General Data Protection Regulation (Regulation (EU) 2016/679)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) - consolidated text which includes Regulation (EU) 2016/679 published in the Official Journal of the EU on 04.05.2016 and its corrigendum published on 23.05.2018.
The Regulation is directly applicable in all Member States from 25 May 2018.
  
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 27 April 2016
on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
(Text with EEA relevance)

Article 9
Processing of special categories of personal data

  1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the sole purpose of identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person shall be prohibited.
  2. Paragraph 1 shall not apply if one of the following conditions applies:
    (a) the data subject has given his or her explicit consent to the processing of those personal data for one or more specific purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 cannot be overridden by the data subject;
    (b) the processing is necessary for the purposes of carrying out the obligations and exercising the special rights of the controller or of the data subject under employment, social security and social protection law, in so far as this is permitted by Union or Member State law or pursuant to a collective agreement in accordance with Member State law which provides for appropriate safeguards for the fundamental rights and interests of the data subject;
    (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving his or her consent;
    (d) the processing is carried out under appropriate safeguards in the course of the legitimate activities of a foundation, association or other non-profit-making body with a political, philosophical, religious or trade-union aim, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed without the data subjects' consent;
    (e) the processing relates to personal data which are manifestly made public by the data subject;
    (f) the processing is necessary for the establishment, exercise or defence of legal claims or whenever the courts are acting in their capacity as adjudicatory bodies;
    (g) the processing is necessary for reasons of important public interest based on Union or Member State law, which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject;
    (h) the processing is necessary for the purposes of preventive or occupational medicine, the assessment of the employee's fitness for work, medical diagnosis, the provision of health or social care or treatment, or for the purposes of the management of health or social care services and systems on the basis of Union or Member State law or pursuant to a contract with a medical practitioner and under the conditions and safeguards referred to in paragraph 3;
    (i) the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and medicinal products or medical devices, on the basis of Union or Member State law which provides for appropriate and specific measures to safeguard the rights and freedoms of the data subject, in particular the protection of professional secrecy;
    (j) the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1), on the basis of Union or Member State law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.
  3. The personal data referred to in paragraph 1 may be processed for the purposes referred to in paragraph 2(h) where the data in question are processed by or under the authority of a professional bound by an obligation of professional secrecy under Union or Member State law or rules established by the national competent authorities or by another person also bound by an obligation of secrecy under Union or Member State law or rules established by the national competent authorities.
  4. Member States may maintain or introduce additional conditions, including restrictions, on the processing of genetic data, biometric data or health data.

Article 10
Processing of personal data relating to convictions and offences

  The processing of personal data relating to criminal convictions and offences or to related security measures on the basis of Article 6(1) shall be carried out only under the control of an official authority or where the processing is authorised by Union or Member State law which provides for appropriate safeguards for the rights and freedoms of data subjects. A complete record of criminal convictions shall be kept only under the control of an official authority.