“If processing of sensitive ‘special category’ data is necessary as part of performing the contract, controllers will also need to identify a separate exception to the general prohibition of processing such data, because contractual necessity alone does not fulfil the requirements of Article 9 GDPR. Thus, as with all processing of such special category data, the controller will need both a legal basis – in this case, necessary for the performance of a contract – as well as fulfilling a condition under Article 9(2) which allows for the processing that type of personal data – such as the fact that the data have been ‘manifestly made public’ or the processing is necessary to establish, exercise, or defend a legal claim.”
The Spanish Agency for Data Protection (AEPD) has published the ‘Guide for patients and users of health’, a document that responds to the most frequent questions that citizens usually ask when their personal data is processed by centers, administrations and health professionals and which aims to facilitate the knowledge of their rights.
In a second part, the ‘Guide for patients and healthcare users’ collects the issues raised most frequently before the AEPD.
Press release: https://www.aepd.es/prensa/2019-11-14-guia-pacientes-usuarios-sanidad.html
Guide (in Spanish):
General comparison via Baker McKenzie (via compare jurisdiction and topics)
In many articles it is stated that prior notification/authorization requirements had been replaced with GDPR by the need to have high-risk Data Protection Impact Assessments reviewed by the Supervisory Authorities (GDPR Art 36). – However, there are still cases in which more specific prior notification/authorization requirements exist (GDPR Art 36 (5) and Member state laws (via opening clauses)).
According to the above source, in the EU, -and omitting DPO registrations – there are requirements for
(check source above for the precise wording, my own summary below)
(CCTV, sometimes communication of health data)
(purpose-related: warning someone to engage in some business, creditchecks/financial standing-related, legal information system-related)
(sometimes for processing of person’s NIR (national identification registry) number; state investigations; biometric or genetic data for authentication on behalf of the state; some transfers of personal data to a third country (GDPR 43 (3) a);
“ad hoc scheme for health data and subjects their processing to a prior declaration of conformity with standard references (“référentiels”) of the CNIL. Failing that, article 54 of the Data Protection Act states that processing shall be subject to the CNIL’s prior authorization, except in the field of health research or study. ” (quote from URL above) [Exceptions for some bodies and services listed via a Ministerial Order]
For France/CNIL: Overview by Baker McKenzie
Article by TwoBirds ” The CNIL published on 18 July 2019 a new standard concerning the processing of personal data for the purpose of vigilance in the health sector. ”
Quote: ” The standard is of great importance since according to the French Data Protection Act such processing activities are submitted to the CNIL’s prior authorization. The scope of the French prior authorization requirement is extraterritorial, and any organization worldwide doing product vigilance on individuals residing in France must obtain an authorization in order to be allowed to carry on their activities. But if their activities comply with the CNIL’s new standard, then they can now file a declaration of compliance with the CNIL, instead of filing a full request for authorization. “
Link to inofficial translation by TwoBirds at https://www.twobirds.com/~/media/pdfs/france/new-french-cnil-standard.pdf?la=en&hash=8AE9FA58104BDE6D234289328ACB6BBCE25DCBD2
TwoBird article on overall background at https://www.twobirds.com/en/news/articles/2019/france/processing-health-data-in-france-what-to-look-out-for-after-gdpr – incl. need for prior authorization and CNIL reference methods
Germany Lower Saxony: Typical data protection cases in employment relationships