Article 9
Processing of special categories of personal data

Official
Texts
Guidelines Caselaw Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 9 keyboard_arrow_down Hide the recitals of the Regulation related to article 9 keyboard_arrow_up

(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council, namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Show the recitals of the Directive related to article 9 keyboard_arrow_down Hide the recitals of the Directive related to article 9 keyboard_arrow_up

(33) Whereas data which are capable by their nature of infringing fundamental freedoms or privacy should not be processed unless the data subject gives his explicit consent; whereas, however, derogations from this prohibition must be explicitly provided for in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy or in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms;

(34) Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection - especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system - scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals;

(35) Whereas, moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognized religious associations is carried out on important grounds of public interest;

(36) Whereas where, in the course of electoral activities, the operation of the democratic system requires in certain Member States that political parties compile data on people's political opinion, the processing of such data may be permitted for reasons of important public interest, provided that appropriate safeguards are established;

The GDPR

Article 9 of the Regulation is based on Article 8 of the Directive, in that it prohibits the processing of sensitive data on the grounds that they deserve specific protection, given the significant risks to the fundamental rights and freedoms inherent in  their processing.

The prohibition covers in general:

- The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership;

- The processing of genetic data and biometric data  in order to identify an individual uniquely ;

- Processing of data concerning health or data concerning sex life or sexual orientation of an individual.

Recital  51  of the Regulations specifies that in case of derogations to the prohibition to process sensitive data, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing.

The concept of "sensitive data" within the meaning of Article 9 of the Regulation has been subject to new developments, given the significant technological developments. So, the prohibition of processing covers, besides the data revealing racial or ethnic origin, political opinions, religion, philosophical beliefs or trade union membership, health or sexual life:

- genetic data: they are defined in Article 4 (13) as personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

- biometric data: they are defined in Article 4 (14) as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; .

It should be noted that the data concerning health receive a specific definition in Article 4 (15) as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

The Regulation includes the exceptions already contained in the Directive by sometimes extending or limiting their scope (explicit consent; employment law and social security law provided that the processing is based on a law of the Union or of a member State or a collective agreement, human life safety, non-profit association, data made public by the data subject, finding, defence, exercise or determination of a legal right, preventive medicine or for substantial reasons of public interest).

The Regulation, however, introduces new derogations:

- for processing necessary for reasons of public interest in the field of public health (see Art. 9,  (2)  i), such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

- for processing necessary for archiving in the public interest or scientific or historical research purposes or statistical purposes  in accordance with Article  89  and based on Union or Member State law (see Art. 9, (2), j)). The final version of the Regulation stipulates that the processing should be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The "sensitive" data referred to in paragraph 1  can be processed for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care within the meaning of Article 9 (2), h), provided that they are processed by or under the responsibility of a professional or by or under the supervision of another person subject to professional secrecy (see Art. 9, (3 )).

Ultimately, the Member States may maintain or introduce more specific provisions; including restrictions regarding genetic, biometric or health-related data (see Article 9 (4)).

The Directive

The first paragraph of article 8 of the Directive provided a general prohibition to process the so-called “sensitive” data, except with data subject’s explicit consent. The paragraph covers the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life.

The EU legislature had considered that, insofar as these data, by their nature, infringe fundamental freedoms or privacy, they should not be the subject of processing.

This was, however, a relative prohibition. The second paragraph of article 8 of the Directive provided for various exceptions to the general prohibition to process such data.

The first exception to the principle prohibiting processing, for which the data subject has given his or her explicit consent to processing (Art. 8, paragraph 2 a) (see in this regard G29, Opinion 15/2011 on the definition of consent, WP 187).

In addition, several exceptions have been introduced to meet specific needs such as the processing needed to safety of life (Article 8,  2, c)); processing involving data which are made public by the data subject (Article 8, 2, e)); processing necessary for the  establishment, exercise or defence of legal claims (Article 8, 2 e); processing necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services (Art. 8, 3)).

The processing needed for the purposes of complying with the obligations and the specific rights of the controller in the field of employment law (Art. 8, 2, b)).

There is also an exception from the prohibition for processing carried out by a foundation, an association or any other non-profit organization with a political, philosophical, religious or trade-union aim. The exception applies only to the processing of data relating to the members of such organization or the persons being in regular contact with such organization (Art. 8, 2, f)).

The Directive provided, under certain conditions, an exception to the processing of data relating to offences, criminal convictions or security measures (Art. 8, 5). To the extent that the future Regulations provide a specific provision for these cases of processing, we will examine them in more detail in the commentary on Article 9a. 

In addition to the exceptions expressly contained in the Directive, Article 8, paragraph 4 authorised the Member States to lay down additional exemptions for reasons of substantial public interest, either by national law or by decision of the supervisory authority. These additional exemptions must still be notified to the European Commission (Art. 8, paragraph 4).

Potential issues

For different purposes or types of data, the Member States reserve a substantial degree of flexibility in the determination of exceptions which must be based on specific legislation taken by that state. Significant differences may therefore still occur between the states, which undermines the goal of full harmonization of the law on personal data protection pursued by the Regulation.

Summary

European Union

European Union

European data protection board (EDPB)

Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak - 3/2020 (21 April 2020)

Link

Retour au sommaire

Article 29 Working Party

Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 - wp251rev.01 (6 february 2018)

(Endorsed by the EDPB)

The General Data Protection Regulation (the GDPR), specifically addresses profiling and automated individual decision-making, including profiling.

Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Banking and finance, healthcare, taxation, insurance, marketing and advertising are just a few examples of the fields where profiling is being carried out more regularly to aid decision-making.

Advances in technology and the capabilities of big data analytics, artificial intelligence and machine learning have made it easier to create profiles and make automated decisions with the potential to significantly impact individuals’ rights and freedoms.

The widespread availability of personal data on the internet and from Internet of Things (IoT) devices, and the ability to find correlations and create links, can allow aspects of an individual’s personality or behaviour, interests and habits to be determined, analysed and predicted.

Profiling and automated decision-making can be useful for individuals and organisations, delivering benefits such as:

  • increased efficiencies; and
  • resource savings.

They have many commercial applications, for example, they can be used to better segment markets and tailor services and products to align with individual needs. Medicine, education, healthcare and transportation can also all benefit from these processes.

However, profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards.

These processes can be opaque. Individuals might not know that they are being profiled or understand what is involved.

Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. In some cases, profiling can lead to inaccurate predictions. In other cases it can lead to denial of services and goods and unjustified discrimination.

The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of these guidelines is to clarify those provisions.

This document covers:

  • Definitions of profiling and automated decision-making and the GDPR approach to these in general – Chapter II
  • General provisions on profiling and automated decision-making – Chapter III
  • Specific provisions on solely automated decision-making defined in Article 22 - Chapter IV
  • Children and profiling – Chapter V
  • Data protection impact assessments and data protection officers– Chapter VI

The Annexes provide best practice recommendations, building on the experience gained in EU Member States.

The Article 29 Data Protection Working Party (WP29) will monitor the implementation of these guidelines and may complement them with further details as appropriate.

Link

Retour au sommaire

Summary

European Union

European Union

CJEU caselaw

C-101/01 (6 November 2003) - Lindqvist

1.    The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes ‘the processing of personal data wholly or partly by automatic means’ within the meaning of Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2.    Such processing of personal data is not covered by any of the exceptions in Article 3(2) of Directive 95/46.

3.    Reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.

4.    There is no ‘transfer [of data] to a third country’ within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.

5.    The provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.

6.    Measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.

Opinion of Advocate general

Judgment of the Court

C-141/12 ; C-372/12 (17 July 2014) - YS e.a.

1.      Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the data relating to an applicant for a residence permit contained in an administrative document, such as the ‘minute’ at issue in the main proceedings, setting out the grounds that the case officer puts forward in support of the draft decision which he is responsible for drawing up in the context of the procedure prior to the adoption of a decision concerning the application for such a permit and, where relevant, the data in the legal analysis contained in that document, are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so classified.

2.      Article 12(a) of Directive 95/46 and Article 8(2) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that an applicant for a residence permit has a right of access to all personal data concerning him which are processed by the national administrative authorities within the meaning of Article 2(b) of that directive. For that right to be complied with, it is sufficient that the applicant be in possession of a full summary of those data in an intelligible form, that is to say a form which allows that applicant to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him by that directive.

3.      Article 41(2)(b) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that the applicant for a residence permit cannot rely on that provision against the national authorities.

Opinion of Advocate general

Judgment of the Court

C-136/17 (24 September 2019) - GC and Others (De-referencing of sensitive data)

 1.The provisions of Article 8(1) and (5) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the prohibition or restrictions relating to the processing of special categories of personal data, mentioned in those provisions, apply also, subject to the exceptions provided for by the directive, to the operator of a search engine in the context of his responsibilities, powers and capabilities as the controller of the processing carried out in connection with the activity of the search engine, on the occasion of a verification performed by that operator, under the supervision of the competent national authorities, following a request by the data subject.

2.   The provisions of Article 8(1) and (5) of Directive 95/46 must be interpreted as meaning that the operator of a search engine is in principle required by those provisions, subject to the exceptions provided for by the directive, to accede to requests for de-referencing in relation to links to web pages containing personal data falling within the special categories referred to by those provisions.

Article 8(2)(e) of Directive 95/46 must be interpreted as meaning that, pursuant to that article, such an operator may refuse to accede to a request for de-referencing if he establishes that the links at issue lead to content comprising personal data falling within the special categories referred to in Article 8(1) but whose processing is covered by the exception in Article 8(2)(e) of the directive, provided that the processing satisfies all the other conditions of lawfulness laid down by the directive, and unless the data subject has the right under Article 14(a) of the directive to object to that processing on compelling legitimate grounds relating to his particular situation.

The provisions of Directive 95/46 must be interpreted as meaning that, where the operator of a search engine has received a request for de-referencing relating to a link to a web page on which personal data falling within the special categories referred to in Article 8(1) or (5) of Directive 95/46 are published, the operator must, on the basis of all the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject’s fundamental rights to privacy and protection of personal data laid down in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, ascertain, having regard to the reasons of substantial public interest referred to in Article 8(4) of the directive and in compliance with the conditions laid down in that provision, whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search, protected by Article 11 of the Charter.

3.  The provisions of Directive 95/46 must be interpreted as meaning that

  •  first, information relating to legal proceedings brought against an individual and, as the case may be, information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46, and
  •  second, the operator of a search engine is required to accede to a request for de-referencing relating to links to web pages displaying such information, where the information relates to an earlier stage of the legal proceedings in question and, having regard to the progress of the proceedings, no longer corresponds to the current situation, in so far as it is established in the verification of the reasons of substantial public interest referred to in Article 8(4) of Directive 95/46 that, in the light of all the circumstances of the case, the data subject’s fundamental rights guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union override the rights of potentially interested internet users protected by Article 11 of the Charter

Opinion of Advocate general 

Judgement of the Court

C-184/20 (1 October 2022), Vyriausioji tarnybinės etikos komisija

1.      Article 7(c) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and point (c) of the first subparagraph of Article 6(1) and Article 6(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in the light of Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation that provides for the publication online of the declaration of private interests that any head of an establishment receiving public funds is required to lodge, in so far as, in particular, that publication concerns name-specific data relating to his or her spouse, cohabitee or partner, or to persons who are close relatives of the declarant, or are known by him or her, liable to give rise to a conflict of interests, or concerns any transaction concluded during the last 12 calendar months the value of which exceeds EUR 3 000.

2.      Article 8(1) of Directive 95/46 and Article 9(1) of Regulation 2016/679 must be interpreted as meaning that the publication, on the website of the public authority responsible for collecting and checking the content of declarations of private interests, of personal data that are liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data, for the purpose of those provisions.

Judgment of the court

Opinion of the advocate general

C-252/21 (4 July 2023), Meta Platforms e.a. (General terms and conditions of use of a social network)

1.      Article 51 et seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as well as Article 4(3) TEU

must be interpreted as meaning that, subject to compliance with its duty of sincere cooperation with the supervisory authorities, a competition authority of a Member State can find, in the context of the examination of an abuse of a dominant position by an undertaking within the meaning of Article 102 TFEU, that that undertaking’s general terms of use relating to the processing of personal data and the implementation thereof are not consistent with that regulation, where that finding is necessary to establish the existence of such an abuse.

In view of this duty of sincere cooperation, the national competition authority cannot depart from a decision by the competent national supervisory authority or the competent lead supervisory authority concerning those general terms or similar general terms. Where it has doubts as to the scope of such a decision, where those terms or similar terms are, simultaneously, under examination by those authorities, or where, in the absence of an investigation or decision by those authorities, the competition authority takes the view that the terms in question are not consistent with Regulation 2016/679, it must consult and seek the cooperation of those supervisory authorities in order to dispel its doubts or to determine whether it must wait for them to take a decision before starting its own assessment. In the absence of any objection on their part or of any reply within a reasonable time, the national competition authority may continue its own investigation;

2.      Article 9(1) of Regulation 2016/679

must be interpreted as meaning that, where the user of an online social network visits websites or apps to which one or more of the categories referred to in that provision relate and, as the case may be, enters information into them when registering or when placing online orders, the processing of personal data by the operator of that online social network, which entails the collection – by means of integrated interfaces, cookies or similar storage technologies – of data from visits to those sites and apps and of the information entered by the user, the linking of all those data with the user’s social network account and the use of those data by that operator, must be regarded as ‘processing of special categories of personal data’ within the meaning of that provision, which is in principle prohibited, subject to the derogations provided for in Article 9(2), where that data processing allows information falling within one of those categories to be revealed, irrespective of whether that information concerns a user of that network or any other natural person;

3.      Article 9(2)(e) of Regulation 2016/679

must be interpreted as meaning that, where the user of an online social network visits websites or apps to which one or more of the categories set out in Article 9(1) of that regulation relate, the user does not manifestly make public, within the meaning of the first of those provisions, the data relating to those visits collected by the operator of that online social network via cookies or similar storage technologies;

Where he or she enters information into such websites or apps or where he or she clicks or taps on buttons integrated into those sites and apps, such as the ‘Like’ or ‘Share’ buttons or buttons enabling the user to identify himself or herself on those sites or apps using login credentials linked to his or her social network user account, his or her telephone number or email address, that user manifestly makes public, within the meaning of Article 9(2)(e), the data thus entered or resulting from the clicking or tapping on those buttons only in the circumstance where he or she has explicitly made the choice beforehand, as the case may be on the basis of individual settings selected with full knowledge of the facts, to make the data relating to him or her publicly accessible to an unlimited number of persons;

4.      Point (b) of the first subparagraph of Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, can be regarded as necessary for the performance of a contract to which the data subjects are party, within the meaning of that provision, only on condition that the processing is objectively indispensable for a purpose that is integral to the contractual obligation intended for those users, such that the main subject matter of the contract cannot be achieved if that processing does not occur;

5.      Point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, can be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, within the meaning of that provision, only on condition that the operator has informed the users from whom the data have been collected of a legitimate interest that is pursued by the data processing, that such processing is carried out only in so far as is strictly necessary for the purposes of that legitimate interest and that it is apparent from a balancing of the opposing interests, having regard to all the relevant circumstances, that the interests or fundamental freedoms and rights of those users do not override that legitimate interest of the controller or of a third party;

6.      Point (c) of the first subparagraph of Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, is justified, under that provision, where it is actually necessary for compliance with a legal obligation to which the controller is subject, pursuant to a provision of EU law or the law of the Member State concerned, where that legal basis meets an objective of public interest and is proportionate to the legitimate aim pursued and where that processing is carried out only in so far as is strictly necessary;

7.      Points (d) and (e) of the first subparagraph of Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, cannot, in principle and subject to verification by the referring court, be regarded as necessary in order to protect the vital interests of the data subject or of another natural person, within the meaning of point (d), or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, within the meaning of point (e);

8.      Point (a) of the first subparagraph of Article 6(1) and Article 9(2)(a) of Regulation 2016/679

must be interpreted as meaning that the fact that the operator of an online social network holds a dominant position on the market for online social networks does not, as such, preclude the users of such a network from being able validly to consent, within the meaning of Article 4(11) of that regulation, to the processing of their personal data by that operator. This is nevertheless an important factor in determining whether the consent was in fact validly and, in particular, freely given, which it is for that operator to prove.

Décision of the Court

Opinion of the advocate general

C-667/21,  ZQ contre Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts (21 décembre 2023)

(English not available yet)

1)      L’article 9, paragraphe 2, sous h), du règlement (UE) 2016/679 du Parlement européen et du Conseil, du 27 avril 2016, relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la protection des données),

doit être interprété en ce sens que :

l’exception prévue à cette disposition est applicable aux situations dans lesquelles un organisme de contrôle médical traite des données concernant la santé de l’un de ses employés en qualité non pas d’employeur, mais de service médical, afin d’apprécier la capacité de travail de cet employé, sous réserve que le traitement concerné satisfasse aux conditions et garanties expressément imposées par ce point h) et par le paragraphe 3 dudit article 9.

2)      L’article 9, paragraphe 3, du règlement 2016/679

doit être interprété en ce sens que :

le responsable d’un traitement de données concernant la santé, fondé sur l’article 9, paragraphe 2, sous h), de ce règlement, n’est pas tenu, en vertu de ces dispositions, de garantir qu’aucun collègue de la personne concernée ne peut accéder aux données se rapportant à l’état de santé de celle‑ci. Toutefois, une telle obligation peut s’imposer au responsable d’un tel traitement soit en vertu d’une réglementation adoptée par un État membre sur la base de l’article 9, paragraphe 4, dudit règlement, soit au titre des principes d’intégrité et de confidentialité énoncés à l’article 5, paragraphe 1, sous f), du même règlement et concrétisés à l’article 32, paragraphe 1, sous a) et b), de celui-ci.

3)      L’article 9, paragraphe 2, sous h), et l’article 6, paragraphe 1, du règlement 2016/679

doivent être interprétés en ce sens que :

un traitement de données concernant la santé fondé sur cette première disposition doit, afin d’être licite, non seulement respecter les exigences découlant de celle‑ci, mais aussi remplir au moins l’une des conditions de licéité énoncées à cet article 6, paragraphe 1.

4)      L’article 82, paragraphe 1, du règlement 2016/679

doit être interprété en ce sens que :

le droit à réparation prévu à cette disposition remplit une fonction compensatoire, en ce qu’une réparation pécuniaire fondée sur ladite disposition doit permettre de compenser intégralement le préjudice concrètement subi du fait de la violation de ce règlement, et non une fonction dissuasive ou punitive.

5)      L’article 82 du règlement 2016/679

doit être interprété en ce sens que :

d’une part, l’engagement de la responsabilité du responsable du traitement est subordonné à l’existence d’une faute commise par celui‑ci, laquelle est présumée à moins que ce dernier prouve que le fait qui a provoqué le dommage ne lui est nullement imputable, et, d’autre part, cet article 82 ne requiert pas que le degré de gravité de cette faute soit pris en compte lors de la fixation du montant des dommages‑intérêts alloués en réparation d’un préjudice moral sur le fondement de cette disposition.

Decision of the Court (FR)

Opinion of the advocate general

Retour au sommaire Retour au sommaire
Regulation
1e 2e

Art. 9

1.   Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2.   Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3.   Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4.   Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.-

1st proposal close

Art. 9

1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.

2. Paragraph 1 shall not apply where:

(a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

(e) the processing relates to personal data which are manifestly made public by the data subject; or

(f) processing is necessary for the establishment, exercise or defence of legal claims; or

(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests; or

(h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or

(i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or

(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.

 

2nd proposal close

Art 9

1. The processing of personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life (…) shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies (…)
(a) the data subject has given explicit consent to the processing of those personal data (…), except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union law or Member State law or a collective agreement pursuant to Member State law providing for adequate safeguards;  or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent ; or

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non- profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

(e) the processing relates to personal data which are manifestly made public by the data subject (...); or

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity ; or

(g) processing is necessary for (...) reasons of public interest, on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests; or

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union law or Member State law or pursuant to contract with a health  professional and subject to the conditions and safeguards referred to in paragraph 4 ; or

(ha) (...);

(hb) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality  and safety of health care and of medicinal products or medical devices, on the basis of Union law or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject; or

(i) processing is necessary for archiving purposes in the public interest or

historical, statistical or scientific (...) purposes and subject to the conditions and safeguards laid down in Union or Member State law, including those referred to in Article 83.

(j) (...)

3. (...)

4. Personal data referred to in paragraph 1 may on the basis of Union or Member State law be processed for the purposes referred to in point (h) (...) of paragraph 2 when those data are processed by or under the responsibility of a (...) professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4a. (...).

5. Member States may maintain or introduce more specific provisions with regard to genetic data or health data. This includes the possibility for Member States to (...) introduce further conditions for the processing of these data.

Directive close

Art. 8

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

2. Paragraph 1 shall not apply where:

(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or

(b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or

(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.

3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.

5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.

Member States may provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority.

6. Derogations from paragraph 1 provided for in paragraphs 4 and 5 shall be notified to the Commission.

7. Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed.

Article 9
Sensitive Data
Sensitive data may be processed only:
(a) if the data subject has given his express consent to the processing. When giving his consent, the data subject must be provided with the information about what purpose of processing, what personal data, which controller and what period of time the consent is being given for. The controller must be able to prove the existence of the consent of data subject to personal data processing during the whole period of processing. The controller is obliged to instruct in advance the data subject of his rights pursuant to Articles 12 and 21,
(b) if it is necessary in order to preserve life or health of the data subject or some other person or to eliminate imminent serious danger to their property, if his consent cannot be obtained, in particular, due to physical, mental or legal incapacity, or if the data subject is missing or for similar reasons. The controller shall be obliged to terminate data processing as soon as the above mentioned reasons cease to exist and must liquidate the data, unless the data subject gives his consent to further processing.
(c) if the processing in question is in relation with ensuring health services, public health protection, health insurance, and the exercise of public administration in the field of health sector pursuant to a special Act, or it is related to assessment of health in other cases provided by a special Act,
(d) if the processing is necessary to keep the obligations and rights of the controller responsible for processing in the field of labour law and employment provided by a special Act,
(e) if the processing pursue political, philosophical, religious or trade-union aims and is carried out within the scope of legitimate activity of a civil association, foundation or other legal person of non-profit nature (hereinafter referred to as the "association"), and which relates only to members of the association or persons with whom the association is in recurrent contact related to legitimate activity of the association, and the personal data are not disclosed without the consent of data subject,
(f) if the data processed pursuant to a special Act are necessary to employ sickness insurance, pension insurance (security), state social support and other state social security benefits, social services, social care, assistance in material need and social and legal protection of children, and if, at the same time, the protection of these data is ensured in accordance with the law,
(g) if the processing concerns personal data published by the data subject,
(h) if the processing is necessary to secure and exercise legal claims,
(ch) if they are processed exclusively for archival purposes pursuant to a special Act, or
(i) if it is the processing under special acts regulating prevention, investigation, detection of criminal activities, prosecution of criminal offences and search for persons.

close