||Special rules for special categories of personal data
|Austria||05.06.2018||Sec 7 (3) ADPA provides that the processing of special categories of personal data for scientific, historical or statistical purposes requires an "important public interest".
Besides, the ADPA does not provide for any general rules for the processing of special categories of personal data.
However, Sec 4 (3) ADPA contains preconditions for the processing of personal data relating to criminal convictions and offences. Such data can be processed lawfully based on (i) an explicit statutory provision or (ii) legitimate interests of the controller or a third party.
BPA identifies six (6) categories of instances in which processing personal data relating to criminal convictions and offences without the control of official authority is allowed:
Additionally, the BPA introduces specific safeguards for processing of such data, including the requirement to list individuals that have access to such data.
|Czech Republic||13.09.2018||Section 16(2) stipulates that special categories of personal data may be processed for journalistic purposes or for purposes of academic, artistic or literary expression if it is necessary for a legitimate objective and the legitimate interest in the personal data processing overrides the legitimate interests of the data subject.
|Denmark||06.09.2018||§ 7(1) states that the legal bases in GDPR art. 9(1)(a) and (c-f) apply directly in Denmark without any modifications or limitations.
§ 7(2)-(4), however, only partially activates the legal bases in GDPR art. 9(1)(b), (g) and (h), i.e. with certain modifications compared to the wording of the GDPR articles, in line with Danish legislation.
§ 7(5) provides that a minister may, after negotiations with the minister of justice, establish specific rules on the processing of special category data within the framework of the GDPR.
|Finland||13.11.2018||Sections 6 and 7 of the Data Protection Act provide exceptions where Article 9(1) of the GDPR is not applicable. There are two particularly relevant special permissions:
First, a special permission to process special categories of personal data for insurance companies for the purposes of clarifying their liabilities.
Second, a special permission for processing of data related to criminal convictions and offences for the purposes of legal proceedings.
|France||11.02.2019||Article 54 (III). Prior authorizations still required in certain conditions in case of health data processing.
Article 8. The FDPA adds new circumstances where processing of special categories of data is allowed such as:
- processing of biometric data strictly necessary to control access to the workplace and devices and applications used by employees, agents, trainees or service providers;
- processing relating to health data and public research under certain circumstances; and,
- processing relating to the re-use of public information under certain circumstances.
Article 9 of the FDPA and Article 41 of the Decree: the list of persons authorized to process criminal data is extended.
|Germany||23.05.2018||§ 22 FDPA stipulates a general framework for the processing of sensitive data, including rules on health data.|
|Hungary||01/04/2019||The definition of ‘special data’ in the InfoAct is applicable for data processing activities falling under the scope of the GDPR. The categories of data falling under this definition are similar to those of Article 9(1) of the GDPR. The amended InfoAct also keeps the definition of ‘criminal personal data’ and this is also applicable to data processing activities falling under the scope of the GDPR.
Article 5(7) of the InfoAct provides that the provisions applicable to "special data" are also applicable to "criminal personal data".
|Ireland||12.09.2017||Under Part 3 of the Data Protection Act 2018, the processing of special categories of personal data is lawful in certain limited circumstances:
• for purposes of employment and social welfare law;
• for purposes of legal advice and legal proceedings;
• for electoral activities and functions of the Referendum Commission;
• for purposes of administration of justice and performance of functions;
• for insurance and pension purposes;
• for reasons of substantial public interest;
• for purposes of Article 9(2)(h) of the GDPR;
• for purposes of public interest in the area of public health;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
|Italy||25.10.2018||IDPA Section 2-sexies, 2 specifies that a "substantial public interest" is a viable lawful basis for the processing of special categories of personal data.|
|Netherlands||17.09.2018||The UAVG allows derogations for processing data relating to racial and ethnic origin, religious or philosophical belief, and political opinions.
The GDPR Execution Act UAVG includes provisions which provide for a limited list of purposes /specific circumstances under which derogation from the prohibition of special categories of personal data is allowed (note that most are in line with derogations currently found under the Dutch data Protection Act): racial and ethnic origin (article 22), religious or philosophical belief (article 29), political opinions (article 30).
Regarding processing of personal data relating to criminal convictions and offences or related security measures, a list is provided of categories of processors that may process such data (article 31 and wet politiegegevens & wet justitiële en strafvorderlijke gegevens) - this is the same as current Dutch local law on criminal data."
Article 25 UAVG ethnic and racial data can be processed for positive discrimination/equal treatment purposes.
|Poland||07.09.2018||Changes applicable to the private sector include, e.g. changes to (i) the Act on Insurance and Reinsurance Activity enabling insurance companies to process personal data, including health data, in an automated manner, including through profiling, in order to assess insurance risk and perform insurance contracts, and (ii) the Public Procurement Law which provides that transparency principle is not applicable to special categories of personal data collected in the procurement procedure.|
|Slovakia||13.09.2018||Essentially the same as under GDPR.|
|Spain||05.03.2019||In order to avoid discriminatory situations, the consent of the data subject shall not be sufficient to lift the prohibition on the processing of this type of data when the principal purpose of this processing is to identify his or her ideology, trade union membership, religion, sexual orientation, beliefs or racial or ethnic origin.
Additionally, the SDPA states that the processing of special categories of personal data based in the public interest, for the purposes of preventive or occupational medicine or public interest in the area of public health shall be based on a standard with the rank of law, and this law could establish additional requirements for their security and confidentiality.
|Sweden||06.09.2018||The Act clarifies that Article 9(a), (c), (d), (e) and (f) GDPR are directly applicable and further provides that sensitive personal data may be processed in accordance with Chapter 3, Sections 2-7 §§ of the new Data Protection Act (clarifying the criteria for processing of sensitive data under Article 9(b), (g), (h) and (j) GDPR).|
The Data Protection Act 2018 contains provisions about the processing of special categories of personal data and criminal offence data.
The processing meets the requirement in Article 9(2)(b), (h), (i) or (j) GDPR for authorisation by, or a basis in, the UK law only if it meets a condition in Part 1 of Schedule 1 of the Act.
The processing meets the requirement in Article 9(2)(g) of the GDPR for a basis in UK law only if it meets a condition in Part 2 of Schedule 1 of the Act.
The processing meets the requirement in Article 10 GDPR for authorisation by UK law only if it meets a condition in Part 1, 2 or 3 of Schedule 1 of the Act.
Except in limited cases, an 'appropriate policy document' in place which sets out how the controller will comply with principles at Article 5 GDPR and retention and erasure (including indicating retention periods). Policy document must be reviewed and be available to the Information Commissioner on request. Record of processing must specify the lawful basis for processing under Articles 9 & 6 GDPR and whether processing meets the policy documents described above. (Schedule 1, Part 4)