GDPR: Special Processing Categories (9-11)

These articles deal with processing special kinds of information and the elements that both data controllers and data subjects need to be aware of. This includes data that can identify a data subject’s race or ethnicity, political opinions, religious views, criminal convictions, and other health data. Article 11 outlines the criteria for processing data that does not require identifying a data subject.

Article 9: Processing of Special Categories of Personal Data

  1. Processing personal data that reveals race, ethnicity, religion, political views, union membership, health-related information, sex life, or sexual orientation shall be prohibited.
  2. The above bullet does not apply if:
    • The data subject has given expressed consent to the processing and Member State law does not override this consent.
    • Processing is necessary to fulfill data controller obligations in the field of employment and social protection law as authorized by the Member State law.
    • Processing is necessary to protect the data subject, or concerned natural person when they are incapable of giving consent.
    • Processing is carried out in the course of legitimate activities, with appropriate safeguards, and on condition that processing solely relates to members, or former members, of the body requiring the processing and that no information will become public knowledge without the data subject’s consent.
    • The processing relates to data made public by the data subject.
    • Processing is performed whenever courts are acting in their judicial capacity.
    • Processing is necessary for reasons of substantial public interest, and safeguards are in place to protect the rights and interests of data subjects.
    • Processing is necessary for the purposes of preventative or occupational medicine, to assess the working capacity of individuals, medical diagnosis, management of health or social care systems, and the provision of health and social care on the basis of Union or Member State law.
    • Processing is necessary for reasons in the interest of public health, such as protecting against cross-border threats to health or ensuring high standards of health quality and safety.
    • Processing is necessary for archiving purposes in the public interest, scientific, or historical research purposes, or statistical purposes in accordance with Article 89 and based on Union or Member State law.
  3. Personal data referenced in the first bullet may be processed for the purposes of public health if they are processed by or under the responsibility of a professional who is obligated to secrecy in accordance with Union or Member State law.
  4. Member States may introduce more restrictive conditions, including limitations, with regard to processing genetic, biometric, or health data.

Article 10: Processing of Personal Data Relating to Criminal Convictions and Offenses

  1. Processing of personal data relating to criminal convictions and offenses, or related security measures, based on Article 6 is carried out only under the control of official authority or when processing is authorized by the Union or Member State law providing for appropriate safeguards. Any convictions will be kept under the control of the official authority.

Article 11: Processing which does not Require Identification

  1. If the purposes for which a controller processes personal data no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire, or process additional information in order to identify the data subject.
  2. In a case covered by the above bullet, when the controller can demonstrate that they are not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. Articles 15 through 20 do not apply if this is the case unless a data subject provides additional information that can enable their identity to be determined.

How does this apply to you and me?

For starters, your data pertains to you first, others second. If anyone were to tell you otherwise, they’d have to make sure they’re complying with the articles listed above. The different categories of data expand on the details listed in Article 5, which can be found here. The articles seen above explain when processing is permitted and when, in some rare cases, it does not require consent from the data subject. These would be instances pertaining to public health (COVID-19, for example), criminal convictions (supervised by law enforcement), or historical records (such as population diversity in the 1900s). These instances, however, are permissible because they meet the special requirements outlined in the articles above. This does not take away the rights of the data subject because if data is collected without their consent, the data must be de-identified so as not to tie back to any specific data subject. Look at the case between Harvey and Ross for more information, as these two are still deciding on who is to blame for what happened between them.

We’ll get into further considerations in future newsletters, but the primary takeaway for you is that your consent is required before any data controller can process data and there are special circumstances that would allow a controller to process data. Rest assured though, the data must be anonymized unless it is absolutely necessary in the interest of public safety to match to a specific data subject.

HARVEY AND ROSS

So if we recall, Harvey joined a class-action lawsuit against Ross’s clinic because Ross didn’t disclose that data would be sent to a third party for further processing. I won’t go too deep into the weeds of this area, but Ross had a duty to his client and he broke it. Although the data was completely anonymized and was in the interest of public health, Harvey wasn’t informed of the matter and might not have agreed to the process had he known. The results of this specific issue would need to be determined by a legal judge, but a case can be made for both sides of the table. Ross completely anonymized Harvey’s information and encrypted it before sending it to the third party, but didn’t disclose this part of the procedure. Additional court rulings and laws would need to weigh in on whether any of the above articles were infringed upon, but the fact remains that Harvey wasn’t aware of this third party having access to his data, anonymized or not. We will continue following this story, but I can tell you it will soon become very murky and, like most court cases, the better attorney will come out on top regardless of whether they settle or proceed to court. Harvey and Ross’s case is pretty simple at face value, but once we begin looking at additional articles in the 30s and beyond, it will take some serious research for you and me to figure out who exactly would be the one left cashing the check (and if we know anything, it’ll always be the attorneys).

Nonetheless, Ross’s third party was processing anonymized data in the interest of public health, but Harvey was not made aware of this. So, is there anything for us to even talk about for these articles? Probably not, but a skilled privacy attorney can always try!

See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.

Once you understand how valuable your information is, then you can begin taking steps to keep it private.

