This part of our series about “The conundrums of processing special categories of personal data under the General Data Protection Regulation” follows the first article of the series, in which we discussed the correlation between Articles 6 and 9 of the GDPR.
This time we seek to tackle the first seven circumstances under which processing of special categories of personal data is allowed under the GDPR, while the remaining circumstances will be analysed in the next and last part of the series.
- Explicit consent
There is no indication in the GDPR as to the meaning of the explicit consent required for processing special categories of data (Article 9) compared to the mere consent required for processing categories of personal data that are not special (Article 6). To the contrary, consent must be unambiguous and specific for all personal data processing, whether special or not.
Based on the considerations provided by WP29, a controller who intends to process special categories of personal data must go the extra mile to obtain explicit consent. One way of doing this is, for example, by obtaining consent by wet-ink or electronic signature, or by imposing a two-stage verification process before the consent is confirmed.
In the absence of a comprehensive interpretation of the concept, the duty to find adequate forms for data subjects to express explicit consent rests on controllers.
- Rights and obligations under employment, social security or social protection laws, or under a collective agreement
The existence of such a circumstance of special personal data processing raises no surprise as such (mainly because, according to WP29, an alternative basis, such as consent, will likely not be a reliable ground due to the presumed imbalance of powers in the work environment). However, the ground is subject to the Member State law providing for appropriate safeguards for the fundamental rights and interests of data subjects.
Most often, controllers do not review the extent to which the local law provides for appropriate safeguards, while most laws do not necessarily provide such safeguards, at least not explicitly, the more so as they were issued before the enactment of the GDPR. In our view, this creates a risk of non-compliance for controllers, and one way to overcome it is for controllers to put their own safeguards in place for the processing (such as enhanced security measures).
- Vital interests of a person physically or legally incapable of giving consent
While such a circumstance is unlikely to be relevant for regular businesses and regular types of processing (but rather in case of medical emergencies), controllers have to demonstrate both the lack of capacity (proof of missing legal capacity being more difficult to obtain) and the fact that the interest protected is indeed vital.
- Non-profit bodies in relation to their members
The processing circumstance specified by Article 9 para (2) (d) of the GDPR is qualified both as regards the data controller (a non-profit body with a political, philosophical, religious or trade union aim) and the data subjects (members, former members or people who have regular contact with the non-profit body). It remains unclear why other non-profit bodies, such as the ones promoting sports or health, are not covered by the exception.
Processing based on this circumstance is most likely to be carried out in conjunction with the ground of legitimate interest provided in Article 6 para (1) (e) and, therefore, a balancing test will have to be carried out by the controller before processing. However, as expressly provided by the text of Article 9 para (2) (d), consent is needed for further disclosure of personal data to third parties, and such consent should be an explicit one in the meaning of Article 9 para (2) (a).
- Data manifestly made public by data subjects
The circumstance is rather self-explanatory; we only note that, since a matching between the processing circumstances provided in Article 9 and the grounds for processing provided in Article 6 is required, additional conditions for processing may be needed, such as the performance of a balancing test if processing is based on legitimate interest.
- Legal claims
The exception provided in Article 9 para (2) (f) allows for the processing of special categories of personal data where this is necessary for the establishment, exercise or defence of legal claims (whether in court proceedings or in administrative or out-of-court proceedings, or whenever courts are acting in their judicial capacity).
Even if Recital 52 comes with additional information, the exemption seems not to cover the processing carried out by lawyers when providing legal consultancy services, or the processing activities carried out by other professionals (such as tax advisers). Moreover, according to WP29, it appears that it cannot be used to justify the processing of personal data where there is no imminent probability that legal proceedings will be initiated, which, in our view, is rather unfortunate.
- Substantial public interest
According to the exemption in Article 9 para (2) (g), data controllers may process special categories of personal data if this is necessary for reasons of substantial public interest on the basis of Union or Member State law, as long as such processing will (a) be proportionate to the aim pursued, (b) observe the essence of the right to data protection, and (c) provide for suitable and specific measures to safeguard the fundamental rights and interests of data subjects.
While the exemption is focused on substantial public interest, to our knowledge there is no indication of how such public interest may be assessed, which is another instance in which the GDPR leaves large room for interpretation. Member States are under the duty to further clarify the concept.
Romania has further regulated this exemption and, as a result, “performing a task that serves a public interest” is limited to those activities of political parties or citizen organizations belonging to national minorities, and of non-governmental organizations that serve the fulfilment of objectives provided by constitutional or public international law or the functioning of the democratic system, including the encouragement of citizens' participation in decision-making and public policy-making, and the promotion of the principles and values of democracy.
Further, the Romanian law implementing GDPR establishes additional safeguards in case of processing of special categories of personal data in the context of performing a task of public interest, namely:
- implementation of appropriate technical and organizational measures for compliance with the principles listed in Article 5 of the GDPR, in particular data minimisation and the principle of integrity and confidentiality;
- appointment of a data protection officer, if required in accordance with Articles 37-39 of the GDPR;
- setting storage periods according to the nature of the data and the purpose of processing, as well as specific deadlines by which personal data must be deleted or reviewed for deletion.
However, the above additional safeguards are no more protective than the GDPR standards, and, as a result, the relevant provisions of the Romanian law implementing GDPR are rather redundant.
By Monica Iancu, Partner, and Andra Turtoi, Senior Associate, Bondoc si Asociatii