Special rules for special categories of data

Country | Last reviewed | Special rules for special categories of personal data

Austria 05.06.2018 Sec 7 (3) ADPA provides that the processing of special categories of personal data for scientific, historical or statistical purposes requires an "important public interest".

Beyond this, the ADPA does not provide any general rules for the processing of special categories of personal data.

However, Sec 4 (3) ADPA contains preconditions for the processing of personal data relating to criminal convictions and offences. Such data can be processed lawfully based on (i) an explicit statutory provision or (ii) legitimate interests of the controller or a third party.
Belgium 08.10.2018

BPA identifies six (6) categories of instances in which processing personal data relating to criminal convictions and offences without the control of official authority is allowed:

  • Processing by natural persons or private or public-law legal persons insofar as necessary for the management of their own disputes;
  • Processing carried out by lawyers necessary for the defence of their client's interests;
  • Processing by other persons where necessary for reasons of substantial public interest for fulfilling tasks in the public interest as defined by law;
  • Processing required for scientific, historical or statistical research or for archiving purposes;
  • Express written consent by the data subject for processing for one or more well-defined purposes and the processing is limited to those purposes;
  • Personal data that have clearly been made public by the data subject on its own initiative for one or more well-defined purposes and the processing is limited to those purposes.

Additionally, the BPA introduces specific safeguards for processing of such data, including the requirement to list individuals that have access to such data.

Czech Republic 13.09.2018 Section 16(2) stipulates that special categories of personal data may be processed for journalistic purposes or for purposes of academic, artistic or literary expression if it is necessary for a legitimate objective and the legitimate interest in the personal data processing overrides the legitimate interests of the data subject.
Denmark 06.09.2018 § 7(1) states that the legal bases in GDPR art. 9(1)(a) and (c-f) apply directly in Denmark without any modifications or limitations. 

§ 7(2)-(4), however, only partially activates the legal bases in GDPR art. 9(1)(b), (g) and (h), i.e. with certain modifications compared to the wording of the GDPR articles, in line with Danish legislation. 

§ 7(5) provides that a minister may, after negotiations with the minister of justice, establish specific rules on the processing of special category data within the framework of the GDPR.
Finland 13.11.2018 Sections 6 and 7 of the Data Protection Act provide exceptions where Article 9(1) of the GDPR is not applicable. There are two particularly relevant special permissions: 

First, a special permission to process special categories of personal data for insurance companies for the purposes of clarifying their liabilities.

Second, a special permission for processing of data related to criminal convictions and offences for the purposes of legal proceedings.
France 11.02.2019 Article 54 (III): prior authorizations are still required under certain conditions for health data processing.
Article 8: the FDPA adds new circumstances in which processing of special categories of data is allowed, such as:
- processing of biometric data strictly necessary to control access to the workplace and devices and applications used by employees, agents, trainees or service providers;
- processing relating to health data and public research under certain circumstances; and,
- processing relating to the re-use of public information under certain circumstances.

Article 9 of the FDPA and Article 41 of the Decree: the list of persons authorized to process criminal data is extended.
Germany 23.05.2018 § 22 FDPA stipulates a general framework for the processing of sensitive data, including rules on health data.
Hungary 01/04/2019 The definition of ‘special data’ in the InfoAct is applicable for data processing activities falling under the scope of the GDPR. The categories of data falling under this definition are similar to those of Article 9(1) of the GDPR. The amended InfoAct also keeps the definition of ‘criminal personal data’ and this is also applicable to data processing activities falling under the scope of the GDPR.

Article 5(7) of the InfoAct provides that the provisions applicable to "special data" are also applicable to "criminal personal data".
Ireland 12.09.2017 Under Part 3 of the Data Protection Act 2018, the processing of special categories of personal data is lawful in certain limited circumstances:
• for purposes of employment and social welfare law;
• for purposes of legal advice and legal proceedings;
• for electoral activities and functions of the Referendum Commission;
• for purposes of administration of justice and performance of functions;
• for insurance and pension purposes;
• for reasons of substantial public interest;
• for purposes of Article 9(2)(h) of the GDPR;
• for purposes of public interest in the area of public health;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. 
Italy 25.10.2018 IDPA Section 2-sexies, 2 specifies that a "substantial public interest" is a viable lawful basis for the processing of special categories of personal data. 
Netherlands 17.09.2018 The UAVG allows derogations for processing data relating to racial and ethnic origin, religious or philosophical belief, and political opinions.
The GDPR Execution Act (UAVG) includes provisions which provide for a limited list of purposes/specific circumstances under which derogation from the prohibition on processing special categories of personal data is allowed (note that most are in line with derogations currently found under the Dutch Data Protection Act): racial and ethnic origin (article 22), religious or philosophical belief (article 29), political opinions (article 30).

Regarding processing of personal data relating to criminal convictions and offences or related security measures, a list is provided of categories of processors that may process such data (article 31 and wet politiegegevens & wet justitiële en strafvorderlijke gegevens) - this is the same as current Dutch local law on criminal data.

Article 25 UAVG: ethnic and racial data can be processed for positive discrimination/equal treatment purposes.
Poland 07.09.2018 Changes applicable to the private sector include, e.g., changes to (i) the Act on Insurance and Reinsurance Activity, enabling insurance companies to process personal data, including health data, in an automated manner, including through profiling, in order to assess insurance risk and perform insurance contracts, and (ii) the Public Procurement Law, which provides that the transparency principle is not applicable to special categories of personal data collected in the procurement procedure.
Slovakia 13.09.2018 Essentially the same as under GDPR.
Spain 05.03.2019 In order to avoid discriminatory situations, the consent of the data subject shall not be sufficient to lift the prohibition on the processing of this type of data when the principal purpose of this processing is to identify his or her ideology, trade union membership, religion, sexual orientation, beliefs or racial or ethnic origin.

Additionally, the SDPA states that the processing of special categories of personal data based on the public interest, for the purposes of preventive or occupational medicine or public interest in the area of public health, shall be based on a standard with the rank of law, and this law could establish additional requirements for their security and confidentiality.
Sweden 06.09.2018 The Act clarifies that Article 9(a), (c), (d), (e) and (f) GDPR are directly applicable and further provides that sensitive personal data may be processed in accordance with Chapter 3, Sections 2-7 §§ of the new Data Protection Act (clarifying the criteria for processing of sensitive data under Article 9(b), (g), (h) and (j) GDPR).
UK 22.05.2018

The Data Protection Act 2018 contains provisions about the processing of special categories of personal data and criminal offence data.

The processing meets the requirement in Article 9(2)(b), (h), (i) or (j) GDPR for authorisation by, or a basis in, UK law only if it meets a condition in Part 1 of Schedule 1 of the Act.

The processing meets the requirement in Article 9(2)(g) of the GDPR for a basis in UK law only if it meets a condition in Part 2 of Schedule 1 of the Act.

The processing meets the requirement in Article 10 GDPR for authorisation by UK law only if it meets a condition in Part 1, 2 or 3 of Schedule 1 of the Act.

Except in limited cases, an 'appropriate policy document' must be in place which sets out how the controller will comply with the principles at Article 5 GDPR and retention and erasure (including indicating retention periods). The policy document must be reviewed and be available to the Information Commissioner on request. The record of processing must specify the lawful basis for processing under Articles 9 & 6 GDPR and whether processing meets the policy documents described above. (Schedule 1, Part 4)