Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) aims to introduce concepts and rules that strengthen the protection of the fundamental rights and freedoms of natural persons in respect of data processing activities. The question has been raised as to whether and how the GDPR achieves this in relation to special categories of personal data, with some opinions going so far as to question whether a specific regime for such categories of data is still adequate when we all agree that it may not be the data itself that is special or sensitive but rather its use.
We have analyzed from certain perspectives the GDPR rules on processing special categories of data in a three-fold article aimed at discussing where conundrums lie. This one focuses on whether there is any synergy (intended or achieved) between Articles 6 and 9 of the GDPR, whereas the second and third parts will focus on the specific circumstances (with practical considerations) when processing special categories of personal data is allowed.
1. Special circumstances for special personal data processing …
According to Article 9 of the GDPR, the processing of special categories of personal data is prohibited unless at least one of the exemptions for processing identified therein is met. There are ten such exemptions provided for by the GDPR itself, and the Member States are allowed to maintain or introduce further conditions (including limitations) under which the processing of special categories of personal data is lawful.
2. … but not so special legal grounds
At first glance, meeting one of the conditions provided in Article 9 paragraph (2) of the GDPR suffices to lift the prohibition on processing special categories of personal data. Generally, a view persists that the exemptions provided under Article 9 of the GDPR constitute legal grounds for processing. The similarity between some of the circumstances in Article 9 and the legal grounds in Article 6 of the GDPR strengthens this view.
However, this does not seem to have been the intention of the GDPR legislator. In fact, the Article 29 Working Party (“WP29”) clarified that, starting from the general objective of providing a higher level of protection to special categories of data, the data controller should assess on a case-by-case basis whether the application of one of the exemptions in Article 9 is sufficient by itself to achieve the objective or whether one of the grounds in Article 6 should apply cumulatively. Unfortunately, the WP29 clarifies neither which circumstances in Article 9 are able to provide protection in isolation, without requiring cumulation, nor, where such cumulation is needed, the correspondence between circumstances and legal grounds.
3. When special circumstances and legal grounds meet
We have conducted a comparative analysis of the special circumstances in Article 9 and the legal grounds in Article 6 to identify correspondences. Notwithstanding the fact that any special circumstance could theoretically be combined with any legal ground, some predefined links seem to exist, as follows:
4. A paramount absence
One of the legal bases for regular personal data processing that proves very useful in particular industries or areas is contract performance. Article 9 missed the opportunity to establish a full correspondence with Article 6 in relation to this legal basis. As a result, no special categories of personal data can be processed exclusively on the basis of contract performance, and a cumulation with one of the circumstances in Article 9 is therefore needed. Most often, the special circumstance for processing that is paired with contract performance is the explicit consent of the data subject.
We take the example of a controller that concludes an agreement with an individual, on the basis of which it processes the individual’s personal data required for the performance of that contract, both regular and special personal data, in the latter case relying on the individual’s explicit consent. This may give rise to awkward situations when the individual whose data is processed withdraws his/her consent. In such a situation, if the controller has no (other) cause to terminate the agreement (the mere withdrawal of consent by the individual does not amount to a cause, as consent is essentially retractable), it continues to be bound by the obligation to perform the agreement, which it cannot do in the absence of a possibility to process the special categories of personal data (such as biometric data).