Special rules for special categories of data

Overview

Country
Last reviewed
Special rules for special categories of personal data

Austria 05.06.2018 Sec 7 (3) ADPA provides that the processing of special categories of personal data for scientific, historical or statistical purposes requires an "important public interest".

Besides, the ADPA does not provide for any general rules for the processing of special categories of personal data.

However, Sec 4 (3) ADPA contains preconditions for the processing of personal data relating to criminal convictions and offences. Such data can be processed lawfully based on (i) an explicit statutory provision or (ii) legitimate interests of the controller or a third party.
Belgium 17.05.2018 n/a
Czech Republic 16.05.2018 n/a
Denmark 22.05.2018 § 7(5) provides that a minister after negotiations with the Minister of Justice may establish specific rules on the processing of special category data within the framework of the GDPR.
Finland 17.05.2018 Sections 6 and 7 of the proposed Data Protection Act define exceptions where Article 9(1) of the GDPR is not applicable. There are two relevant special permissions: (i) for the processing of special categories of personal data for insurance companies for the purposes of clarifying their liabilities; and (ii) for the processing of data related to criminal convictions and offences for the purposes of legal proceedings.
France 22.05.2018 The new French Data Protection Act adds three new cases where the processing of special categories of data is allowed:
- For the processing of biometric data necessary to control the access to the workplaces and necessary to the use of devices and applications by employees, agents, or trainees;
- For the processing of public information concerning rulings and court decisions, on the condition that the re-identification of the individuals is impossible
- For the processing necessary to public research and after obtaining an authorization from the CNIL
Germany 23.05.2018 § 22 FDPA stipulates a general framework for the processing of sensitive data, including rules on health data.
Hungary 17.05.2018 n/a 
Ireland  12.09.2017  Under Part 3 of the Data Protection Act 2018, the processing of special categories of personal data is lawful in certain limited circumstances:
• for purposes of employment and social welfare law;
• for purposes of legal advice and legal proceedings;
• for electoral activities and functions of the Referendum Commission;
• for purposes of administration of justice and performance of functions;
• for insurance and pension purposes;
• for reasons of substantial public interest;
• for purposes of Article 9(2)(h) of the GDPR;
• for purposes of public interest in the area of public health;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. 
Italy 17.05.2018 Section 2-sexies, 2, letters from a) to v) provides provisions on the meaning of the 'substantial public interest' lawful basis for  processing special categories of personal data under Article 9(2)(g) GDPR. 
Netherlands 17.05.2018

The UAVG allows derogations for personal data revealing racial and ethnic origin, religious or philosophical belief, and political opinions.

The UAVG includes a limited list of purposes /specific circumstances under which derogation from the prohibition of special categories of personal data is allowed (note that most are in line with derogations currently found under the Dutch Data Protection Act. For racial and ethnic origin personal data, see Article 22, for religious or philosophical belief, see Article 29 and for political opinions personal data, see Article 3). 

In relation to the processing of personal data relating to criminal convictions and offences or related security measures, a list of categories of parties that may process such data (Article 31 and wet politiegegevens & wet justitiële en strafvorderlijke gegevens) is provided - this is the same as current Dutch law on criminal data.

Under Article 25 UAVG, ethnic and racial data can be processed for positive discrimination/equal treatment purposes.

Poland 16.05.2018 n/a
Spain 16.05.2018 According to Article 9 of the Spanish Data Protection Draft Bill, individual's consent will not serve as legitimate ground for processing ideological, trade union membership, sexual orientation, religion, beliefs or ethnic origin data. Additional grounds are needed.
The Spanish Data Protection Draft Bill states that the exclusions for the processing of special categories of personal data contained in Article 9(2)(g), (h) and (i) GDPR shall be based on a law, which could establish additional requirements for their security and confidentiality.
Sweden 22.05.2018 The Act clarifies that Article 9(a), (c), (d), (e) and (f)  GDPR are directly applicable and further provides that sensitive personal data may be processed in accordance with Chapter 3, Sections 2-7 of the new Data Protection Act (which clarify the criteria for processing of sensitive data under Article 9(b), (g), (h) and (j) GDPR).
UK 22.05.2018

The Data Protection Act 2018 contains provisions about the processing of special categories of personal data and criminal offence data.

The processing meets the requirement in Article 9(2)(b), (h), (i) or (j) GDPR for authorisation by, or a basis in, the UK law only if it meets a condition in Part 1 of Schedule 1 of the Act.

The processing meets the requirement in Article 9(2)(g) of the GDPR for a basis in UK law only if it meets a condition in Part 2 of Schedule 1 of the Act.

The processing meets the requirement in Article 10 GDPR for authorisation by UK law only if it meets a condition in Part 1, 2 or 3 of Schedule 1 of the Act.

Except in limited cases, an 'appropriate policy document' in place which sets out how the controller will comply with principles at Article 5 GDPR and retention and erasure (including indicating retention periods). Policy document must be reviewed and be available to the Information Commissioner on request.  Record of processing must specify the lawful basis for processing under Articles 9 & 6 GDPR and whether processing meets the policy documents described above.  (Schedule 1, Part 4)