GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗». Author Adv. Prashant Mali
Paragraph 1 shall not apply if one of the following applies:
The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law
provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
Processing relates to personal data which are manifestly made public by the data subject;
Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim
pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
Suitable Recitals
(46) Vital interests of the data subject; (51) Protecting sensitive personal data; (52) Exceptions to the prohibition on processing special categories of personal data; (53) Processing of sensitive data in health and social sector; (54) Processing of sensitive data in public health sector; (55) Public interest in processing by official authorities for objectives of recognized religious communities; (56) Processing personal data on people's political opinions by parties.
COMMENTARY:
Special data under the GDPR vs. Sensitive data under the DPD
With regard to special data, the changes appear, at first glance, to be minor. The GDPR refers to sensitive personal data as “special categories of personal data” (Article 9 of the GDPR). These categories are broadly the same as those in the DPD, except that sensitive data now specifically includes; “genetic data” and “biometric data”, where processed “to uniquely identify a person”. Personal data relating to criminal convictions and offences are not included in those categories, but similar extra safeguards apply to their processing under the GDPR as are currently in effect under the DPD (Article 10 of the GDPR).
Article 9.2 sets out the circumstances in which the processing of “special categories of personal data”, otherwise prohibited, may occur. These grounds largely replicate those under the DPD, which are principally: the explicit consent of the data subject, the performance of specific contracts or processing for specific purposes (e.g. vital interest of an individual or public interest in the area of health, employment, social security, etc.).
Pursuant to these provisions, data controllers must be able to demonstrate that they have a legal basis for the processing of special data. However, the GDPR introduces a new requirement in its Article 35 to perform a Privacy Impact Assessment (PIA) when a type of processing is likely to result in a high risk to the rights and freedoms of data subjects. PIAs are mandatory in the case of large-scale processing of special categories of data (Article 35.3 (b) of the GDPR). Furthermore,
Article 36.1 specifies that the data controller must consult the competent Data Protection Authority prior to starting the processing when the PIA indicates that such processing is likely to result in a high risk to individuals in the absence of measures taken by the data controller to mitigate such risk.
This means that under the GDPR, having a legal basis, such as the consent of the data subject, will no longer be sufficient to process special personal data in cases where the risk to individuals is high, unless the relevant Data Protection Authority sanctions the processing.
Health data
Of all the categories of special data, health-related information - very sensitive in nature - is of particular interest with the increasing use of big data analytics and new technologies in the health and 'wellness' sectors. Here, the changes are more significant. It is to be noted that there are a number of exceptions to the restrictions on processing health data under Article 9.2, including where the processing is necessary for various medical assessments and where the processing is necessary for reasons of public interest in public health.
Also, Member States are entitled, under Article 9(4) GDPR, to maintain or impose further conditions (including limitations) in respect of genetic, biometric or health data. As such, existing differences in approach on these topics will likely be maintained, and further divergence across Member States will be permitted. France already has its own regime under which (i) the processing of health data requires a preliminary declaration or authorisation regime, and (ii) a very specific set of policies and regulation for organisations which host such data has been created.
The GDPR introduces a wide definition of health data: “Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test” (Recital 35). This new definition will help processors and controllers to identify whether the data they collect constitutes health data in order to implement adequate safeguards and document their records adequately. All organisations processing special data will need to become well acquainted with the new EU data protection rules as well as relevant national law and review their existing policies, procedures, and practices to ensure compliance.
Art. 10 GDPR Processing of personal data relating to criminal convictions and offences
Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
Suitable Recitals
(50) Further processing of personal data.
COMMENTARY:
Article 10 means you must either be processing the data in an official capacity, or have specific legal authorisation – which in the UK, is likely to mean a condition under the Data Protection Bill and compliance with the additional safeguards set out in the Bill. We will publish more detailed guidance on the conditions in the Bill once these provisions are finalised. Even if you have a condition for processing offence data, you can only keep a comprehensive register of criminal convictions if you are doing so in an official capacity.
At a glance
To process personal data about criminal convictions or offences, you must have both a lawful basis under Article 6 and either legal authority or official authority for the processing under Article 10.
The Data Protection Bill deals with this type of data in a similar way to special category data, and sets out specific conditions providing lawful authority for processing it.
You can also process this type of data if you have official authority to do so because you are processing the data in an official capacity.
You cannot keep a comprehensive register of criminal convictions unless you do so in an official capacity.
You must determine your condition for lawful processing of offence data (or identify your official authority for the processing) before you begin the processing, and you should document this.
What’s new?
The GDPR rules for sensitive (special category) data do not apply to information about criminal allegations, proceedings or convictions. Instead, there are separate safeguards for personal data relating to criminal convictions and offences, or related security measures, set out in Article 10. Article 10 also specifies that you can only keep a comprehensive register of criminal convictions if you are doing so under the control of official authority.
What is criminal offence data?
Article 10 applies to personal data relating to criminal convictions and offences, or related security measures. In this guidance, we refer to this as criminal offence data. This concept of criminal offence data includes the type of data about criminal allegations, proceedings or convictions that would have been sensitive personal data under the 1998 Act. However, it is potentially broader than this. In particular, Article 10 specifically extends to personal data linked to related security measures.
What’s different about criminal offence data?
You must still have a lawful basis for your processing under Article 6, in exactly the same way as for any other personal data. The difference is that if you are processing personal criminal offence data, you will also need to comply with Article 10.
Art. 11 GDPR Processing which does not require identification
If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by
Comments (0)