Item | Reference | Article 9 | Link | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | 9. | Article 9 | GDPR 9 | ||||||||||
2 | 9. | Processing of special categories of personal data | GDPR 9 | ||||||||||
3 | 9.1 | 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. | GDPR 9 | ||||||||||
4 | 9.2 | 2. Paragraph 1 shall not apply if one of the following applies: | GDPR 9 | ||||||||||
5 | 9.2(a) | (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; | GDPR 9 | ||||||||||
6 | 9.2(b) | (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; | GDPR 9 | ||||||||||
7 | 9.2(c) | (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; | GDPR 9 | ||||||||||
8 | 9.2(d) | (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; | GDPR 9 | ||||||||||
9 | 9.2(e) | (e) processing relates to personal data which are manifestly made public by the data subject; | GDPR 9 | ||||||||||
10 | 9.2(f) | (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; | GDPR 9 | ||||||||||
11 | 9.2(g) | (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; | GDPR 9 | ||||||||||
12 | 9.2(h) | (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; | GDPR 9 | ||||||||||
13 | 9.2(i) | (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; | GDPR 9 | ||||||||||
14 | 9.2(j) | (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. | GDPR 9 | ||||||||||
15 | 9.3 | 3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies. | GDPR 9 | ||||||||||
16 | 9.4 | 4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. | GDPR 9 | ||||||||||
Item | Reference | Articles which affect Article 9 | Link | ||||||||||
17 | 4.(1) | (1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; | GDPR 4 | ||||||||||
18 | 4.(2) | (2) 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; | GDPR 4 | ||||||||||
19 | 4.(7) | (7) 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; | GDPR 4 | ||||||||||
20 | 4.(11) | (11) 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; | GDPR 4 | ||||||||||
21 | 4.(13) | (13) 'genetic data' means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question; | GDPR 4 | ||||||||||
22 | 4.(14) | (14) 'biometric data' means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; | GDPR 4 | ||||||||||
23 | 4.(15) | (15) 'data concerning health' means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status; | GDPR 4 | ||||||||||
24 | 6.1 | 1. Processing shall be lawful only if and to the extent that at least one of the following applies: | GDPR 6 | ||||||||||
25 | 6.1(a) | (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; | GDPR 6 | ||||||||||
26 | 7. | Conditions for consent | GDPR 7 | ||||||||||
27 | 7.1 | 1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. | GDPR 7 | ||||||||||
28 | 7.2 | 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. | GDPR 7 | ||||||||||
29 | 7.3 | 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. | GDPR 7 | ||||||||||
30 | 7.4 | 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. | GDPR 7 | ||||||||||
31 | 13.2 | 2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: | GDPR 13 | ||||||||||
32 | 13.2(c) | (c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; | GDPR 13 | ||||||||||
33 | 14.2 | 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject: | GDPR 14 | ||||||||||
34 | 14.2(d) | (d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; | GDPR 14 | ||||||||||
35 | 22.4 | 4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place. | GDPR 22 | ||||||||||
36 | 30.5 | 5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10. | GDPR 30 | ||||||||||
37 | 35.3 | 3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of: | GDPR 35 | ||||||||||
38 | 35.3(b) | (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or | GDPR 35 | ||||||||||
39 | 37.1 | 1. The controller and the processor shall designate a data protection officer in any case where: | GDPR 37 | ||||||||||
40 | 37.1(c) | (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10. | GDPR 37 | ||||||||||
Item | Reference | Definitions from published guidance which affect Article 9 | Link | ||||||||||
41 | ICO | "The claim must have a basis in law, and a formal legally defined process, but it is not just judicial or administrative procedures. This means that you can interpret what is a legal claim quite widely, to cover, for example: | Guidance |
42 | EDPB | "Under Article 49(1)(e), transfers may take place when 'the transfer is necessary for the establishment, exercise or defense of legal claims'. Recital 111 states that a transfer can be made where it is 'occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies'. This covers a range of activities for example, in the context of a criminal or administrative investigation in a third country (e.g. anti-trust law, corruption, insider trading or similar situations), where the derogation may apply to a transfer of data for the purpose of defending oneself or for obtaining a reduction or waiver of a fine legally foreseen e.g. in anti-trust investigations. As well, data transfers for the purpose of formal pre-trial discovery procedures in civil litigation may fall under this derogation. It can also cover actions by the data exporter to institute procedures in a third country for example commencing litigation or seeking approval for a merger. The derogation cannot be used to justify the transfer of personal data on the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future. This derogation can apply to activities carried out by public authorities in the exercise of their public powers (Article 49(3)). The combination of the terms 'legal claim' and 'procedure' implies that the relevant procedure must have a basis in law, including a formal, legally defined process, but is not necessarily limited to judicial or administrative procedures ('or any out of court procedure'). As a transfer needs to be made in a procedure, a close link is necessary between a data transfer and a specific procedure regarding the situation in question. The abstract applicability of a certain type of procedure would not be sufficient. Data controllers and data processors need to be aware that national law may also contain so-called 'blocking statutes', prohibiting them from or restricting them in transferring personal data to foreign courts or possibly other foreign official bodies." | Guidance |
43 | Recitals | A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. | Guidance | ||||||||||
44 | ICO | "Explicit consent requires a very clear and specific statement of consent. ... Explicit consent must be expressly confirmed in words, rather than by any other positive action." | Guidance | ||||||||||
45 | Art49WP | "The GDPR prescribes that a 'statement or clear affirmative action' is a prerequisite for 'regular' consent. As the 'regular' consent requirement in the GDPR is already raised to a higher standard compared to the consent requirement in Directive 95/46/EC, it needs to be clarified what extra efforts a controller should undertake in order to obtain the explicit consent of a data subject in line with the GDPR. The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future. However, such a signed statement is not the only way to obtain explicit consent and, it cannot be said that the GDPR prescribes written and signed statements in all circumstances that require valid explicit consent. For example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. In theory, the use of oral statements can also be sufficiently express to obtain valid explicit consent, however, it may be difficult to prove for the controller that all conditions for valid explicit consent were met when the statement was recorded. An organisation may also obtain explicit consent through a telephone conversation, provided that the information about the choice is fair, intelligible and clear, and it asks for a specific confirmation from the data subject (e.g. pressing a button or providing oral confirmation). [Examples 17 and 18] Two stage verification of consent can also be a way to make sure explicit consent is valid. For example, a data subject receives an email notifying them of the controller’s intent to process a record containing medical data. The controller explains in the email that he asks for consent for the use of a specific set of information for a specific purpose. If the data subjects agrees to the use of this data, the controller asks him or her for an email reply containing the statement 'I agree'. After the reply is sent, the data subject receives a verification link that must be clicked, or an SMS message with a verification code, to confirm agreement." | Guidance |
Item | Reference | Paragraphs in Schedules to Data Protection Act 2018 which affect Article 9 | Link | ||||||||||
46 | 1// | Special categories of personal data and criminal convictions etc data | DPA Sch 1 |
47 | 1/1/ | Conditions relating to employment, health and research etc "This condition is met if- (a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and (b) when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule)." | DPA Sch 1 |
48 | 1/1/1 | Employment, social security and social protection | DPA Sch 1 |
49 | 1/1/2 | Health or social care purposes | DPA Sch 1 |
50 | 1/1/3 | Public health "This condition is met if the processing- (a) is necessary for reasons of public interest in the area of public health, and (b) is carried out- (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law." | DPA Sch 1 |
51 | 1/1/4 | Research etc "This condition is met if the processing- (a) is necessary for archiving purposes, scientific or historical research purposes or statistical purposes, (b) is carried out in accordance with Article 89(1) of the GDPR (as supplemented by section 19), and (c) is in the public interest." | DPA Sch 1 |
52 | 1/2/ | Substantial public interest conditions | DPA Sch 1 |
53 | 1/2/5 | Requirement for an appropriate policy document when relying on conditions in this Part "(1) Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule). (2) See also the additional safeguards in Part 4 of this Schedule." | DPA Sch 1 |
54 | 1/2/6 | Statutory etc and government purposes "(1) This condition is met if the processing- (a) is necessary for a purpose listed in sub-paragraph (2), and (b) is necessary for reasons of substantial public interest. (2) Those purposes are- (a) the exercise of a function conferred on a person by an enactment or rule of law, (b) the exercise of a function of the Crown, a Minister of the Crown or a government department." | DPA Sch 1 |
55 | 1/2/7 | Administration of justice and parliamentary purposes "This condition is met if the processing is necessary- (a) for the administration of justice, or (b) for the exercise of a function of either House of Parliament." | DPA Sch 1 |
56 | 1/2/8 | Equality of opportunity or treatment | DPA Sch 1 |
57 | 1/2/9 | Racial and ethnic diversity at senior levels of organisations | DPA Sch 1 |
58 | 1/2/10 | Preventing or detecting unlawful acts | DPA Sch 1 |
59 | 1/2/11 | Protecting the public against dishonesty etc | DPA Sch 1 |
60 | 1/2/12 | Regulatory requirements relating to unlawful acts and dishonesty etc | DPA Sch 1 |
61 | 1/2/13 | Journalism etc in connection with unlawful acts and dishonesty etc | DPA Sch 1 |
62 | 1/2/14 | Preventing fraud "(1) This condition is met if the processing- (a) is necessary for the purposes of preventing fraud or a particular kind of fraud, and (b) consists of- (i) the disclosure of personal data by a person as a member of an anti-fraud organisation, (ii) the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation, or (iii) the processing of personal data disclosed as described in sub-paragraph (i) or (ii). (2) In this paragraph, "anti-fraud organisation" has the same meaning as in section 68 of the Serious Crime Act 2007." | DPA Sch 1 |
63 | 1/2/15 | Suspicion of terrorist financing or money laundering "This condition is met if the processing is necessary for the purposes of making a disclosure in good faith under either of the following- (a) section 21CA of the Terrorism Act 2000 (disclosures between certain entities within regulated sector in relation to suspicion of commission of terrorist financing offence or for purposes of identifying terrorist property), (b) section 339ZB of the Proceeds of Crime Act 2002 (disclosures within regulated sector in relation to suspicion of money laundering)." | DPA Sch 1 |
64 | 1/2/16 | Support for individuals with a particular disability or medical condition | DPA Sch 1 |
65 | 1/2/17 | Counselling etc | DPA Sch 1 |
66 | 1/2/18 | Safeguarding of children and of individuals at risk | DPA Sch 1 |
67 | 1/2/19 | Safeguarding of economic well-being of certain individuals | DPA Sch 1 |
68 | 1/2/20 | Insurance | DPA Sch 1 |
69 | 1/2/21 | Occupational pensions | DPA Sch 1 |
70 | 1/2/22 | Political parties | DPA Sch 1 |
71 | 1/2/23 | Elected representatives responding to requests | DPA Sch 1 |
72 | 1/2/24 | Disclosure to elected representatives | DPA Sch 1 |
73 | 1/2/25 | Informing elected representatives about prisoners | DPA Sch 1 |
74 | 1/2/26 | Publication of legal judgments "This condition is met if the processing- (a) consists of the publication of a judgment or other decision of a court or tribunal, or (b) is necessary for the purposes of publishing such a judgment or decision." | DPA Sch 1 |
75 | 1/2/27 | Anti-doping in sport | DPA Sch 1 |
76 | 1/2/28 | Standards of behaviour in sport | DPA Sch 1 |
77 | 1/4/ | Appropriate policy document and additional safeguards | DPA Sch 1 |
78 | 1/4/38 | Application of this Part of this Schedule "This Part of this Schedule makes provision about the processing of personal data carried out in reliance on a condition in Part 1, 2 or 3 of this Schedule which requires the controller to have an appropriate policy document in place when the processing is carried out." | DPA Sch 1 |
79 | 1/4/39 | Requirement to have an appropriate policy document in place "The controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition described in paragraph 38 if the controller has produced a document which- (a) explains the controller's procedures for securing compliance with the principles in Article 5 of the GDPR (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and (b) explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained." | DPA Sch 1 |
80 | 1/4/40 | Additional safeguard: retention of appropriate policy document "(1) Where personal data is processed in reliance on a condition described in paragraph 38, the controller must during the relevant period- (a) retain the appropriate policy document, (b) review and (if appropriate) update it from time to time, and (c) make it available to the Commissioner, on request, without charge. (2) "Relevant period", in relation to the processing of personal data in reliance on a condition described in paragraph 38, means a period which- (a) begins when the controller starts to carry out processing of personal data in reliance on that condition, and (b) ends at the end of the period of 6 months beginning when the controller ceases to carry out such processing." | DPA Sch 1 |
81 | 1/4/41 | Additional safeguard: record of processing "A record maintained by the controller, or the controller's representative, under Article 30 of the GDPR in respect of the processing of personal data in reliance on a condition described in paragraph 38 must include the following information- (a) which condition is relied on, (b) how the processing satisfies Article 6 of the GDPR (lawfulness of processing), and (c) whether the personal data is retained and erased in accordance with the policies described in paragraph 39(b) and, if it is not, the reasons for not following those policies." | DPA Sch 1 |
82 | 2/5/ | Exemptions etc based on Article 85(2) for reasons of freedom of expression and information | DPA Sch 2 |
83 | 2/5/26 | Journalistic, academic, artistic and literary purposes | DPA Sch 2; ICO guidance |
Item | Reference | Sections of the Data Protection Act 2018 which affect Article 9 | Link | ||||||||||
84 | s. | Special categories of personal data | |||||||||||
85 | s. 10 | Special categories of personal data and criminal convictions etc data (1) Subsections (2) and (3) make provision about the processing of personal data described in Article 9(1) of the GDPR (prohibition on processing of special categories of personal data) in reliance on an exception in one of the following points of Article 9(2)— (a) point (b) (employment, social security and social protection); (b) point (g) (substantial public interest); (c) point (h) (health and social care); (d) point (i) (public health); (e) point (j) (archiving, research and statistics). (2) The processing meets the requirement in point (b), (h), (i) or (j) of Article 9(2) of the GDPR for authorisation by, or a basis in, the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1 of Schedule 1. (3) The processing meets the requirement in point (g) of Article 9(2) of the GDPR for a basis in the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 2 of Schedule 1. (4) Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority. (5) The processing meets the requirement in Article 10 of the GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1. (6) The Secretary of State may by regulations— (a) amend Schedule 1— (i) by adding or varying conditions or safeguards, and (ii) by omitting conditions or safeguards added by regulations under this section, and (b) consequentially amend this section. (7) Regulations under this section are subject to the affirmative resolution procedure. | DPA s.10 |
86 | s. 11 | Special categories of personal data etc: supplementary (1) For the purposes of Article 9(2)(h) of the GDPR (processing for health or social care purposes etc), the circumstances in which the processing of personal data is carried out subject to the conditions and safeguards referred to in Article 9(3) of the GDPR (obligation of secrecy) include circumstances in which it is carried out— (a) by or under the responsibility of a health professional or a social work professional, or (b) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law. (2) In Article 10 of the GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to— (a) the alleged commission of offences by the data subject, or (b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing. | DPA s.11 |
87 | s. 15 | Restrictions on data subject's rights | DPA s.15 | ||||||||||
88 | s. 15 | Exemptions etc (1) Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the GDPR. (2) In Schedule 2— (a) Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 6(3) and Article 23(1) of the GDPR; (b) Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR; (c) Part 3 makes provision restricting the application of Article 15 of the GDPR where this is necessary to protect the rights of others, as allowed for by Article 23(1) of the GDPR; (d) Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR; (e) Part 5 makes provision containing exemptions or derogations from Chapters II, III, IV, V and VII of the GDPR for reasons relating to freedom of expression, as allowed for by Article 85(2) of the GDPR; (f) Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the GDPR for scientific or historical research purposes, statistical purposes and archiving purposes, as allowed for by Article 89(2) and (3) of the GDPR. (3) Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to health, social work, education and child abuse data, as allowed for by Article 23(1) of the GDPR. (4) Schedule 4 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to information the disclosure of which is prohibited or restricted by an enactment, as allowed for by Article 23(1) of the GDPR. (5) In connection with the safeguarding of national security and with defence, see Chapter 3 of this Part and the exemption in section 26. | DPA s.15 |
89 | s. 19 | Processing for archiving, research and statistical purposes: safeguards (1) This section makes provision about— (a) processing of personal data that is necessary for archiving purposes in the public interest, (b) processing of personal data that is necessary for scientific or historical research purposes, and (c) processing of personal data that is necessary for statistical purposes. (2) Such processing does not satisfy the requirement in Article 89(1) of the GDPR for the processing to be subject to appropriate safeguards for the rights and freedoms of the data subject if it is likely to cause substantial damage or substantial distress to a data subject. (3) Such processing does not satisfy that requirement if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research. | DPA s.19 |
Item | Reference | GDPR Recitals which affect Article 9 | |||||||||||
90 | Recital 20 | (20) While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations. | |||||||||||
91 | Recital 33 | (33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose. | |||||||||||
92 | Recital 51 | (51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms. | |||||||||||
93 | Recital 52 | (52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. | |||||||||||
94 | Recital 53 | (53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data. | |||||||||||
95 | Recital 54 | (54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council (11), namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies. | |||||||||||
96 | Recital 55 | (55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest. | |||||||||||
97 | Recital 56 | (56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established. | |||||||||||
Item | Reference | Related Guidance which affects Article 9 | |||||||||||
98 | ICO guidance on consent under GDPR | Guidance | |||||||||||
99 | Article 29 Working Party Guidelines on consent | Guidance | |||||||||||
100 | The meaning of "legal claims" is considered in ICO guidance on international transfers | Guidance | |||||||||||
101 | The meaning of "legal claims" is considered in EDPB guidance on Article 49 | Guidance | |||||||||||
102 | ICO guidance on Lawfulness, fairness and transparency | Guidance | |||||||||||
103 | ICO guidance on Purpose limitation | Guidance | |||||||||||
104 | ICO guidance on Legal obligation | Guidance | |||||||||||
105 | ICO guidance on Vital interests | Guidance | |||||||||||
106 | ICO guidance on Public task | Guidance | |||||||||||
107 | ICO guidance on Special category data | Guidance |