77
Text adopted by Parliament
Consolidated text of the Commission and Council
Processing of national identification number
Member States may determine the specific conditions for the
processing of a national identification number or any other identifier
of general application.
In this case the national identification
number or any other identifier of general application shall be used
only under appropriate safeguards for
the rights and freedoms of
the data subject pursuant to this Regulation.
]
7
Article 81
Text adopted by Parliament
Consolidated text of the Commission and Council
Processing of personal data concerning health
1. In accordance with the rules set out in this Regulation, in particular
with point (h) of Article 9(2), processing of personal data concerning
health must be on the basis of Union law or Member State law which shall
provide for suitable, consistent, and specific measures to safeguard the
data subject's interests and fundamental rights, to the extent that these
are necessary and proportionate, and of which the effects shall be
foreseeable by the data subject, for:
(a) the purposes of preventive or occupational medicine, medical
diagnosis, the provision of care or treatment or the management of health-
care services, and where those data are processed by a health professional
subject to the obligation of professional secrecy or another person also
subject to an equivalent obligation of confidentiality under Member State
law or rules established by national competent bodies; or
(b) reasons of public interest in the area of public health, such as
protecting against serious cross-border threats to health or ensuring high
standards of quality and safety, inter alia for medicinal products or
medical devices, and if the processing is carried out by a person bound
by a confidentiality obligation; or
(c) other reasons of public interest in areas such as social protection,
[Processing of personal data
for
health -
related purposes
1
.
Within the limits of this Regulation and in accordance with
point
s (g) and
(h) of Article 9(2), processing of personal data
concerning health must be
referred to in Article 9(1) may be
processed
on the basis of Union law or Member State law which
shall provide
s
for suitable and specific measures to safeguard the
data subject's legitimate interests, and be
when
necessary for:
(a)
the purposes of preventive or occupational medicine,
medical diagnosis, the provision of care or treatment or the
management of health-care services, and where those data are
processed by a health professional subject to the obligation of
professional secrecy
under Union or Member State law or rules
established by national competent bodies to the obligation of
professional secrecy
or
by
another person also subject to an
equivalent obligation of confidentiality
secrecy
; under Member
State law or rules established by national competent bodies; or
(b)
reasons of public interest in the area of public health, such
as protecting against serious cross-border threats to health or
ensuring high standards of quality and safety,inter alia for
of health
60
especially in order to ensure the quality and cost-effectiveness of the
procedures used for settling claims for benefits and services in the health
insurance system and the provision of health services. Such processing
of personal data concerning health for reasons of public interest shall
not result in data being processed for other purposes, unless with the
consent of the data subject or on the basis of Union or Member State
law.
1a. When the purposes referred to in points (a) to (c) of paragraph 1 can
be achieved without the use of personal data, such data shall not be
used for those purposes, unless based on the consent of the data subject
or Member State law.
1b. Where the data subject's consent is required for the processing of
medical data exclusively for public health purposes of scientific
research, the consent may be given for one or more specific and similar
researches. However, the data subject may withdraw the consent at any
time.
1c. For the purpose of consenting to the participation in scientific
research activities in clinical trials, the relevant provisions of Directive
2001/20/EC of the European Parliament and of the Council
1
shall
apply.
2. Processing of personal data concerning health which is necessary for
historical, statistical or scientific research purposes shall be permitted
only with the consent of the data subject, and shall be subject to the
conditions and safeguards referred to in Article 83.
2a. Member States law may provide for exceptions to the requirement of
consent for research, as referred to in paragraph 2, with regard to
research that serves a high public interest, if that research cannot
possibly be carried out otherwise. The data in question shall be
anonymised, or if that is not possible for the research purposes,
pseudonymised under the highest technical standards, and all necessary
measures shall be taken to prevent unwarranted re-identification of the
data subjects. However, the data subject shall have the right to object at
care and
of
medicinal products or
medical devices; or
(c)
other reasons of public interest in areas such as social
protection, especially in order to ensure the quality and cost-
effectiveness of the procedures used for settling claims for benefits
and services in the health insurance system.
2.
Processing of personal data concerning health which is
necessary for historical, statistical or scientific research purposes,
such as patient registries set up for improving diagnoses and
differentiating between similar types of diseases and preparing
studies for therapies, is subject to the conditions and safeguards
referred to in Article 83
Articles 83a to 83d
.
3.
The Commission shall be empowered to adopt delegated
acts in accordance with Article 86 for the purpose of further
specifying other reasons of public interest in the area of public
health as referred to in point (b) of paragraph 1, as well as criteria
and requirements for the safeguards for the processing of personal
data for the purposes referred to in paragraph 1.]
8
Online Remove password from protected PDF fileOnline Remove Password from Protected PDF file. Download Free Trial. Remove password from protected PDF file. Find your password-protected PDF and upload it.
adding a password to a pdf using reader; pdf security password
52
any time in accordance with Article 19.
3. The Commission shall be empowered to adopt, after requesting an
opinion of the European Data Protection Board, delegated acts in
accordance with Article 86 for the purpose of further specifying public
interest in the area of public health as referred to in point (b) of paragraph
1 and high public interest in the area of research as referred to in
paragraph 2a.
3a. Each Member State shall notify to the Commission those provisions
of its law which it adopts pursuant to paragraph 1, by the date specified
in Article 91(2) at the latest and, without delay, any subsequent
amendment affecting them.
1
Directive 2001/20/EC of the European Parliament and of the Council
of 4 April 2001 on the approximation of the laws, regulations and
administrative provisions of the Member States relating to the
implementation of good clinical practices in the conduct of clinical
trials on medicinal products for human use (OJ L 121, 1.5.2001, p. 34).
Article 82
Text adopted by Parliament
Consolidated text of the Commission and Council
Minimum standards for processing data in the employment context
1. Member States may, in accordance with the rules set out in this
Regulation, and taking into account the principle of proportionality,
adopt by legal provisions specific rules regulating the processing of
employees' personal data in the employment context, in particular but not
limited to the purposes of the recruitment and job applications within the
group of undertakings, the performance of the contract of employment,
including discharge of obligations, laid down by law and by collective
agreements, in accordance with national law and practice, management,
planning and organisation of work, health and safety at work, and for the
purposes of the exercise and enjoyment, on an individual or collective
basis, of rights and benefits related to employment, and for the purpose of
Processing in the employment context
1.
[Within the limits of this Regulation,
]
9
Member States may
[adopt by law specific rules regulating
by law or by collective
agreements provide for more specific rules
to ensure the protection
of the rights and freedoms in respect of
the processing of
employees' personal data in the employment context, in particular
for the purposes of the recruitment, the performance of the contract
of employment, including discharge of obligations laid down by law
or by collective agreements, management, planning and
organisation of work, equality and diversity in the workplace
health
and safety at work, protection of employer’s or customer’s property
and for the purposes of the exercise and enjoyment, on an
49
the termination of the employment relationship. Member States may
allow for collective agreements to further specify the provisions set out
in this Article.
1a. The purpose of processing such data must be linked to the reason it
was collected for and stay within the context of employment. Profiling
or use for secondary purposes shall not be allowed.
1b. Consent of an employee shall not provide a legal basis for the
processing of data by the employer when the consent has not been given
freely.
1c. Notwithstanding the other provisions of this Regulation, the legal
provisions of Member States referred to in paragraph 1 shall include at
least the following minimum standards:
(a) the processing of employee data without the employees' knowledge
shall not be permitted. Notwithstanding the first sentence, Member
States may, by law, provide for the admissibility of this practice, by
setting appropriate deadlines for the deletion of data, providing there
exists a suspicion based on factual indications that must be documented
that the employee has committed a crime or serious dereliction of duty
in the employment context, providing also the collection of data is
necessary to clarify the matter and providing finally the nature and
extent of this data collection are necessary and proportionate to the
purpose for which it is intended. The privacy and private lives of
employees shall be protected at all times. The investigation shall be
carried out by the competent authority;
(b) the open optical-electronic and/or open acoustic-electronic
monitoring of parts of an undertaking which are not accessible to the
public and are used primarily by employees for private activities,
especially in bathrooms, changing rooms, rest areas, and bedrooms,
shall be prohibited. Clandestine surveillance shall be inadmissible
under all circumstances;
(c) where undertakings or authorities collect and process personal data
individual or collective basis, of rights and benefits related to
employment, and for the purpose of the termination of the
employment relationship.
2.
Each Member State shall notify to the Commission those
provisions of its law which it adopts pursuant to paragraph 1, by the
date specified in Article 91(2) at the latest and, without delay, any
subsequent amendment affecting them.
3.
[The Commission shall be empowered to adopt delegated
acts in accordance with Article 86 for the purpose of further
specifying the criteria and requirements for the safeguards for the
processing of personal data for the purposes referred to in
paragraph 1.
Member States may by law determine the conditions
under which personal data in the employment context may be
processed on the basis of the consent of the employee.]
10
33
in the context of medical examinations and/or aptitude tests, they must
explain to the applicant or employee beforehand the purpose for which
these data are being used, and ensure that afterwards they are provided
with these data together with the results, and that they receive an
explanation of their significance on request. Data collection for the
purpose of genetic testing and analyses shall be prohibited as a matter
of principle;
(d) whether and to what extent the use of telephone, e-mail, internet and
other telecommunications services shall also be permitted for private
use may be regulated by collective agreement. Where there is no
regulation by collective agreement, the employer shall reach an
agreement on this matter directly with the employee. In so far as private
use is permitted, the processing of accumulated traffic data shall be
permitted in particular to ensure data security, to ensure the proper
operation of telecommunications networks and telecommunications
services and for billing purposes.
Notwithstanding the third sentence, Member States may, by law, provide
for the admissibility of this practice, by setting appropriate deadlines for
the deletion of data, providing there exists a suspicion based on factual
indications that must be documented that the employee has committed a
crime or serious dereliction of duty in the employment context,
providing also the collection of data is necessary to clarify the matter
and providing finally the nature and extent of this data collection are
necessary and proportionate to the purpose for which it is intended. The
privacy and private lives of employees shall be protected at all times.
The investigation shall be carried out by the competent authority;
(e) workers’ personal data, especially sensitive data such as political
orientation and membership of and activities in trade unions, may
under no circumstances be used to put workers on so-called ‘blacklists’,
and to vet or bar them from future employment. The processing, the use
in the employment context, the drawing-up and passing-on of blacklists
of employees or other forms of discrimination shall be prohibited.
Member States shall conduct checks and adopt adequate sanctions in
30
accordance with Article 79(6) to ensure effective implementation of this
point.
1d. Transmission and processing of personal employee data between
legally independent undertakings within a group of undertakings and
with professionals providing legal and tax advice shall be permitted,
providing it is relevant to the operation of the business and is used for
the conduct of specific operations or administrative procedures and is
not contrary to the interests and fundamental rights of the person
concerned which are worthy of protection. Where employee data are
transmitted to a third country and/or to an international organization,
Chapter V shall apply.
2. Each Member State shall notify to the Commission those provisions of
its law which it adopts pursuant to paragraphs 1 and 1b, by the date
specified in Article 91(2) at the latest and, without delay, any subsequent
amendment affecting them.
3. The Commission shall be empowered, after requesting an opinion
from the European Data Protection Board, to adopt delegated acts in
accordance with Article 86 for the purpose of further specifying the
criteria and requirements for the safeguards for the processing of personal
data for the purposes referred to in paragraph 1.
Article 82a
Text adopted by Parliament
Consolidated text of the Commission and Council
Processing in the social security context
1. Member States may, in accordance with the rules set out in this
Regulation, adopt specific legislative rules particularising the conditions
for the processing of personal data by their public institutions and
departments in the social security context if carried out in the public
interest.
2. Each Member State shall notify to the Commission those provisions
50
which it adopts pursuant to paragraph 1, by the date specified in Article
91(2) at the latest and, without delay, any subsequent amendment
affecting them.
Article 83
Text adopted by Parliament
Consolidated text of the Commission and Council
Processing for historical, statistical and scientific research purposes
1. In accordance with the rules set out in this Regulation, personal data
may be processed for historical, statistical or scientific research purposes
only if:
(a) these purposes cannot be otherwise fulfilled by processing data which
does not permit or not any longer permit the identification of the data
subject;
(b) data enabling the attribution of information to an identified or
identifiable data subject is kept separately from the other information
under the highest technical standards, and all necessary measures are
taken to prevent unwarranted re-identification of the data subjects.
Processing for historical, statistical and scientific research
purposes
Derogations applying to processing of personal data for
archiving, scientific, statistical and historical purposes
1.
Within the limits of this Regulation, personal data may be
processed for historical, statistical or scientific research purposes
only if:
(a)
these purposes cannot be otherwise fulfilled by processing
data which does not permit or not any longer permit the
identification of the data subject;
(b)
data enabling the attribution of information to an identified or
identifiable data subject is kept separately from the other
information as long as these purposes can be fulfilled in this
manner.
2.
Bodies conducting historical, statistical or scientific research
may publish or otherwise publicly disclose personal data only if:
(a)
the data subject has given consent, subject to the conditions
laid down in Article 7;
(b)
the publication of personal data is necessary to present
research findings or to facilitate research insofar as the interests or
the fundamental rights or freedoms of the data subject do not
override these interests; or
(c)
the data subject has made the data public.
3.
The Commission shall be empowered to adopt delegated
acts in accordance with Article 86 for the purpose of further
53
specifying the criteria and requirements for the processing of
personal data for the purposes referred to in paragraph 1 and 2 as
well as any necessary limitations on the rights of information to and
access by the data subject and detailing the conditions and
safeguards for the rights of the data subject under these
circumstances.
1.
Where personal data are processed for scientific, statistical
11
or historical purposes Union or Member State law may, subject to
appropriate safeguards for the rights and freedoms of the data
subject, provide for derogations from Articles 14a(1) and (2)
, 15,
16, 17, 17a, 17b, 18 and 19
12
,
insofar as such derogation is
necessary for the fulfilment of the specific purposes
.
1a.
Where personal data are processed for archiving purposes
in the public interest, Union or Member State law may, subject to
appropriate safeguards for the rights and freedoms of the data
subject, provide for derogations from Articles 14a(1) and (2)
, 15,
16, 17, 17a, 17b, 18, 19, 23, 32, 33 and 53 (1b)(d) and (e)
,
insofar
as such derogation is necessary for the fulfilment of these
purposes
13
.
1b.
In case a type of processing referred to in paragraph
s
1 and
1a serves at the same time another purpose, the derogations
allowed for apply only to the processing for the purposes referred
to in those paragraphs.
2
.
The appropriate safeguards referred to in paragraph
s 1 and
1 a
shall
be laid down in Union or Member State law and be such to
ensure that technological and/or organisational protection
measures pursuant to this Regulation are applied to the personal
data, to minimise the processing of personal data in pursuance of
the proportionality and necessity principles
, such as
pseudonymising the data,
unless those measures prevent
40
achieving the purpose of the processing and such purpose cannot
be otherwise fulfilled within reasonable means.
]
14
Article 83a
Text adopted by Parliament
Consolidated text of the Commission and Council
Processing of personal data by archive services
1. Once the initial processing for which they were collected has been
completed, personal data may be processed by archive services whose
main or mandatory task is to collect, conserve, provide information
about, exploit and disseminate archives in the public interest, in
particular in order to substantiate individuals’ rights or for historical,
statistical or scientific research purposes. These tasks shall be carried
out in accordance with the rules laid down by Member States
concerning access to and the release and dissemination of
administrative or archive documents and in accordance with the rules
set out in this Regulation, specifically with regard to consent and the
right to object.
2. Each Member State shall notify to the Commission provisions of its
law which it adopts pursuant to paragraph 1 by the date specified in
Article 91(2) at the latest and, without delay, any subsequent
amendment affecting them.
Article 84
Text adopted by Parliament
Consolidated text of the Commission and Council
Obligations of secrecy
1. In accordance with the rules set out in this Regulation, Member
States, shall ensure that specific rules are in place setting out the powers
Obligations of secrecy
1.
Within the limits of this Regulation,
Member States may
adopt specific rules to set out the investigative
powers by the
supervisory authorities laid down in points (da) and (db) of
Article
53(2
1
) in relation to controllers or processors that are subjects
65
by the supervisory authorities laid down in Article 53 in relation to
controllers or processors that are subjects under national law or rules
established by national competent bodies to an obligation of professional
secrecy or other equivalent obligations of secrecy, where this is necessary
and proportionate to reconcile the right of the protection of personal data
with the obligation of secrecy.These rules shall only apply with regard to
personal data which the controller or processor has received from or has
obtained in an activity covered by this obligation of secrecy.
2.
Each Member State shall notify to the Commission the rules
adopted pursuant to paragraph 1, by the date specified in Article 91(2) at
the latest and, without delay, any subsequent amendment affecting them.
under national
Union or Member State
law or rules established by
national competent bodies to an obligation of professional secrecy
or other equivalent obligations of secrecy or to a code of
professional ethics supervised and enforced by professional
bodies
, where this is necessary and proportionate to reconcile the
right of the protection of personal data with the obligation of
secrecy. These rules shall only apply with regard to personal data
which the controller or processor has received from or has obtained
in an activity covered by this obligation of secrecy.
2.
Each Member State shall notify to the Commission the rules
adopted pursuant to paragraph 1, by the date specified in Article
91(2) at the latest and, without delay, any subsequent amendment
affecting them
15
.
]
16
Article 85
Text adopted by Parliament
Consolidated text of the Commission and Council
Existing data protection rules of churches and religious associations
1. Where in a Member State, churches and religious associations or
communities apply, at the time of entry into force of this Regulation,
adequate rules relating to the protection of individuals with regard to the
processing of personal data, such rules may continue to apply, provided
that they are brought in line with the provisions of this Regulation.
2. Churches and religious associations which apply adequate rules in
accordance with paragraph 1 shall obtain a compliance opinion pursuant
to Article 38.
[Existing data protection rules of churches and religious
associations
1.
Where in a Member State, churches and religious
associations or communities apply, at the time of entry into force of
this Regulation, comprehensive rules relating to the protection of
individuals with regard to the processing of personal data, such
rules may continue to apply, provided that they are brought in line
with the provisions of this Regulation.
2.
Churches and religious associations which apply
comprehensive rules in accordance with paragraph 1 shall provide
for the establishment of an independent supervisory authority in
accordance with
be subject to the control of an independent
supervisory authority which may be specific, provided that it fulfils
the conditions laid down in
Chapter VI of this Regulation.]
17
Article 85a
Documents you may be interested
Documents you may be interested
