Genetic, biometric or health data


Last reviewed
Genetic, biometric or health data

Austria 05.06.2018 No, the ADPA does not provide conditions for the processing of genetic, biometric or health data. Such special regulations are expected to follow in specific laws for the health-care sector.
Belgium 17.05.2018 n/a
Czech Republic 16.05.2018 n/a
Denmark 22.05.2018 Danish Health Act contains more specific rules on processing of personal data within the health sector.
Finland 17.05.2018 The Ministry of Social Affairs and Health is responsible for this area and has prepared two legislative proposals. 

1: governmental draft on new Act on the Electronic Processing of Customer Data in Social and Health Care Services. This is meant to abrogate the current Act. The proposal has taken into consideration the GDPR requirements, but has not yet been submitted to the Parliament.

2: proposal on Secondary Use of Health and Social Data. The purpose is to set rules and requirements for use (processing) of health data for statistical, research and development purposes and to ease permission procedures. The proposal will bring the rules into line with the GDPR. Proposal submitted to Parliament in October 2017 and now under discussion in the Parliament Committees. Intended to enter into force on 1st July 2018.
France 22.05.2018 The new French Data Protection Act sets out that the CNIL will impose standard regulations on the processing of biometric, genetic and health data, which will set out mandatory technical and organisational measures. This authority will also authorise processing of genetic or biometric data carried out on behalf of the State where necessary for the authentication of individuals or for identity checks. Moreover, specific consent must be obtained from a participant in a health research study for the processing of their genetic data before the beginning of the study.

The CNIL will publish mandatory standard regulations for the processing of health data for health research studies. The investigator will have to send a declaration of compliance with these regulations to the CNIL before the beginning of the study. However, if the study is not compliant with such regulations, the investigator will need to obtain a specific authorisation from the CNIL before beginning the study. If the CNIL does not respond to the request within two months, the authorisation will be considered as granted.
The information notice for health research studies is changed by the new Data Protection Act. The legal guardians of a child or a protected adult must be informed. However, a child over the age of 15 can object to the transmission of his health data to his legal guardians.
Germany 23.05.2018 Yes - § 22 FDPA stipulates a general framework for the processing of sensitive data, including rules on health data (no explicit restriction to genetic/biometric data). Such processing is, however, only possible if "suitable and specific" safeguards are taken to protect such data. The safeguards may include technical and organisational measures, pseudonymisation, encryption, or the appointment of a Data Protection Officer ("DPO") etc.
Hungary 17.05.2018 n/a
Ireland 12.09.2017 n/a
Italy 17.05.2018 Section 2-septies, IDPA: Italian DPA to adopt safeguards for genetic, biometric and health data processing every 2 years. Draft specifies how the guidelines should be adopted and the principles which are to be taken into account by DPA. High risk processing of genetic data requires further safeguards - consent can be a further safeguard. Genetic, biometric and health data cannot be disseminated.
Netherlands 17.05.2018

The UAVG provides a limited list of purposes for which processing genetic data, biometric data and health data is allowed.

Art 23 restricts the categories of data processors which may process health data, where processing is based on GDPR Arts. 9(2)(g)+(b)+(h) (employment or social security law; public interest + law; care and treatment).

Article 29 UAVG: biometric data can be processed for identification of an individual if the processing is necessary for authentication or security purposes.

Poland 16.05.2018 (i) employers are allowed to process biometric data of employees if necessary to ensure access control to particularly important information or access control to the premises requiring special protection, (ii) banks/ payment service providers are allowed to process client's biometric data in order to verify their identity or authenticate their activities, upon receiving their explicit consent.
Spain 16.05.2018 Under Article 9 of the Data Protection Draft Bill, the law may enable the processing of data concerning health when required for the management of health care systems or the execution of an insurance contract to which the data subject is party.
The Data Protection Draft Bill does not provide regulation for genetic and biometric data.
Sweden 22.05.2018 n/a
UK 22.05.2018

Art. 9(2)(h) provided for by Schedule 1, Part 1, § 2. 
Art. 9(2)(i) provided for by Schedule 1, Part 1, § 3. 
*Processing of data concerning health, racial or ethnic origin, genetic or biometric data, sexual life or orientation by not-for-profit bodies providing support to those with a disability or medical condition permitted - must be necessary for reasons of substantial public interest; condition not available if organisation is aware the data subject withholds consent - Schedule 1, Part 2, § 16.

*Schedule 1, Part 2, § 20 - processing personal data relating to racial/ ethnic origin; religious or philosophical beliefs; trade union membership; genetic data or health data - permitted for insurance purposes (where there is no impact on the actual data subject).

*Schedule 1, Part 1, § 21 - processing of health data about relatives of members of occupational pension schemes - where no impact on the data subject.

* must also have an appropriate policy document in place which sets out how the controller will comply with principles at Art 5 GDPR; retention and erasure (including indicating retention periods). Policy document must be reviewed and be available to the Information Commissioner on request. Record of processing must specify lawful basis for processing under Arts. 9 & 6 GDPR; whether processing meets the policy documents described above. (Schedule 1, Part 4)