Changed practice for data controllers’ processing of sensitive data
In the future, the Danish Data Protection Agency will assess data controllers' processing of sensitive data covered by Article 9(1) of the General Data Protection Regulation (GDPR) on the basis of a requirement of a dual legal basis. An exception to the prohibition must now be identified both in Article 9(2) and in Article 6.
The requirement of a dual legal basis
A data controller may process sensitive personal data which are subject to the prohibition in Article 9(1) of the GDPR if an exception to the prohibition can be found either in Article 9(2) of the GDPR or in other provisions of regulation implementing Article 9 of the GDPR. At the same time, there must be a legal basis for the processing of sensitive data in Article 6 of the GDPR. Therefore, the Data Protection Agency will, going forward, require a dual legal basis for data controllers to be able to process information under Article 9(1) of the GDPR.
There has been no prior requirement to identify an exception in Article 6 of the GDPR, and the identification of a derogation in Article 9(2) has, therefore, been sufficient to date. The change is based on practice concerning the processing of personal data within the EU and is a contribution to the uniform application of the GDPR across the EU. Several guidelines have been issued, and the CJEU has handed down several judgments which support the requirement of a dual legal basis for the processing of sensitive data.
What is the implication of the practice change?
Data controllers processing sensitive information subject to the prohibition laid down in Article 9(1) shall, in the future, consider whether the two exceptions to the prohibition laid down in Article 9(1) can be identified. Also, the general principles governing the processing of personal data, as set out in Article 5 of the GDPR (in particular, that the processing must be lawful, fair, have an objective purpose etc.), must always be satisfied when processing personal data.
The Data Protection Agency considers that the conditions set out in Article 6 most often will be met when the conditions laid down in Article 9(2) or the provisions implementing Article 9 are met. However, it should be noted that there may be exceptions.
The new practice will be of particular importance concerning objections under Article 21 of the GDPR. In practice, the data subject is given the opportunity to object to the processing of sensitive personal data processed under Article 9 where the processing of data is carried out on the basis of Article 6(1)(e) or (f) of the GDPR, even when the controller fulfils the exceptions in Article 9(2) or provisions implementing Article 9 of the GDPR.
According to the Data Protection Agency, data controllers are not required to review all of their data protection documents, including records, as a result of the changed practice. Adaptations and adjustments of relevant documents in relation to the processing of sensitive data may be carried out on an ongoing basis when the documents are to be updated by the data controller.