GENERAL DATA PROTECTION REGULATION AND DATA PROTECTION ACT 2018

This table contains extracts and summaries of legislation using among other things the headings of paragraphs in the Schedules to the UK Data Protection Act 2018 ('DPA'). After identifying relevant paragraphs in those Schedules, users of this table should always use the DPA links provided to refer to the full text of those paragraphs, in order to identify their precise scope and to identify the 'listed GDPR provisions'. (See Summary of Data Protection Act 2018 for further explanation.)

Item Reference       Article 9 Link
1 9. Article 9 GDPR 9
2 9. Processing of special categories of personal data GDPR 9
3 9.1 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. GDPR 9
4 9.2 2. Paragraph 1 shall not apply if one of the following applies: GDPR 9
5 9.2(a) (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; GDPR 9
6 9.2(b) (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; GDPR 9
7 9.2(c) (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; GDPR 9
8 9.2(d) (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; GDPR 9
9 9.2(e) (e) processing relates to personal data which are manifestly made public by the data subject; GDPR 9
10 9.2(f) (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; GDPR 9
11 9.2(g) (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; GDPR 9
12 9.2(h) (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; GDPR 9
13 9.2(i) (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; GDPR 9
14 9.2(j) (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. GDPR 9
15 9.3 3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies. GDPR 9
16 9.4 4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. GDPR 9
Item Reference Articles which affect Article 9 Link
Item Reference       Definitions from published guidance which affect Article 9 Link
41 ICO "The claim must have a basis in law, and a formal legally defined process, but it is not just judicial or administrative procedures. This means that you can interpret what is a legal claim quite widely, to cover, for example:
  • all judicial legal claims, in civil law (including contract law) and criminal law. The court procedure does not need to have been started, and it covers out-of-court procedures. It covers formal pre-trial discovery procedures.
  • administrative or regulatory procedures, such as to defend an investigation (or potential investigation) in anti-trust law or financial services regulation, or to seek approval for a merger.
You cannot rely on this exception if there is only the mere possibility that a legal claim or other formal proceedings may be brought in the future."
Guidance
42 EDPB "Under Article 49(1)(e), transfers may take place when 'the transfer is necessary for the establishment, exercise or defense of legal claims'. Recital 111 states that a transfer can be made where it is 'occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies'. This covers a range of activities for example, in the context of a criminal or administrative investigation in a third country (e.g. anti-trust law, corruption, insider trading or similar situations), where the derogation may apply to a transfer of data for the purpose of defending oneself or for obtaining a reduction or waiver of a fine legally foreseen e.g. in anti-trust investigations. As well, data transfers for the purpose of formal pre-trial discovery procedures in civil litigation may fall under this derogation. It can also cover actions by the data exporter to institute procedures in a third country for example commencing litigation or seeking approval for a merger. The derogation cannot be used to justify the transfer of personal data on the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future.
This derogation can apply to activities carried out by public authorities in the exercise of their public powers (Article 49(3)).
The combination of the terms 'legal claim' and 'procedure' implies that the relevant procedure must have a basis in law, including a formal, legally defined process, but is not necessarily limited to judicial or administrative procedures ('or any out of court procedure'). As a transfer needs to be made in a procedure, a close link is necessary between a data transfer and a specific procedure regarding the situation in question. The abstract applicability of a certain type of procedure would not be sufficient.
Data controllers and data processors need to be aware that national law may also contain so-called 'blocking statutes', prohibiting them from or restricting them in transferring personal data to foreign courts or possibly other foreign official bodies."
Guidance
43 Recitals A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. Guidance
44 ICO "Explicit consent requires a very clear and specific statement of consent. ... Explicit consent must be expressly confirmed in words, rather than by any other positive action." Guidance
45 Art49WP "The GDPR prescribes that a 'statement or clear affirmative action' is a prerequisite for 'regular' consent. As the 'regular' consent requirement in the GDPR is already raised to a higher standard compared to the consent requirement in Directive 95/46/EC, it needs to be clarified what extra efforts a controller should undertake in order to obtain the explicit consent of a data subject in line with the GDPR.
The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.
However, such a signed statement is not the only way to obtain explicit consent and, it cannot be said that the GDPR prescribes written and signed statements in all circumstances that require valid explicit consent. For example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. In theory, the use of oral statements can also be sufficiently express to obtain valid explicit consent, however, it may be difficult to prove for the controller that all conditions for valid explicit consent were met 47 when the statement was recorded.
An organisation may also obtain explicit consent through a telephone conversation, provided that the information about the choice is fair, intelligible and clear, and it asks for a specific confirmation from the data subject (e.g. pressing a button or providing oral confirmation).
[Examples 17 and 18]
Two stage verification of consent can also be a way to make sure explicit consent is valid. For example, a data subject receives an email notifying them of the controller’s intent to process a record containing medical data. The controller explains in the email that he asks for consent for the use of a specific set of information for a specific purpose. If the data subjects agrees to the use of this data, the controller asks him or her for an email reply containing the statement 'I agree'. After the reply is sent, the data subject receives a verification link that must be clicked, or an SMS message with a verification code, to confirm agreement."
Guidance
Item Reference       Paragraphs in Schedules to Data Protection Act 2018 which affect Article 9 Link
46 1// Special categories of personal data and criminal convictions etc data DPA Sch 1
47 1/1/ Conditions relating to employment, health and research etc

"This condition is met if-
(a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and
(b) when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule)."
DPA Sch 1
48 1/1/1 Employment, social security and social protection DPA Sch 1
49 1/1/2 Health or social care purposes DPA Sch 1
50 1/1/3 Public health

"This condition is met if the processing-
(a) is necessary for reasons of public interest in the area of public health, and
(b) is carried out-
(i by or under the responsibility of a health professional, or
(ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law."
DPA Sch 1
51 1/1/4 Research etc

"This condition is met if the processing-
(a) is necessary for archiving purposes, scientific or historical research purposes or statistical purposes,
(b) is carried out in accordance with Article 89(1) of the GDPR (as supplemented by section 19), and
(c) is in the public interest."
DPA Sch 1
52 1/2/ Substantial public interest conditions DPA Sch 1
53 1/2/5 Requirement for an appropriate policy document when relying on conditions in this Part

"(1) Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).
(2) See also the additional safeguards in Part 4 of this Schedule."
DPA Sch 1
54 1/2/6 Statutory etc and government purposes

"(1) This condition is met if the processing-
(a) is necessary for a purpose listed in sub-paragraph (2), and
(b)is necessary for reasons of substantial public interest.
(2) Those purposes are-
(a) the exercise of a function conferred on a person by an enactment or rule of law,
(b) the exercise of a function of the Crown, a Minister of the Crown or a government department."
DPA Sch 1
55 1/2/7 Administration of justice and parliamentary purposes

"This condition is met if the processing is necessary-
(a)for the administration of justice, or
(b)for the exercise of a function of either House of Parliament."
DPA Sch 1
56 1/2/8 Equality of opportunity or treatment
Category of personal data: Groups of people (in relation to a category of personal data):
Personal data revealing racial or ethnic origin People of different racial or ethnic origins
Personal data revealing religious or philosophical beliefs People holding different religious or philosophical beliefs
Data concerning health People with different states of physical or mental health
Personal data concerning an individual's sexual orientation People of different sexual orientation
DPA Sch 1
57 1/2/9 Racial and ethnic diversity at senior levels of organisations DPA Sch 1
58 1/2/10 Preventing or detecting unlawful acts DPA Sch 1
59 1/2/11 Protecting the public against dishonesty etc DPA Sch 1
60 1/2/12 Regulatory requirements relating to unlawful acts and dishonesty etc DPA Sch 1
61 1/2/13 Journalism etc in connection with unlawful acts and dishonesty etc DPA Sch 1
62 1/2/14 Preventing fraud

"(1) This condition is met if the processing-
(a) is necessary for the purposes of preventing fraud or a particular kind of fraud, and
(b) consists of-
(i) the disclosure of personal data by a person as a member of an anti-fraud organisation,
(ii)the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation, or
(iii) the processing of personal data disclosed as described in sub-paragraph (i) or (ii).
(2) In this paragraph, "anti-fraud organisation" has the same meaning as in section 68 of the Serious Crime Act 2007. "
DPA Sch 1
63 1/2/15 Suspicion of terrorist financing or money laundering

"This condition is met if the processing is necessary for the purposes of making a disclosure in good faith under either of the following-
(a) section 21CA of the Terrorism Act 2000 (disclosures between certain entities within regulated sector in relation to suspicion of commission of terrorist financing offence or for purposes of identifying terrorist property),
(b) section 339ZB of the Proceeds of Crime Act 2002 (disclosures within regulated sector in relation to suspicion of money laundering)."
DPA Sch 1
64 1/2/16 Support for individuals with a particular disability or medical condition DPA Sch 1
65 1/2/17 Counselling etc DPA Sch 1
66 1/2/18 Safeguarding of children and of individuals at risk DPA Sch 1
67 1/2/19 Safeguarding of economic well-being of certain individuals DPA Sch 1
68 1/2/20 Insurance DPA Sch 1
69 1/2/21 Occupational pensions DPA Sch 1
70 1/2/22 Political parties DPA Sch 1
71 1/2/23 Elected representatives responding to requests DPA Sch 1
72 1/2/24 Disclosure to elected representatives DPA Sch 1
73 1/2/25 Informing elected representatives about prisoners DPA Sch 1
74 1/2/26 Publication of legal judgments

"This condition is met if the processing-
(a) consists of the publication of a judgment or other decision of a court or tribunal, or
(b) is necessary for the purposes of publishing such a judgment or decision."
DPA Sch 1
75 1/2/27 Anti-doping in sport DPA Sch 1
76 1/2/28 Standards of behaviour in sport DPA Sch 1
77 1/4/ Appropriate policy document and additional safeguards DPA Sch 1
78 1/4/38 Application of this Part of this Schedule

"This Part of this Schedule makes provision about the processing of personal data carried out in reliance on a condition in Part 1, 2 or 3 of this Schedule which requires the controller to have an appropriate policy document in place when the processing is carried out."
DPA Sch 1
79 1/4/39 Requirement to have an appropriate policy document in place

"The controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition described in paragraph 38 if the controller has produced a document which-
(a) explains the controller's procedures for securing compliance with the principles in Article 5 of the GDPR (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and
(b) explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained."
DPA Sch 1
80 1/4/40 Additional safeguard: retention of appropriate policy document

"(1) Where personal data is processed in reliance on a condition described in paragraph 38, the controller must during the relevant period-
(a) retain the appropriate policy document,
(b) review and (if appropriate) update it from time to time, and
(c) make it available to the Commissioner, on request, without charge.
(2) "Relevant period", in relation to the processing of personal data in reliance on a condition described in paragraph 38, means a period which-
(a) begins when the controller starts to carry out processing of personal data in reliance on that condition, and
(b) ends at the end of the period of 6 months beginning when the controller ceases to carry out such processing."
DPA Sch 1
81 1/4/41 Additional safeguard: record of processing

"A record maintained by the controller, or the controller's representative, under Article 30 of the GDPR in respect of the processing of personal data in reliance on a condition described in paragraph 38 must include the following information-
(a) which condition is relied on,
(b) how the processing satisfies Article 6 of the GDPR (lawfulness of processing), and
(c) whether the personal data is retained and erased in accordance with the policies described in paragraph 39(b) and, if it is not, the reasons for not following those policies."
DPA Sch 1
82 2/5/ Exemptions etc based on Article 85(2) for reasons of freedom of expression and information DPA Sch 2
83 2/5/26 Journalistic, academic, artistic and literary purposes DPA Sch 2
ICO guidance
Item Reference Sections of the Data Protection Act 2018 which affect Article 9 Link
84 s. Special categories of personal data
85 s. 10 Special categories of personal data and criminal convictions etc data
(1) Subsections (2) and (3) make provision about the processing of personal data described in Article 9(1) of the GDPR (prohibition on processing of special categories of personal data) in reliance on an exception in one of the following points of Article 9(2)—
(a) point (b) (employment, social security and social protection);
(b) point (g) (substantial public interest);
(c) point (h) (health and social care);
(d) point (i) (public health);
(e) point (j) (archiving, research and statistics).
(2) The processing meets the requirement in point (b), (h), (i) or (j) of Article 9(2) of the GDPR for authorisation by, or a basis in, the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1 of Schedule 1.
(3) The processing meets the requirement in point (g) of Article 9(2) of the GDPR for a basis in the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 2 of Schedule 1.
(4) Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.
(5) The processing meets the requirement in Article 10 of the GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.
(6) The Secretary of State may by regulations—
(a) amend Schedule 1—
(i) by adding or varying conditions or safeguards, and
(ii) by omitting conditions or safeguards added by regulations under this section, and
(b) consequentially amend this section.
(7) Regulations under this section are subject to the affirmative resolution procedure.
DPA s.10
86 s. 11 Special categories of personal data etc: supplementary
(1) For the purposes of Article 9(2)(h) of the GDPR (processing for health or social care purposes etc), the circumstances in which the processing of personal data is carried out subject to the conditions and safeguards referred to in Article 9(3) of the GDPR (obligation of secrecy) include circumstances in which it is carried out—
(a) by or under the responsibility of a health professional or a social work professional, or
(b) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
(2) In Article 10 of the GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to—
(a) the alleged commission of offences by the data subject, or
(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.
DPA s.11
87 s. 15 Restrictions on data subject's rights DPA s.15
88 s. 15 Exemptions etc
(1) Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the GDPR.
(2) In Schedule 2—
(a) Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 6(3) and Article 23(1) of the GDPR;
(b) Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(c) Part 3 makes provision restricting the application of Article 15 of the GDPR where this is necessary to protect the rights of others, as allowed for by Article 23(1) of the GDPR;
(d) Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(e) Part 5 makes provision containing exemptions or derogations from Chapters II, III, IV, V and VII of the GDPR for reasons relating to freedom of expression, as allowed for by Article 85(2) of the GDPR;
(f) Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the GDPR for scientific or historical research purposes, statistical purposes and archiving purposes, as allowed for by Article 89(2) and (3) of the GDPR.
(3) Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to health, social work, education and child abuse data, as allowed for by Article 23(1) of the GDPR.
(4) Schedule 4 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to information the disclosure of which is prohibited or restricted by an enactment, as allowed for by Article 23(1) of the GDPR.
(5) In connection with the safeguarding of national security and with defence, see Chapter 3 of this Part and the exemption in section 26.
DPA s.15
89 s. 19 Processing for archiving, research and statistical purposes: safeguards
(1) This section makes provision about—
(a) processing of personal data that is necessary for archiving purposes in the public interest,
(b) processing of personal data that is necessary for scientific or historical research purposes, and
(c) processing of personal data that is necessary for statistical purposes.
(2) Such processing does not satisfy the requirement in Article 89(1) of the GDPR for the processing to be subject to appropriate safeguards for the rights and freedoms of the data subject if it is likely to cause substantial damage or substantial distress to a data subject.
(3) Such processing does not satisfy that requirement if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research.
DPA s.19
Item Reference       GDPR Recitals which affect Article 9
90 Recital 20 (20) While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.
91 Recital 33 (33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.
92 Recital 51 (51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
93 Recital 52 (52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
94 Recital 53 (53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.
95 Recital 54 (54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council (11), namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.
96 Recital 55 (55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.
97 Recital 56 (56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.
Item Reference       Related Guidance which affects Article 9
98 ICO guidance on consent under GDPR Guidance
99 Article 29 Working Party Guidelines on consent Guidance
100 The meaning of "legal claims" is considered in ICO guidance on international transfers Guidance
101 The meaning of "legal claims" is considered in EDPB guidance on Article 49 Guidance
102 ICO guidance on Lawfulness, fairness and transparency Guidance
103 ICO guidance on Purpose limitation Guidance
104 ICO guidance on Legal obligation Guidance
105 ICO guidance on Vital interests Guidance
106 ICO guidance on Public task Guidance
107 ICO guidance on Special category data Guidance
Disclaimer - Copyright - Privacy policy