skip to Main Content
BY THE LIECHTENSTEIN DATA PROTECTION AUTHORITY: Particular Categories Of Personal Data (Article 9 GDPR) And Personal Data On Criminal Convictions And Crimes (Article 10 GDPR).

BY THE LIECHTENSTEIN DATA PROTECTION AUTHORITY: particular categories of personal data (Article 9 GDPR) and personal data on criminal convictions and crimes (Article 10 GDPR).

This post is also available in: Italiano Español Français

In addition to the “normal” categories of personal data, there are also a series of sensitive, particularly sensitive personal data. On the one hand, these are special categories of personal data such as health data, political opinions, genetic and biometric data, genetic origin, sexual orientation, etc. (Article 9 GDPR) and, from other personal data on crimes or convictions (Article 10 GDPR).

What they have in common is that they are of a highly personal nature or have an identity-forming character and that their improper use may have a serious discriminatory or stigmatizing effect on those affected. Because the processing of this data is associated with a high risk to the rights and freedoms of the data subject, in addition to the “usual” categories of personal data (name, address, etc.) there are also sensitive categories of personal data, such as health data, political opinions, ethnic origin or data on convictions or crimes.

Due to the more sensitive, highly personal and often identity-creating nature of this data, its processing carries considerable risks to the fundamental rights and freedoms of the data subject or is associated with a large and potential harm (example of risk of discrimination).

They are particularly worthy of protection. According to the risk-based approach of the General Data Protection Regulation (GDPR), the most stringent requirements apply to the processing of these special categories of data (Articles 9 and 10 of the GDPR).

Prohibition subject to authorisation (Article 9 GDPR):

A general prohibition on processing applies to the special categories of personal data listed in Article 9, paragraph 1 of the GDPR. Still, they can be treated under certain conditions. These needs are not only a justification of Article 6, paragraph 1 of the present GDPR, but also one of the exceptions under Article 9, paragraph 2 of the GDPR. It is clear that Article 9, paragraph 2, of the GDPR does not allow processing to perform contracts based on legitimate interests.

The relationship between Article 6 and Article 9 of the GDPR has not been clarified in education nor in practice. Still, the DSS holds the view that until the processing of special categories of personal data is consumptive, there must be an authorisation to Article 6, paragraph 1 of the GDPR as well as an exception to Article 9, paragraph 2 of the GDPR.

Special categories (Article 9, paragraph 1 GDPR)

Article 9, paragraph 1 of the GDPR exhaustively lists all categories of data that the legislator has considered particularly worthy of protection. Individual data may also be part of many special categories at the same time (for example, genetic data may also be health data). From time to time, still, there are questions about how to differentiate them from “ordinary” personal data.

It is also the context, the typology and the purpose of the processing or the link with other personal data that determine whether or not the data processed are part of special categories pursuant to Article 9, paragraph 1 of the GDPR or less (e.g. photo processing for illustrative purposes only), purposes or to clearly identify a natural person using special technical and biometric aids.

Specifically, the categories of data particularly deserving of protection under Article 9.1 of the GDPR are:

  • ethnic or racial origin,
  • political opinions,
  • religious or philosophical convictions,
  • trade union membership,
  • genetic data,
  • biometric data,
  • health data, and
  • data relating to the sexual life or sexual orientation of a natural person

There are only legal definitions for genetic, biometric and health data in Article 4, paragraphs 13, 14 and 15 of the GDPR itself. The same categories of data are also covered from the opening clause under Article 9, paragraph 4 of the GDPR.

For example, Member States are explicitly allowed to provide for additional (stricter) conditions or restrictions from national legislation for the processing of biometric or health data (for example the law on genetic engineering). Still, no lowering of the protection level is allowed.

The legislator has based this list on other catalogues of fundamental rights and prohibitions of discrimination, such as Article 6 of the Council of Europe Data Protection Convention No. 108, Article 14 of the European Convention on Human Rights (ECHR), Article 8 of the former Data Protection Directive 95/46/EC of the European Union or Article 21 of the Charter of Fundamental Rights of the European Union.

The term health data has to be interpreted broadly.

Derogations (Article 9, paragraph 2 GDPR)

Article 9, paragraph 2 of the GDPR provides for ten permissions, if they exist, the special categories of personal data defined from paragraph 1 may be processed exceptionally. The facts can be roughly shared in two groups: the admissibility requirements listed c, d, e, and f are all definitively standardized; while the letters a, b, g, h, i, and j are subordinate to existence (and non) of a specific legal basis in the Union or in the Member States. All exceptions have to be interpreted restrictively.

  1. Express consent (letter a)

Respect for the justification for consent in Article 6.1 a) of the GDPR, the most stringent requirements of the GDPR apply to consent in accordance with Article 9.2 a). For example, it has to be explicit and with reference to the processing of special categories of personal data. A merely implied consent is therefore excluded.

In addition, the Union and the Member States may generally prohibit certain processing of personal data pursuant to Article 9, paragraph 1 of the GDPR by means of an appropriate legal basis and the application of Article 9, paragraph 2 a) of the GDPR or consent as an impossible justification. Corresponding regulations are also possible with additional requirements for consent for certain processing operations (for example, additional formal requirements, conditions, etc.).

  1. Labor law, social security and social protection (letter b)

The derogation from Article 9.2 b) of the GDPR does not exist independently, but has to derive from a corresponding separate legal basis from the Union or the Member States in the field of labor law, social security or social protection (including collective and business contracts). The processing of special categories of personal data has to be necessary to meet standards for it to be allowed.

  1. Protection of vital interests (letter c)

The existence of this exception requires the processing of specific categories of personal data in order to protect the vital interests of the data subject or another person or to avoid risks to life and security. It is still necessary that the person concerned is not able, physically or legally, to expressly leave their consent to the processing, but may presume their presumed consent (for example, in case of emergency, lack of awareness, impossibility of obtaining the legal representative, etc.). The processing of special categories of personal data would, in principle, be motivated by the protection of vital interests only if it does not appear to be a different exception under Article 9(2) of the GDPR.

  1. Political, philosophical, religious and trade union organizations (letter d)

Article 9, paragraph 2, point d of the GDPR, allows the processing of specific categories of personal data by political, philosophical, religious or trade union non-profit organisations (for example, churches, political parties, trade unions, etc.) unless processing within its lawful activities is required (organizational purpose), and internally takes place and organisations provide adequate guarantees for this. In addition, the data processed under this exception may refer only to persons who are (ex) members of the organisation or (in relation to its purpose) regular contacts (for example, donors or regular participants, etc.)

  1. Self-published data (letter e)

The exception in Article 9, paragraph 2, point e) of the GDPR authorises the processing of special categories of admissible data if the person who has published them, obviously and intentionally, directly (or through a person on their behalf). Public means an undetermined group of persons to whom data has been made available (for example, on the internet or on the media in general). Mere participation in a public event meets the requirements of Article 9, paragraph 2, letter e) of the GDPR, but it is not, as is the fact that information can be known on the internet through a search engine.

  1. Rights and judicial acts (letter f)

Special categories of processing of personal data pursuant to Article 9, paragraph 2, point f) of the GDPR are necessary for the exercise, enforcement or defence of a right in a court of law. The fact that this is a judicial, extrajudicial or administrative procedure is irrelevant (recital 52). Similarly, processing is permitted for requirements related to acts performed by judicial authorities in the exercise of their judicial functions. The repeal provided for in Article 9, paragraph 2, point f) of the GDPR, represents an extension of the corresponding justification under Article 6, paragraph 1, point f) of the GDPR (legitimate interest) for sensitive data.

  1. Significant public interest (letter g)

The derogation from Article 9, paragraph 2, letter g) of the GDPR is formulated relatively openly (in contrast to the specific public interests in points h, i, and j) and refers in a similar way to Article 6, paragraph 1, point e) and Article 6, paragraph 3 of the GDPR, simply on a significant public interest, which calls for the processing of special categories of personal data (for example prevention of danger, application of the rule of law, humanitarian purposes, etc.)

Such an important public interest has to be codified in a legal standard at European or Member State level, which has to fulfil certain conditions in order to balance interests. The regulation has to be proportionate to the intended purpose (proportionality) of respecting the nature of the right to data protection and the fundamental interests of the data subject (for example information, resale rights). Article 9, paragraph 2, point g) of the GDPR is an opening clause which allows the legislator to provide for derogations from the general prohibition on the processing of particular categories of personal data.

  1. Health and social sectors (point h)

The derogation from Article 9, paragraph 2, point h) of the GDPR concerns the processing of data relating to a person’s healthcare. It authorizes the exceptional processing of particular categories of personal data in so far as this is necessary for:

  • Healthcare
  • Occupational medicine
  • Assessment of an employee’s ability to work
  • Medical diagnosis
  • Care or treatment in the health or social sector
  • Management of systems and services in the health or social sector

It is irrelevant whether the services are preventive, diagnostic, curative or post-operative. Part of this exception is also, for example, the preservation prescribed by the Medical Records (Documentation) Act for doctors, the processing of sensitive data by pharmacies or by counselling and social services centres.

Treatment on the basis of this derogation must also be based on a legal basis on the law of a Union or the Member State or be justified from a contract with a member of a health profession.

At the end by processing special categories of personal data on the basis of Article 9, paragraph 2, letter h) of the GDPR, the conditions and guarantees pursuant to Article 9.3 of the GDPR are respected. Request that the treatment be carried out by or under the supervision of specialised personnel and that these specialised personnel be subject to professional secrecy (for example, doctor’s secrecy) or, if the treatment is carried out by other persons, are also subject to the obligation of confidentiality.

  1. Public health (point I)

The repeal of Article 9, paragraph 2, point i) of the GDPR seeks to raise the issue of health and fair-trade risk. Special categories of personal data may be processed if there is a public interest in the public health sector (for example, against serious cross-border health threats, ensuring high quality standards and safety in healthcare, pharmaceuticals and medical devices, etc.), which makes this elaboration necessary.

Here again the budget is that there is a legal basis in European or Member State law, which provides for appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy (for example, the law on epidemics, the law on therapeutic agents, etc.). Moreover, with this cooperation the limitation of the end must be observed.

  1. Archiving, searching and statistical purposes (letter j)

In accordance with Article 9, paragraph 2, point j) of the GDPR, special categories of personal data may be processed for the purposes of archiving in the public interest, for the purposes of scientific and historical research and for statistical purposes where processing is necessary. Also transformation under Article 9, paragraph 2, point j) of the GDPR, should be provided for in a rule at Union or Member State level that is proportional to the objective pursued (proportionality)and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject (for example, information, pseudonymisation, etc.). Article 9, paragraph 2, point j) of the GDPR also refers to Article 89, paragraph 1, of the GDPR, which provides adequate guarantees on the rights and freedoms of the persons concerned by the processing of data for those purposes.

Personal data on criminal convictions and crimes (Article 10 GDPR)

Personal data relating to criminal convictions and crimes are not part of the current special categories under Article 9 of the GDPR. However, their improper treatment may have serious consequences for the persons concerned (e.g., risk of discrimination), for which reason they are particularly in need of protection and their treatment is specifically regulated from article 10 of the GDPR. In principle, these data may be processed from private or public entities on the basis of a legal basis in accordance with Article 6.1 of the GDPR.

Yet, Article 10 GDPR further lists that this can be done only under strict conditions of official supervision or from other appropriate guarantees for the rights and freedoms of data subjects established on a legal basis in the Union or in the Member State. (example as§1173a Article 28a ABGB in Liechtenstein for the treatment of extracts from criminal records by private employers).

Complete records of criminal convictions may also be kept exclusively under official supervision and not only under private responsibility (for example, the national register of convicted persons). Article 10 of the GDPR, unlike Article 9, does not include a processing ban, but merely increases the processing requirements for that particular category of data.

Article 10 GDPR collects personal data on crimes, criminal convictions and related security measures. This also includes pronounced sanctions and comparable measures. The scope of Article 10 of the GDPR covers the personal data of perpetrators, instigators and assistants, and in any case of the suspect, but not of witnesses, victims or other parties involved in criminal proceedings. Only the general rules of the GDPR (for example, data accuracy, proportionality, etc.) apply to the latter. However, the principle of proportionality generally applies to the processing of personal data by analogy. To attach great importance must be due to the high risk of discrimination (for example, as regards potential recipients, storage times, data minimisation, etc.).

For the purposes of delimitation, records, databases or individual data (for example, suspects) that the competent authorities include protection against defence against risks to public security, which are treated, which do not fall within the scope of the Block Exemption Regulation or the Block Exemption Regulation, are covered by Article 10 of the GDPR (Article 2.2 of the GDPR), which is covered by the Directive (EU) 2016/2805, article 45 et seq. DSG was transferred to Liechtenstein law.

Impacts on other GDPR regulations

Other GDPR rules also explicitly refer to the processing of special categories of personal data or personal data, remit personal data on convictions and offences, or influence compliance with data protection obligations. Thus, in Article 6, paragraph 4, point c) (compatibility test), in Article 9, paragraph 2, point a) (express consent), Article 22, paragraph 1. 4 (automatic individual decision), Article 30, paragraph 5 (processing list) is laid down, Article 35, paragraph 3, point b), impact assessment on data protection and nature. 37, paragraph 1, point c) – (data protection officer) Specific obligations or explicit restrictions on the processing of personal data as provided for in Articles 9 or 10 of the GDPR, respectively. Elsewhere, the processing of these data results in a greater risk assessment for data subjects, leading to greater data protection obligations (for example, requirements relating to the safety of processing pursuant to Article 32 of the GDPR or notification requirements pursuant to Articles 33 and 34 of the GDPR). Finally, the infringement of Article 9 is also serious in the case of the imposition of bus payments (Article 83.5 a) of the Block Exemption Regulation).

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DEL LIECHTENSTEIN

Back To Top