Legal Bases for Processing of Personal Data
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 31 December 2024

Yes.

The following are potential legal bases for processing personal data:

☒        the data subject has provided consent to the processing for the identified purposes
☒        the personal data is necessary to perform a contract with the data subject
☒        the personal data is necessary to comply with a legal obligation
☒        the personal data is necessary to protect the vital interests of a natural person
☒        the personal data is necessary for a public interest
☒        the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)
☒        other

Section 4 of the DPA specifies the circumstances under which Article 6(1)(e) of the GDPR applies. Pursuant to Section 4 of the DPA, personal data may be processed as provided in Article 6(1)(e) of the GDPR where:

  • the matter concerns data describing the status, duties or performance of a person in a public corporation, business, organization or in some other corresponding activities, as long as the aim of the processing is in line with the public interest and the processing is proportionate to the legitimate objective pursued;
  • it is proportionate and necessary for the performance of a task carried out in the public interest by an authority;
  • it is necessary for scientific or historical research or statistics and the processing is proportionate to the aim of public interest pursued; or
  • the processing of research data, cultural heritage data and description data thereof that contains personal data, for archiving purposes is necessary and proportionate to the aim of public interest pursued and the rights of data subjects.

Under section 7 of the DPA, the processing of data relating to criminal convictions and offenses as provided in Article 10 of the GDPR shall be carried out only in the following situations:

  • when necessary for solving, drafting, presenting, defending or resolving legal proceedings;
  • if the data is processed by an insurance company where necessary for the determination of the liability of the insurance company;
  • where the processing is based on the provisions of an Act or necessary for compliance with an obligation to which the controller is subject directly by virtue of an Act; or
  • for purposes of scientific or historical research or the processing of data for statistical purposes.

Please also see response regarding processing of personal data and special category data in the employment context.

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 31 December 2024

☒ Yes

The following are potential legal bases for processing sensitive personal data:

☒        the data subject has given consent to the processing, where consent is measured to a higher standard than for non-sensitive personal data (for example, additional requirement for consent to be "explicit")
☒        processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
☒        processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
☒        processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and further conditions
☒        processing relates to personal data which are manifestly made public by the data subject
☒        processing is necessary for the establishment, exercise or defense of legal claims
☒        processing is necessary for reasons of substantial public interest
☒        processing is necessary for the purposes of medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
☒        processing is necessary for reasons of public interest in the area of public health
☒        processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
☒        other

Pursuant to Section 6(1) of the DPA, special category personal data may be processed in the following circumstances:

  • An insurance company processes data relating to the insured and the claimant's health, disease, or disability, or data related to the treatment or other related activities necessary for the insurance company to determine its liability, acquired while carrying out insurance activities.
  • Processing is provided for by law or is directly attributable to the responsibilities provided for the controller by law.
  • Processing of data regarding a membership of a trade union, which is necessary in order for the controller to carry out its specific rights and obligations in the field of employment law.
  • A healthcare service provider processes data relating to the data subject's health or disability, or to the healthcare and rehabilitation services the data subject receives, or other data that is necessary for the treatment of the data subject that the service provider acquires while organizing or producing healthcare services.
  • A social welfare service provider processes data relating to the data subject's health or disability, or to the healthcare and rehabilitation services the data subject receives, or other data that is necessary in order to grant the service or benefit that the service provider acquires while organizing or producing social welfare services or when granting benefits.
  • Processing health and genetic data related to anti-doping work and sport for disabled persons, to the extent the processing of this data is necessary for enabling anti-doping work or sport for disabled persons and persons with a long-term sickness.
  • Processing data related to scientific or historical research or statistics.
  • Processing research and cultural heritage related data, except for genetic data, for non-profit archiving purposes.

Additional safeguards applicable to processing under Section 6(1) of the DPA are set forth in Section 6(2) of the DPA.

Pursuant to Section 29 of the DPA, a personal identity code may be processed if the data subject has given consent to it or if so provided by law. A personal identity code may also be processed if it is necessary to uniquely identify the data subject:

  • in order to perform a statutory duty;
  • in order to implement the rights and duties of the data subject or the controller; or
  • for scientific or historical research purposes or statistical purposes.

A personal identity code may be processed in credit granting and debt collection; in insurance, credit institution, payment service, renting and lending activities; in credit data processing; in healthcare and social welfare services and other activities to ensure social security; and in matters concerning public service employment relationships, employment relationships and other service relationships and benefits relating to these.

In addition to the above, a personal identity code may be disclosed for the purposes of data processing performed to update address information or to prevent redundant postal traffic, if the personal identity code is already available to the recipient.

A personal identity code shall not be unnecessarily entered into documents printed out from or drawn up based on a filing system.

The processing of traffic data and location data is subject to provisions set out in the AECS.

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 31 December 2024

Yes.

A minor within the meaning of data privacy laws is a person below the age of 13 for purposes of Article 8(1) of the GDPR and 15 for purposes of the AECS.

In what circumstances do these special requirements apply?

Last review date: 31 December 2024

☒         in the context of information society services only if processing is based on consent
☒         other

Pursuant to the AECS, in cases related to processing of location data, e.g., for obtaining a consent for using location data or receiving information on the use of location data, minors under the age of 15 shall be represented by their guardian.

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 31 December 2024

☒         consent must be given or authorized by the holder of parental responsibility over the child