As is well known, the processing of special categories of personal data is prohibited under Article 9 of the GDPR unless one of the exceptions to that prohibition applies. In the first part of this article (available here) we analyzed the correlative nature of Articles 9 and 6 of the GDPR, whereas the second part (available here) focused on the first seven exemptions set forth under Article 9 paragraph (2) letters a) – g) of the GDPR.
This third and last part analyzes the remaining exemptions to the prohibition on processing special categories of personal data, namely those set out in Article 9 paragraph (2) letters h) – j) of the GDPR, as well as the Romania-specific derogations adopted pursuant to the Member States' margin of maneuver with regard to the processing of genetic data, biometric data or health data.
Considerations on the processing circumstances provided under Article 9
- Health and social care
The exception in Article 9 paragraph (2) letter h) is very specific and is relied upon by data controllers whose processing activities concern health data. The purposes for which the processing must be necessary are limited to:
- preventive or occupational medicine
- assessment of the working capacity of the employee
For example, in Romania the employment legislation requires the employer to keep a personal file for each employee. The relevant provisions do not expressly indicate what the file should include, and it is debatable whether the file should also contain the documents on the basis of which the employee is granted sick leave (which, by their nature, contain health data). Where the requirements of the employment-related exemption under Article 9 paragraph (2) letter (b) (employment, social security or social protection law) are not met, the employer could therefore rely on this exemption instead.
- medical diagnosis
- provision of health or social care or treatment
- management of health or social care systems and services (including processing of such data by the management and central national health authorities for the purposes of quality control, management information and the general national and local supervision of the health or social care system), in particular in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system.
In addition, the exemption points towards further requirements and towards a correlation with the legal bases under Article 6, such as the existence of a legal obligation for the processing activities (“on the basis of Union or Member State law”) or of an agreement in place (“pursuant to contract with a health professional”). As a further safeguard, Article 9 paragraph (3) requires that the special categories of data be processed by or under the responsibility of a professional subject to the obligation of professional secrecy, or by another person who is likewise subject to an obligation of secrecy.
- Public health
Pursuant to Article 9 paragraph (2) letter i), processing of special categories of data is allowed if it is necessary for reasons of public interest in the area of public health (hence in conjunction with public interest as a legal basis under Article 6 paragraph (1) letter (e)), such as:
- protecting against serious cross-border threats to health
- ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices
The additional requirements are that the processing must be conducted on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. In terms of safeguards, this exemption appears lighter than the previous one relating to health and social care, as it does not require the processing to be carried out by or under the responsibility of a professional, as long as the data controller is bound by professional secrecy.
According to Recital 54 of the GDPR, the area of “public health” should include all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.
The European Data Protection Board (“EDPB”) has also taken the view, in its Opinion 3/2019 on clinical trials, that the processing of special categories of data for reliability and safety purposes during a clinical trial (such as safety reporting, communications with the authorities and archiving) can rely on the public health exemption, in conjunction with the legal obligation to which the data controller is subject as the legal basis under Article 6 of the GDPR.
Another aspect worth considering is that processing based on the public health exemption should not result in the personal data being processed for other purposes by third parties, such as employers or insurance and banking companies, as stated in Recital 54 of the GDPR. This prohibition has been expressly laid down in the Romanian DP Law. As a consequence, any disclosure of personal data to third parties by data controllers processing data under the public health exemption (usually state authorities or bodies enforcing public health policies) is even more limited, if not prohibited.
- Archiving, scientific and historical research or statistical purposes
Pursuant to Article 9 paragraph (2) letter j), a data controller may process special categories of personal data where necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89 paragraph (1), based on Union or Member State law which shall:
- be proportionate to the aim pursued
- respect the essence of the right to data protection
- provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. Under Article 89 paragraph (1), these safeguards must ensure that technical and organizational measures are in place, in particular to ensure respect for the principle of data minimization; such measures may include pseudonymization or, where the purposes can still be fulfilled, anonymization.
Only the archiving purpose is qualified by the public interest, as clearly results from the wording of the exception; scientific and historical research purposes and statistical purposes are therefore not conditional upon the public nature of the interest pursued. For example, processing carried out by pharmaceutical companies for clinical trials serves a scientific purpose without that purpose necessarily being in the public interest. Where such a public interest does exist, the exception under Article 9 paragraph (2) letter i) relating to “reasons of public interest in the area of public health” may better justify the processing (as also appears to follow from EDPB Opinion 3/2019).
At the same time, as far as the archiving purpose is concerned, the public interest requirement does not mean that only public authorities or bodies may rely on it: archiving carried out by a private entity may also serve a public interest.
We also note that, under the purpose limitation principle in Article 5 paragraph (1) letter (b), read together with Article 6 paragraph (4), further processing for the above purposes is, in accordance with Article 89 paragraph (1), not considered incompatible with the initial purposes for which the personal data were collected, given the broad nature of these purposes.
Genetic, biometric or health data
We further note that under Article 9 paragraph (4) of the GDPR, Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic, biometric or health data. The Romanian DP Law prohibits the processing of genetic, biometric or health data for the purpose of automated decision-making or profiling, unless:
- the explicit consent of the data subject is obtained, or
- the processing is carried out under explicit legal provisions, with appropriate measures protecting the rights, freedoms and legitimate interests of the data subject.
Having gone through the ten exemptions from the general prohibition on the processing of special categories of data, it seems that the intended outcome of a higher level of protection can be achieved. However, data controllers may at times have a hard time meeting all the conditions and general requirements, in particular where they must rely on Member State law and such law either does not exist or, where it does exist, is difficult to assess or cannot clearly be said to meet the standard of protection required under the GDPR.
By Monica Iancu, Partner, and Andra Turtoi, Senior Associate, Bondoc si Asociatii