1, sous f), du même règlement et concrétisés à l’article 32, paragraphe 1, sous a) et b), de celui-ci.

3)      L’article 9, paragraphe 2, sous h), et l’article 6, paragraphe 1, du règlement 2016/679

doivent être interprétés en ce sens que :

un traitement de données concernant la santé fondé sur cette première disposition doit, afin d’être licite, non seulement respecter les exigences découlant de celle‑ci, mais aussi remplir au moins l’une des conditions de licéité énoncées à cet article 6, paragraphe 1.

4)      L’article 82, paragraphe 1, du règlement 2016/679

doit être interprété en ce sens que :

le droit à réparation prévu à cette disposition remplit une fonction compensatoire, en ce qu’une réparation pécuniaire fondée sur ladite disposition doit permettre de compenser intégralement le préjudice concrètement subi du fait de la violation de ce règlement, et non une fonction dissuasive ou punitive.

5)      L’article 82 du règlement 2016/679

doit être interprété en ce sens que :

d’une part, l’engagement de la responsabilité du responsable du traitement est subordonné à l’existence d’une faute commise par celui‑ci, laquelle est présumée à moins que ce dernier prouve que le fait qui a provoqué le dommage ne lui est nullement imputable, et, d’autre part, cet article 82 ne requiert pas que le degré de gravité de cette faute soit pris en compte lors de la fixation du montant des dommages‑intérêts alloués en réparation d’un préjudice moral sur le fondement de cette disposition.

Decision of the Court (FR)

Opinion of the advocate general
 

C-204/21 (5 June 2023) - Commission / Pologne (Indépendance et vie privée des juges)

1.      Declares that by conferring on the Disciplinary Chamber of the Sąd Najwyższy (Supreme Court, Poland), whose independence and impartiality are not guaranteed, jurisdiction to hear and determine cases having a direct impact on the status of judges and trainee judges and the performance of their office, such as, on the one hand, applications for authorisation to initiate criminal proceedings against judges and trainee judges or to detain them and, on the other hand, cases relating to employment and social security law that concern judges of the Sąd Najwyższy (Supreme Court) and cases relating to the compulsory retirement of those judges, the Republic of Poland has failed to fulfil its obligations under the second subparagraph of Article 19(1) TEU;

2.      Declares that by adopting and maintaining in force points 2 and 3 of Article 107(1) of the ustawa – Prawo o ustroju sądów powszechnych (Law relating to the organisation of the ordinary courts) of 27 July 2001, as amended by the ustawa o zmianie ustawy – Prawo o ustroju sądów powszechnych, ustawy o Sądzie Najwyższym oraz niektórych innych ustaw (Law amending the Law relating to the organisation of the ordinary courts, the Law on the Supreme Court and certain other laws) of 20 December 2019, and of points 1 to 3 of Article 72(1) of the ustawa o Sądzie Najwyższym (Law on the Supreme Court) of 8 December 2017, as amended by that law of 20 December 2019, which allow the examination of compliance with the EU requirements relating to an independent and impartial tribunal previously established by law to be classified as a disciplinary offence, the Republic of Poland has failed to fulfil its obligations under the second subparagraph of Article 19(1) TEU, read in conjunction with Article 47 of the Charter of Fundamental Rights of the European Union, and under Article 267 TFEU;

3.      Declares that by adopting and maintaining in force Article 42a(1) and (2) and Article 55(4) of the Law relating to the organisation of the ordinary courts, as amended by the abovementioned law of 20 December 2019, Article 26(3) and Article 29(2) and (3) of the Law on the Supreme Court, as amended by that law of 20 December 2019, Article 5(1a) and (1b) of the ustawa – Prawo o ustroju sądów administracyjnych (Law relating to the organisation of the administrative courts) of 25 July 2002, as amended by the law of 20 December 2019, and Article 8 of the law of 20 December 2019, prohibiting any national court from verifying compliance with the requirements stemming from EU law relating to the guarantee of an independent and impartial tribunal previously established by law, the Republic of Poland has failed to fulfil its obligations under the second subparagraph of Article 19(1) TEU, read in conjunction with Article 47 of the Charter of Fundamental Rights, and under the principle of the primacy of EU law;

4.      Declares that by adopting and maintaining in force Article 26(2) and (4) to (6) and Article 82(2) to (5) of the Law on the Supreme Court, as amended by the abovementioned law of 20 December 2019, and Article 10 of the law of 20 December 2019, which establish the exclusive jurisdiction of the Izba Kontroli Nadzwyczajnej i Spraw Publicznych (Extraordinary Review and Public Affairs Chamber) of the Sąd Najwyższy (Supreme Court) to examine complaints and questions of law concerning the lack of independence of a court or a judge, the Republic of Poland has failed to fulfil its obligations under the second subparagraph of Article 19(1) TEU, read in conjunction with Article 47 of the Charter, and under Article 267 TFEU and the principle of the primacy of EU law;

5.      Declares that by adopting and maintaining in force Article 88a of the amended Law relating to the organisation of the ordinary courts, as amended by the law of 20 December 2019, Article 45(3) of the Law on the Supreme Court, as amended by the law of 20 December 2019, and Article 8(2) of the Law relating to the organisation of the administrative courts, as amended by the law of 20 December 2019, the Republic of Poland has infringed the right to respect for private life and the right to protection of personal data, guaranteed by Article 7 and Article 8(1) of the Charter of Fundamental Rights and by points (c) and (e) of the first subparagraph of Article 6(1), Article 6(3) and Article 9(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

6.      Dismisses the action as to the remainder;

7.      Orders the Republic of Poland to bear its own costs and to pay those incurred by the European Commission, including those relating to the proceedings for interim relief;

8.      Orders the Kingdom of Belgium, the Kingdom of Denmark, the Kingdom of the Netherlands, the Republic of Finland, and the Kingdom of Sweden to bear their own costs.

Judgment of the Court 
Opinion of Advocate General 

C-446/21 (4 October 2024)  - Schrems (Communication de données au grand public)

1.      Article 5(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that the principle of data minimisation provided for therein precludes any personal data obtained by a controller, such as the operator of an online social network platform, from the data subject or third parties and collected either on or outside that platform, from being aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data.

2.      Article 9(2)(e) of Regulation 2016/679

must be interpreted as meaning that the fact that a person has made a statement about his or her sexual orientation on the occasion of a panel discussion open to the public does not authorise the operator of an online social network platform to process other data relating to that person’s sexual orientation, obtained, as the case may be, outside that platform using partner third-party websites and apps, with a view to aggregating and analysing those data, in order to offer that person personalised advertising.

Judgment of the Court 
Opinion of Advocate General 

C-21/23 (4 October 2024 ) - Lindenapotheke

1.      The provisions of Chapter VIII of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as not precluding national legislation which, alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing that regulation and the remedies available to data subjects, confers on competitors of the person allegedly responsible for an infringement of the laws protecting personal data standing to bring proceedings against that person, by means of an action before the civil courts, for infringements of that regulation and on the basis of the prohibition of unfair commercial practices.

2.      Article 8(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and Article 9(1) of Regulation 2016/679,

must be interpreted as meaning that, in a situation where the operator of a pharmacy markets pharmacy-only medicinal products on an online platform, the information which the customers of that operator enter when ordering the medicinal products online, such as their name, the delivery address and the details required for individualising the medicinal products, constitutes data concerning health, within the meaning of those provisions, even where the sale of those medicinal products does not require a prescription.

Judgment of the Court 
Opinion of Advocate General 

C-492/23 (2 December 2025) - Russmedia Digital and Inform Media Press

1. Article 5(2) and Articles 24 to 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that the operator of an online marketplace, as controller, within the meaning of Article 4(7) of that regulation, of the personal data contained in advertisements published on its online marketplace, is required, before the publication of the advertisements and by means of appropriate technical and organisational measures,

– to identify the advertisements that contain sensitive data in terms of Article 9(1) of that regulation,

– to verify whether the user advertiser preparing to place such an advertisement is the person whose sensitive data appear in that advertisement and, if this is not the case,

– to refuse publication of that advertisement, unless that user advertiser can demonstrate that the data subject has given his or her explicit consent to the data in question being published on that online marketplace, within the meaning of Article 9(2)(a), or that one of the other exceptions provided for in Article 9(2)(b) to (j) is satisfied.

2. Article 32 of Regulation 2016/679 must be interpreted as meaning that the operator of an online marketplace, as controller, within the meaning of Article 4(7) of that regulation, of the personal data contained in advertisements published on its online marketplace, is required to implement appropriate technical and organisational security measures in order to prevent advertisements published there and containing sensitive data, in terms of Article 9(1) of that regulation, from being copied and unlawfully published on other websites. 

Opinion of the Advocate General

Judgment of the Court

 

Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 9 Next Article arrow_forward
Regulation
1e 2e

Art. 9

1.   Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2.   Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3.   Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4.   Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.-
1st proposal close

Art. 9

1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.

2. Paragraph 1 shall not apply where:

(a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

(e) the processing relates to personal data which are manifestly made public by the data subject; or

(f) processing is necessary for the establishment, exercise or defence of legal claims; or

(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests; or

(h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or

(i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or

(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.

 
2nd proposal close

Art 9

1. The processing of personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life (…) shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies (…)
(a) the data subject has given explicit consent to the processing of those personal data (…), except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union law or Member State law or a collective agreement pursuant to Member State law providing for adequate safeguards;  or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent ; or

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non- profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

(e) the processing relates to personal data which are manifestly made public by the data subject (...); or

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity ; or

(g) processing is necessary for (...) reasons of public interest, on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests; or

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union law or Member State law or pursuant to contract with a health  professional and subject to the conditions and safeguards referred to in paragraph 4 ; or

(ha) (...);

(hb) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality  and safety of health care and of medicinal products or medical devices, on the basis of Union law or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject; or

(i) processing is necessary for archiving purposes in the public interest or

historical, statistical or scientific (...) purposes and subject to the conditions and safeguards laid down in Union or Member State law, including those referred to in Article 83.

(j) (...)

3. (...)

4. Personal data referred to in paragraph 1 may on the basis of Union or Member State law be processed for the purposes referred to in point (h) (...) of paragraph 2 when those data are processed by or under the responsibility of a (...) professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4a. (...).

5. Member States may maintain or introduce more specific provisions with regard to genetic data or health data. This includes the possibility for Member States to (...) introduce further conditions for the processing of these data.
Directive close

Art. 8

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

2. Paragraph 1 shall not apply where:

(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or

(b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or

(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.

3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.

5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.

Member States may provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority.

6. Derogations from paragraph 1 provided for in paragraphs 4 and 5 shall be notified to the Commission.

7. Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed.
Netherlands
compare_arrows

Uitvoeringswet Algemene verordening gegevensbescherming

 

Artikel 22

1 Overeenkomstig artikel 9, eerste lid, van de verordening zijn verwerking van persoonsgegevens waaruit ras of etnische afkomst, politieke opvattingen, religieuze of levensbeschouwelijke overtuigingen, of het lidmaatschap van een vakbond blijken, en verwerking van genetische gegevens, biometrische gegevens met het oog op de unieke identificatie van een persoon, of gegevens over gezondheid, of gegevens met betrekking tot iemands seksueel gedrag of seksuele gerichtheid verboden.

2 Overeenkomstig artikel 9, tweede lid, onderdelen a, c, d, e en f, van de verordening is het verbod om bijzondere categorieën van persoonsgegevens te verwerken niet van toepassing, indien:

a. de betrokkene uitdrukkelijke toestemming heeft gegeven voor de verwerking van die persoonsgegevens voor een of meer welbepaalde doeleinden;

b. de verwerking noodzakelijk is ter bescherming van de vitale belangen van de betrokkene of van een andere natuurlijke persoon, indien de betrokkene fysiek of juridisch niet in staat is zijn toestemming te geven;

c. de verwerking wordt verricht door een stichting, een vereniging of een andere instantie zonder winstoogmerk die op politiek, levensbeschouwelijk, godsdienstig of vakbondsgebied werkzaam is, in het kader van haar gerechtvaardigde activiteiten en met passende waarborgen, mits de verwerking uitsluitend betrekking heeft op de leden of de voormalige leden van de instantie of op personen die in verband met haar doeleinden regelmatig contact met haar onderhouden, en de persoonsgegevens niet zonder de toestemming van de betrokkenen buiten die instantie worden verstrekt;

d. de verwerking betrekking heeft op persoonsgegevens die kennelijk door de betrokkene openbaar zijn gemaakt; of

e. de verwerking noodzakelijk is voor de instelling, uitoefening of onderbouwing van een rechtsvordering, of wanneer gerechten handelen in het kader van hun rechtsbevoegdheid.

 

Artikel 23

Gelet op artikel 9, tweede lid, onderdeel g, van de verordening, is het verbod om bijzondere categorieën van persoonsgegevens te verwerken niet van toepassing, indien:

a. de verwerking noodzakelijk is ter voldoening aan een volkenrechtelijke verplichting;

b. de gegevens worden verwerkt door de Autoriteit persoonsgegevens of een ombudsman als bedoeld in artikel 9:17 van de Algemene wet bestuursrecht, en voor zover de verwerking noodzakelijk is voor de uitvoering van de hun wettelijk opgedragen taken, onder voorwaarde dat bij die uitvoering is voorzien in zodanige waarborgen dat de persoonlijke levenssfeer van de betrokkene niet onevenredig wordt geschaad; of

c. de verwerking noodzakelijk is in aanvulling op de verwerking van persoonsgegevens van strafrechtelijke aard voor de doeleinden waarvoor deze gegevens worden verwerkt.

 

Artikel 24 

Gelet op artikel 9, tweede lid, onderdeel j, van de verordening, is het verbod om bijzondere categorieën van persoonsgegevens te verwerken niet van toepassing, indien:

a. de verwerking noodzakelijk is met het oog op wetenschappelijk of historisch onderzoek of statistische doeleinden overeenkomstig artikel 89, eerste lid, van de verordening;

b. het onderzoek, bedoeld in onderdeel a, een algemeen belang dient;

c. het vragen van uitdrukkelijke toestemming onmogelijk blijkt of een onevenredige inspanning kost; en

d. bij de uitvoering is voorzien in zodanige waarborgen dat de persoonlijke levenssfeer van de betrokkene niet onevenredig wordt geschaad.

 

Artikel 25

Gelet op artikel 9, tweede lid, onderdeel g, van de verordening, is het verbod om persoonsgegevens te verwerken waaruit ras of etnische afkomst blijkt, niet van toepassing, indien de verwerking geschiedt:

a. met het oog op de identificatie van de betrokkene, en slechts voor zover de verwerking voor dat doel onvermijdelijk is; of

b. met het doel personen van een bepaalde etnische of culturele minderheidsgroep een bevoorrechte positie toe te kennen teneinde feitelijke nadelen, verband houdende met de grond ras of etnische afkomst, op te heffen of te verminderen, en slechts voor zover:

1°.de verwerking voor dat doel noodzakelijk is;

2°.de gegevens betrekking hebben op het geboorteland van de betrokkene, diens ouders of diens grootouders, dan wel op andere, bij wet vastgestelde criteria op grond waarvan op objectieve wijze vastgesteld kan worden of iemand tot een bepaalde etnische of culturele minderheidsgroep behoort; en

3°.de betrokkene tegen de verwerking geen schriftelijk bezwaar heeft gemaakt.

 

Artikel 26

Gelet op artikel 9, tweede lid, onderdeel g, van de verordening, is het verbod om persoonsgegevens te verwerken waaruit politieke opvattingen blijken, niet van toepassing, indien de verwerking geschiedt met het oog op de eisen die met betrekking tot politieke opvattingen in redelijkheid kunnen worden gesteld in verband met de vervulling van functies in bestuursorganen en adviescolleges.

 

Artikel 27

1 Gelet op artikel 9, tweede lid, onderdeel g, van de verordening, is het verbod om persoonsgegevens te verwerken waaruit religieuze of levensbeschouwelijke overtuigingen blijken, niet van toepassing, indien de verwerking geschiedt door andere instellingen dan de instellingen, bedoeld in artikel 22, tweede lid, onderdeel c, en voor zover de verwerking noodzakelijk is met het oog op de geestelijke verzorging van de betrokkene, tenzij deze daartegen schriftelijk bezwaar heeft gemaakt.

2 In de gevallen, bedoeld in het eerste lid, worden geen persoonsgegevens aan derden verstrekt zonder toestemming van de betrokkene.

 

Artikel 28

1 Gelet op artikel 9, tweede lid, onderdeel g, van de verordening, is het verbod om genetische gegevens te verwerken niet van toepassing, indien deze verwerking plaatsvindt met betrekking tot de betrokkene bij wie de desbetreffende gegevens zijn verkregen.

2 In andere gevallen dan bedoeld in het eerste lid, is het verbod om genetische gegevens te verwerken uitsluitend niet van toepassing, indien:

a.een zwaarwegend geneeskundig belang prevaleert; of

b.de verwerking noodzakelijk is ten behoeve van wetenschappelijk onderzoek dat een algemeen belang dient of ten behoeve van statistiek, indien:

1°.de betrokkene uitdrukkelijke toestemming heeft gegeven; en

2°.bij de uitvoering is voorzien in zodanige waarborgen dat de persoonlijke levenssfeer van de betrokkene niet onevenredig wordt geschaad.

3 Toestemming als bedoeld in het tweede lid, onderdeel b, is niet vereist, indien het vragen van uitdrukkelijke toestemming onmogelijk blijkt of een onevenredige inspanning vergt.

 

Artikel 29

Gelet op artikel 9, tweede lid, onderdeel g, van de verordening, is het verbod om biometrische gegevens met het oog op de unieke identificatie van een persoon te verwerken niet van toepassing, indien de verwerking noodzakelijk is voor authenticatie of beveiligingsdoeleinden.

 

Artikel 30

1 Gelet op artikel 9, tweede lid, onderdeel b, van de verordening, is het verbod om gegevens over gezondheid te verwerken niet van toepassing, indien de verwerking geschiedt door bestuursorganen, pensioenfondsen, werkgevers of instellingen die te hunnen behoeve werkzaam zijn, en voor zover de verwerking noodzakelijk is voor:

a. een goede uitvoering van wettelijke voorschriften, pensioenregelingen of collectieve arbeidsovereenkomsten die voorzien in aanspraken die afhankelijk zijn van de gezondheidstoestand van de betrokkene; of

b. de re-integratie of begeleiding van werknemers of uitkeringsgerechtigden in verband met ziekte of arbeidsongeschiktheid.

2 Gelet op artikel 9, tweede lid, onderdeel g, van de verordening, is het verbod om gegevens over gezondheid te verwerken niet van toepassing, indien de verwerking geschiedt door:

a. scholen, voor zover de verwerking met het oog op de speciale begeleiding van leerlingen of het treffen van bijzondere voorzieningen in verband met hun gezondheidstoestand noodzakelijk is;

b. een reclasseringsinstelling, een bijzondere reclasseringsambtenaar, de raad voor de kinderbescherming, de gecertificeerde instelling, bedoeld in artikel 1.1 van de Jeugdwet, of de rechtspersoon, bedoeld in artikel 256, eerste lid, of artikel 302, tweede lid, van Boek 1 van het Burgerlijk Wetboek, voor zover de verwerking noodzakelijk is voor de uitvoering van de aan hen opgedragen wettelijke taken; of

c. Onze Minister en Onze Minister van Justitie en Veiligheid voor zover de verwerking in verband met de tenuitvoerlegging van vrijheidsbenemende maatregelen noodzakelijk is.

3 Gelet op artikel 9, tweede lid, onderdeel h, van de verordening, is het verbod om gegevens over gezondheid te verwerken niet van toepassing indien de verwerking geschiedt door:

a. hulpverleners, instellingen of voorzieningen voor gezondheidszorg of maatschappelijke dienstverlening, voor zover de verwerking noodzakelijk is met het oog op een goede behandeling of verzorging van de betrokkene dan wel het beheer van de betreffende instelling of beroepspraktijk; of

b. verzekeraars als bedoeld in artikel 1:1 van de Wet op het financieel toezicht of financiële dienstverleners die bemiddelen in verzekeringen als bedoeld in artikel 1:1 van die wet, voor zover de verwerking noodzakelijk is voor:

1°. de beoordeling van het door de verzekeraar te verzekeren risico en de betrokkene geen bezwaar heeft gemaakt; of

2°. de uitvoering van de overeenkomst van verzekering dan wel het assisteren bij het beheer en de uitvoering van de verzekering.

4 Indien toepassing wordt gegeven aan het eerste, tweede of derde lid, worden de gegevens alleen verwerkt door personen die uit hoofde van ambt, beroep of wettelijk voorschrift dan wel krachtens een overeenkomst tot geheimhouding zijn verplicht. Indien de verwerkingsverantwoordelijke persoonlijk gegevens verwerkt en op hem niet reeds uit hoofde van ambt, beroep of wettelijk voorschrift een geheimhoudingsplicht rust, is hij verplicht tot geheimhouding van de gegevens, behoudens voor zover de wet hem tot mededeling verplicht of uit zijn taak de noodzaak voortvloeit dat de gegevens worden meegedeeld aan anderen die krachtens het eerste, tweede of derde lid bevoegd zijn tot verwerking daarvan.

5 Het verbod om andere bijzondere categorieën van persoonsgegevens te verwerken is niet van toepassing, indien de verwerking noodzakelijk is in aanvulling op de verwerking van gegevens over gezondheid, bedoeld in het derde lid, aanhef en onderdeel a, met het oog op een goede behandeling of verzorging van de betrokkene.

6 Bij algemene maatregel van bestuur kunnen omtrent de toepassing van het eerste lid en het derde lid, aanhef en onderdeel b, nadere regels worden gesteld.

 
arrow_back Previous ArticleArticle 9 Next Article arrow_forward
close

2016 - www.itiplaw.eu.