Genetic, biometric or health data

Last reviewed
Genetic, biometric or health data

Austria 05.06.2018 No, the ADPA does not provide conditions for the processing of genetic, biometric or health data. Such special regulations are expected to follow in specific laws for the health-care sector.
Belgium 08.10.2018 n/a
Czech Republic 13.09.2018 Section 16(2) stipulates that special categories of personal data (including genetic, biometric, health data) may be processed for journalistic purposes or for purposes of academic, artistic or literary expression if it is necessary for a legitimate objective and the legitimate interest in the personal data processing overrides the legitimate interests of the data subject.
Denmark 06.09.2018 n/a
Finland 13.11.2018 The Ministry of Social Affairs and Health is responsible for this area and has prepared two legislative proposals. 

1. Government proposal on a new Act on the Electronic Processing of Customer Data in Social and Health Care Services. This is meant to abrogate the current Act. The proposal has taken into consideration the GDPR requirements, but has not yet been submitted to the Parliament.

2. Government proposal on Secondary Use of Health and Social Data. The purpose is to set rules and requirements for use (processing) of health data for statistical, research and development purposes and to ease permission procedures. The proposal will bring the rules into line with the GDPR. The proposal is currently under discussion in the Parliamentary Committees.

France 11.02.2019 Chapter IX of the FDPA.
Article 54. Processing of biometric, genetic and health data can only be carried out for public interest purposes.
The CNIL will impose standard regulations for the processing of biometric, genetic and health data, which will set out mandatory technical and organisational measures to implement prior to any processing.

Article 53. Exemptions: A list of processing activities are excluded (e.g. processing of personal data by doctors carried out in health establishments for medical information purposes, processing carried out for the purpose of ensuring the provision of benefits by health insurance providers, processing activities listed in Article 8 (II) (1°-6°) etc.). Biometric data can also be processed by employers to control access to the workplace in limited circumstances (Art. 8 (II) (9°)).
Germany 23.05.2018 Yes - § 22 FDPA stipulates a general framework for the processing of sensitive data, including rules on health data (no explicit restriction to genetic/biometric data). Such processing is, however, only possible if "suitable and specific" safeguards are taken to protect such data. The safeguards may include technical and organisational measures, pseudonymisation, encryption, or the appointment of a Data Protection Officer ("DPO") etc.
Hungary 01/04/2019 No specific provisions.
Ireland  12.09.2017 n/a
Italy 25.10.2018 IDPA Section 2-septies, 1. Guidance on the safeguards for the processing of genetic, biometric and health data processing should be issued every 2 years. 

In case of high risk processing of genetic data, consent can be a further safeguard, and/or others should be applied (Section 2-septies, (6)). Genetic, biometric and health data cannot be disseminated (Section 2-septies, (7)).
Within 90 days from the entry into force of the Decree (last term is on 18th December 2018) the Authority will identify the applicable safeguards. The existing authorization regime will remain applicable for the processing of genetic and health data until it is replaced by the upcoming safeguards.
Netherlands 17.09.2018 The UAVG provides a limited list of purposes for which processing genetic data, biometric data and health data is allowed.

Article 23 restricts the categories of data processors which may process health data, where processing is based on GDPR Arts. 9(2)(g)+(b)+(h) (employment or social security law; public interest + law; care and treatment).

Article 29 UAVG biometric data can be processed for identification of an individual if the processing is necessary for authentication or security purposes. 
Poland 07.09.2018 Employers are allowed to process employees' biometric data if necessary to ensure access control to particularly important information or access control to the premises requiring special protection.
Slovakia 13.09.2018  Genetic, biometric and health data can also be processed on the basis of a special law or international agreement which binds the Slovak Republic (Article 78 (5) of New DPA).
Spain 05.03.2019 Article 9 of the SDPA also addresses the processing of health data.Such data may be processed when required for the management of health care systems or the execution of an insurance contract to which the data subject is party.
Sweden 06.09.2018 Swedish Act on Patient Data (2008:355) provides further conditions for the processing of personal data in health care.
UK 22.05.2018

Art. 9(2)(h) provided for by Schedule 1, Part 1, § 2. 
Art. 9(2)(i) provided for by Schedule 1, Part 1, § 3. 
*Processing of data concerning health, racial or ethnic origin, genetic or biometric data, sexual life or orientation by not for profit bodies providing support to those with a disability or medical condition permitted - must be necessary for reasons of substantial public interest; condition not available if organisation is aware the data subject withholds consent - Schedule 1, Part 2, § 16. 

*Schedule 1, Part 2, § 20 - processing personal data relating to racial/ ethnic origin; religious or philosophical beliefs; trade union membership; genetic data or health data - permitted for insurance purposes (where there is no impact on the actual data subject).

*Schedule 1, Part 1, § 21 - processing of health data about relatives of members of occupational pension schemes - where no impact on the data subject. 

* must also have an appropriate policy document in place which sets out how the controller will comply with principles at Art 5 GDPR; retention and erasure (including indicating retention periods). Policy document must be reviewed and be available to the Information Commissioner on request.  Record of processing must specify lawful basis for processing under Arts. 9 & 6 GDPR; whether processing meets the policy documents described above.  (Schedule 1, Part 4)