Country
Last reviewed
Genetic, biometric or health data

Austria 05.06.2018 No, the ADPA does not provide conditions for the processing of genetic, biometric or health data. Such special regulations are expected to follow in specific laws for the health-care sector.
Belgium 08.10.2018 Controllers processing genetic, biometric or health data are required to take a number of additional measures, including the requirement to list individuals that have access to such data.
Czech Republic 13.09.2018 Section 16(2) stipulates that special categories of personal data (including genetic, biometric, health data) may be processed for journalistic purposes or for purposes of academic, artistic or literary expression if it is necessary for a legitimate objective and the legitimate interest in the personal data processing overrides the legitimate interests of the data subject.
Denmark 06.09.2018 The Danish Health Act contains more specific rules on processing of personal data within the health sector.
Finland 13.11.2018 The Ministry of Social Affairs and Health is responsible for this area and has prepared two legislative proposals. 

1. Government proposal on a new Act on the Electronic Processing of Customer Data in Social and Health Care Services. This is meant to abrogate the current Act. The proposal has taken into consideration the GDPR requirements, but has not yet been submitted to the Parliament.

2. Government proposal on Secondary Use of Health and Social Data. The purpose is to set rules and requirements for use (processing) of health data for statistical, research and development purposes and to ease permission procedures. The proposal will bring the rules into line with the GDPR. The proposal is currently under discussion in the Parliamentary Committees.
 

France 22.05.2018 The new French Data Protection Act sets out that the CNIL will impose standard regulations on the processing of biometric, genetic and health data, which will set out mandatory technical and organisational measures. This authority will also authorise processing, carried out on behalf of the State, of genetic or biometric data necessary for the authentication of individuals or for identity checks. Moreover, specific consent must be obtained from the participant in a health research study for the processing of their genetic data before the beginning of the study.

The CNIL will publish mandatory standard regulations for the processing of health data for health research studies. The investigator will have to send a declaration of compliance with these regulations to the CNIL before the beginning of the study. However, if the study is not compliant with such regulations, the investigator will need to obtain a specific authorisation from the CNIL before beginning the study. If the CNIL does not respond to the request within two months, the authorisation will be considered as granted.
The information notice for health research studies is changed by the new Data Protection Act. The legal guardians of a child or a protected adult must be informed. However, a child over the age of 15 can object to the transmission of his health data to his legal guardians.
Germany 23.05.2018 Yes - § 22 FDPA stipulates a general framework for the processing of sensitive data, including rules on health data (no explicit restriction to genetic/biometric data). Such processing is, however, only possible if "suitable and specific" safeguards are taken to protect such data. The safeguards may include technical and organisational measures, pseudonymisation, encryption, or the appointment of a Data Protection Officer ("DPO") etc.
Hungary 17.05.2018 n/a
Ireland 12.09.2017 n/a
Italy 17.05.2018 Section 2-septies, IDPA: the Italian DPA is to adopt safeguards for genetic, biometric and health data processing every 2 years. The draft specifies how the guidelines should be adopted and the principles which are to be taken into account by the DPA. High-risk processing of genetic data requires further safeguards; consent can be a further safeguard. Genetic, biometric and health data cannot be disseminated.
Netherlands 17.09.2018 The UAVG provides a limited list of purposes for which processing genetic data, biometric data and health data is allowed.

Article 23 restricts the categories of data processors which may process health data, where processing is based on GDPR Arts. 9(2)(g)+(b)+(h) (employment or social security law; public interest + law; care and treatment).

Under Article 29 UAVG, biometric data can be processed for identification of an individual if the processing is necessary for authentication or security purposes.
Poland 07.09.2018 Employers are allowed to process employees' biometric data if necessary to ensure access control to particularly important information or access control to the premises requiring special protection.
Slovakia 13.09.2018 Genetic, biometric and health data can also be processed on the basis of a special law or international agreement which binds the Slovak Republic (Article 78(5) of the New DPA).
Spain 16.05.2018 Under Article 9 of the Data Protection Draft Bill, the law may enable the processing of data concerning health when required for the management of health care systems or the execution of an insurance contract to which the data subject is party.
The Data Protection Draft Bill does not provide regulation for genetic and biometric data.
Sweden 06.09.2018 Swedish Act on Patient Data (2008:355) provides further conditions for the processing of personal data in health care. 
UK 22.05.2018

Art. 9(2)(h) provided for by Schedule 1, Part 1, § 2. 
Art. 9(2)(i) provided for by Schedule 1, Part 1, § 3. 
*Processing of data concerning health, racial or ethnic origin, genetic or biometric data, sexual life or orientation by not-for-profit bodies providing support to those with a disability or medical condition is permitted - must be necessary for reasons of substantial public interest; condition not available if the organisation is aware the data subject withholds consent - Schedule 1, Part 2, § 16.

*Schedule 1, Part 2, § 20 - processing personal data relating to racial/ethnic origin; religious or philosophical beliefs; trade union membership; genetic data or health data - permitted for insurance purposes (where there is no impact on the actual data subject).

*Schedule 1, Part 1, § 21 - processing of health data about relatives of members of occupational pension schemes - where no impact on the data subject. 

* Must also have an appropriate policy document in place which sets out how the controller will comply with the principles at Art. 5 GDPR; retention and erasure (including indicating retention periods). The policy document must be reviewed and be available to the Information Commissioner on request. The record of processing must specify the lawful basis for processing under Arts. 9 & 6 GDPR; whether processing meets the policy documents described above. (Schedule 1, Part 4)