Special rules for special categories of data

Overview

Country  Last reviewed  Special rules for special categories of personal data

Austria 05.06.2018 Sec 7 (3) ADPA provides that the processing of special categories of personal data for scientific, historical or statistical purposes requires an "important public interest".

Apart from this, the ADPA does not provide any general rules for the processing of special categories of personal data.

However, Sec 4 (3) ADPA contains preconditions for the processing of personal data relating to criminal convictions and offences. Such data can be processed lawfully based on (i) an explicit statutory provision or (ii) legitimate interests of the controller or a third party.
Belgium 08.10.2018 The BPA identifies six (6) categories of instances in which the processing of personal data relating to criminal convictions and offences without the control of official authority is allowed, notably:

- Processing by natural persons or private or public-law legal persons insofar as necessary for the management of their own disputes;
- Processing carried out by lawyers necessary for the defence of their client's interests;
- Processing by other persons where necessary for reasons of substantial public interest for fulfilling tasks in the public interest as defined by law;
- Processing required for scientific, historical or statistical research or for archiving purposes;
- Express written consent by the data subject for processing for one or more well-defined purposes and the processing is limited to those purposes;
- Personal data that have clearly been made public by the data subject on its own initiative for one or more well-defined purposes and the processing is limited to those purposes.

Additionally, the BPA introduces specific safeguards for processing of such data, including the requirement to list individuals that have access to such data.
Czech Republic 13.09.2018 Section 16(2) stipulates that special categories of personal data may be processed for journalistic purposes or for purposes of academic, artistic or literary expression if it is necessary for a legitimate objective and the legitimate interest in the personal data processing overrides the legitimate interests of the data subject.
Denmark 06.09.2018 § 7(1) states that the legal bases in GDPR art. 9(1)(a) and (c-f) apply directly in Denmark without any modifications or limitations.

§ 7(2)-(4), however, only partially activate the legal bases in GDPR art. 9(1)(b), (g) and (h), i.e. with certain modifications compared to the wording of the GDPR articles, in line with Danish legislation.

§ 7(5) provides that a minister may, after negotiations with the minister of justice, establish specific rules on the processing of special category data within the framework of the GDPR.
Finland 17.05.2018 Sections 6 and 7 of the proposed Data Protection Act define exceptions where Article 9(1) of the GDPR is not applicable. There are two relevant special permissions: (i) for the processing of special categories of personal data for insurance companies for the purposes of clarifying their liabilities; and (ii) for the processing of data related to criminal convictions and offences for the purposes of legal proceedings.
France 22.05.2018 The new French Data Protection Act adds three new cases where the processing of special categories of data is allowed:
- For the processing of biometric data necessary to control access to workplaces and necessary for the use of devices and applications by employees, agents, or trainees;
- For the processing of public information concerning rulings and court decisions, on the condition that the re-identification of the individuals is impossible;
- For the processing necessary for public research and after obtaining an authorization from the CNIL.
Germany 23.05.2018 § 22 FDPA stipulates a general framework for the processing of sensitive data, including rules on health data.
Hungary 17.05.2018 n/a 
Ireland 12.09.2017 Under Part 3 of the Data Protection Act 2018, the processing of special categories of personal data is lawful in certain limited circumstances:
• for purposes of employment and social welfare law;
• for purposes of legal advice and legal proceedings;
• for electoral activities and functions of the Referendum Commission;
• for purposes of administration of justice and performance of functions;
• for insurance and pension purposes;
• for reasons of substantial public interest;
• for purposes of Article 9(2)(h) of the GDPR;
• for purposes of public interest in the area of public health;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. 
Italy 17.05.2018 Section 2-sexies, 2, letters a) to v), contains provisions on the meaning of the 'substantial public interest' lawful basis for processing special categories of personal data under Article 9(2)(g) GDPR.
Netherlands 17.09.2018 The UAVG allows derogations for processing data relating to racial and ethnic origin, religious or philosophical belief, and political opinions.
The GDPR Execution Act (UAVG) includes provisions which provide for a limited list of purposes/specific circumstances under which derogation from the prohibition on processing special categories of personal data is allowed (note that most are in line with derogations currently found under the Dutch Data Protection Act): racial and ethnic origin (article 22), religious or philosophical belief (article 29), political opinions (article 30).

Regarding the processing of personal data relating to criminal convictions and offences or related security measures, a list is provided of categories of processors that may process such data (article 31 and wet politiegegevens & wet justitiële en strafvorderlijke gegevens); this is the same as current Dutch local law on criminal data.

Under Article 25 UAVG, ethnic and racial data can be processed for positive discrimination/equal treatment purposes.
Poland 07.09.2018 Changes applicable to the private sector include, e.g., changes to (i) the Act on Insurance and Reinsurance Activity, enabling insurance companies to process personal data, including health data, in an automated manner, including through profiling, in order to assess insurance risk and perform insurance contracts, and (ii) the Public Procurement Law, which provides that the transparency principle is not applicable to special categories of personal data collected in the procurement procedure.
Slovakia 13.09.2018  Essentially the same as under GDPR. 
Spain 07.09.2018 According to Article 9 of the Spanish Data Protection Draft Bill, an individual's consent will not serve as a legitimate ground for processing ideological, trade union membership, sexual orientation, religion, beliefs or ethnic origin data. Additional grounds are needed.
The Spanish Data Protection Draft Bill states that the exclusions for the processing of special categories of personal data contained in Article 9.2 g), h) and i) of the GDPR shall be based on a law, which could establish additional requirements for their security and confidentiality.
Sweden 06.09.2018 The Act clarifies that Article 9(a), (c), (d), (e) and (f) GDPR are directly applicable and further provides that sensitive personal data may be processed in accordance with Chapter 3, Sections 2-7 §§ of the new Data Protection Act (clarifying the criteria for processing of sensitive data under Article 9(b), (g), (h) and (j) GDPR).
UK 22.05.2018

The Data Protection Act 2018 contains provisions about the processing of special categories of personal data and criminal offence data.

The processing meets the requirement in Article 9(2)(b), (h), (i) or (j) GDPR for authorisation by, or a basis in, UK law only if it meets a condition in Part 1 of Schedule 1 of the Act.

The processing meets the requirement in Article 9(2)(g) of the GDPR for a basis in UK law only if it meets a condition in Part 2 of Schedule 1 of the Act.

The processing meets the requirement in Article 10 GDPR for authorisation by UK law only if it meets a condition in Part 1, 2 or 3 of Schedule 1 of the Act.

Except in limited cases, an 'appropriate policy document' must be in place which sets out how the controller will comply with the principles in Article 5 GDPR and with retention and erasure (including indicating retention periods). The policy document must be reviewed and be available to the Information Commissioner on request. The record of processing must specify the lawful basis for processing under Articles 9 & 6 GDPR and whether the processing meets the policy documents described above. (Schedule 1, Part 4)