26
Sat, Sep
59 New Articles

The Conundrums of Processing Special Categories of Personal Data under the General Data Protection Regulation (III)

The Conundrums of Processing Special Categories of Personal Data under the GDPR (III)

Romania
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

As well known, the processing of special categories of personal data is prohibited under article 9 of GDPR, unless one of the exceptions for processing is met. In the first part of this article available here we have analyzed the corelative nature of Articles 9 and 6 under GDPR, whereas the second part, available here, focused on detailing the first seven exemptions set forth under Article 9 paragraph (2) letters a) – g) of the GDPR.

This third and last part is set to analyze the remaining exemptions to the processing of special categories of personal data, namely those mentioned in Article 9 paragraph (2) letters h) – j) of the GDPR, as well as the Romanian specific derogations established pursuant to Member States’ margin of maneuver with regard to the processing of genetic data, biometric data or health data.

Considerations on the processing circumstances provided under Article 9

  • Health and social care

The exception in Article 9 letter h) is very specific and can be used by data controllers conducting processing activities in relation to health data. Moreover, the purposes for which processing is necessary are limited to:

  • preventive or occupational medicine
  • assessment of the working capacity of the employee

For example, in Romania, the employment legislation requires the employer to keep a personal file for each employee. The relevant provisions do not expressly indicate what the file should exactly include, and it is debatable whether the file should also include the documents pursuant to which the employee is granted a sick leave (which, by default, contain health data). Therefore, the employer could use this exemption instead of the one under Article 9 paragraph (2) letter (b) relating to employment, social security or social protection laws, when the requirements therein are not met.

  • medical diagnosis
  • provision of health or social care or treatment
  • management of health or social care systems and services (including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system), especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system.

In addition, the exemption points towards additional requirements and correlation with the legal grounds under Article 6, such as the existence of a legal obligation for the processing activities (“on the basis of Union or Member State law”) or of an agreement in place (“pursuant to contract with a health professional”). As a further protection, the special categories of data must be processed by or under the responsibility of a professional or another person who is subject to the obligation of professional secrecy or a broader confidentiality obligation.

  • Public health

Pursuant to Article 9 letter i), processing of special categories of data is allowed, if necessary, for reasons of public interest (therefore, in conjunction with the public interest as a legal basis under Article 6 paragraph (1) letter (e)) in the area of public health, such as:

  • protecting against serious cross-border threats to health
  • ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices

Additional requirements refer to the fact that the processing should be conducted on the basis of Union or Member State law, which provides for suitable and specific measures to safeguard data subjects’ rights and freedoms, in particular the professional secrecy. In relation to safeguards, this exemption seems lighter than the previous one related to health and social care, as it does not specify that processing must be made by or under the responsibility of a professional, as long as the data controller is bound by professional secrecy.

According to Recital 54 of the GDPR, the area of “public health” should include all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.

Also, the European Data Protection Board (“EDPB”) issued an opinion according to which processing special categories of data for operations related to reliability and safety purposes during the clinical trial (such as safety reporting, relation with the authorities, archiving purposes) can be made under the exemption of public health in conjunction with the legal obligation to which the data controller is a subject (as a legal basis pursuant to Article 6 of the GDPR).

Another aspect that is worth considering is that processing based on the exemption of public health should not result in the personal data being processed for other purposes by third parties (such as employers or insurance and banking companies), as per Recital 54 of the GDPR. This interdiction was expressly stipulated in the Romanian DP Law. Furthermore, this means that any transfer of personal data by data controllers processing the data under the public health exemption (usually state authorities or bodies that enforce the public health policies) is even more limited, if not forbidden.

  • Archiving, scientific and historical research or statistical purposes

Pursuant to Article 9 letter j), a data controller can process special categories of personal data if necessary, for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes, based on Union or Member State law, as long as it shall:

  • be proportionate to the aim pursued
  • respect the essence of the right to data protection
  • provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The safeguards shall ensure that technical and organizational measures are in place (including pseudonymization or anonymization) especially for compliance with the principle of data minimization.

Only the archiving purpose is limited by the public interest, as clearly resulting from the wording of the exception, which means that scientific and historical research, as well as statistical purposes are not conditional upon the public nature of the interest of the processing. For example, processing in view of clinical trials made by medical companies has a scientific purpose without such purpose necessarily having a public interest nature. If such public interest exists, the exception under Article 9 paragraph (2) letter j) relating to “reason of public interest in the area of public health” may better justify the processing (as it seems to also result from the EDPB Opinion 3/2019).

At the same time, insofar as the archiving purpose is concerned, processing by a private entity may however be linked to public interest and, as a result, the public interest of the processing for archiving purposes should not necessarily be linked to the processing made by public authorities or bodies.

We also note that, by correlation between the purpose limitation principle and pursuant to Article 6 paragraph (4), the above purposes are, given their broad nature, generally seen compatible with any other initial purpose for which personal data was collected.

Genetic, biometric or health data

We further note that under Article 9 paragraph (4) of the GDPR, Member States are entitled to maintain or impose further conditions (including limitations) in respect of genetic, biometric or health data. The Romanian DP Law restricted the processing of genetic, biometric or health data for the purpose of automated decision-making or profiling, unless:

  • the explicit consent of the data subject is obtained, or
  • the processing is carried out under explicit legal provisions, with appropriate measures protecting the rights, freedoms and legitimate interests of the data subject.

Final thoughts

Going through the ten exemptions from the general prohibition to the processing of special categories of data, it seems that the final outcome of providing a higher level of protection may be achieved, but sometimes data controllers may have a hard time meeting all the conditions and general requirements, in particular where they should rely on Member State law and such Member State law does not exist or if it exists it is difficult to assess or to conclude that it meets the protection standard required under the GDPR.    

By Monica Iancu, Partner, and Andra Turtoi, Senior Associate, Bondoc si Asociatii

Bondoc si Asociatii at a Glance

Bondoc și Asociații SCA is a leading Romanian law firm advising private corporations, public entities and lending institutions in the development of significant and increasingly integrated projects in a wide range of practice areas, including corporate and commercial law, M&A, banking & finance (including also structural funds and state aid), energy, capital markets, competition law, labor, real estate, IT&C, regulatory and compliance. Its lawyers are specialized in providing integrated advice on virtually every legal aspect associated with complex cross-border transactions, as well as domestic projects.

We have the experience and necessary resources to advise private corporations, public entities and financial institutions in their cross-border expansion, in the development of significant and increasingly integrated projects.

In terms of M&A transactional work, our team has been involved in many significant transactions covering a broad range of industries.

We are one of the few firms capable of assisting in a professional manner on virtually any type of M&A project in any industry in Romania and of any size, including with respect to highly regulated sectors or in connection with public authorities.

We have very strong departments in all support areas needed for such transactions, including without limitation competition, commercial law, real estate, labor law, banking &finance, energy, environment, and other regulatory.

Key Information:

  • 9 partners;
  • 40 lawyers, most of whom have also studied abroad;
  • Covering the full range of legal services;
  • Having worked on many of the largest and most complex projects in the Romanian market in the past 3 years;
  • One of the very few Romanian law firms growing in the market;
  • Highly recommended by international directories in 11 areas of law.

We offer:

  • Integrity;
  • A Client-oriented approach;
  • Top quality services, including in highly regulated sectors;
  • A size allowing for the coverage of several large projects at the same time;
  • Very strong experience in both domestic and international complex projects, including in highly regulated sectors;
  • A holistic approach.

Expertise:

Our lawyers have wide experience in dealing with complex and sophisticated legal matters.

  1. Banking & Finance
  2. Capital Markets
  3. Commercial
  4. Competition
  5. Corporate / Mergers & Acquisitions
  6. Data Protection
  7. Employment
  8. Energy & Natural Resources
  9. Environment & Regulatory
  10. Healthcare/Pharma & Medical Services
  11. Insurance and Private Pensions
  12. Intellectual Property
  13. IT/Technology & Communications
  14. Litigation & Arbitration
  15. Media, Entertainment & Advertising
  16. Public Procurement & PPP
  17. Real Estate& Constructions
  18. Restructuring & Liquidation
  19. State Aid & European Structural Funds
  20. White Collar / Investigations & Compliance

For further information about Bondoc si Asociatii Law Firm, please visit our website at bondoc-asociatii.ro.