Chapter 9 of the GDPR addresses specific processing situations where the general data protection rules need nuanced considerations. It ensures that while personal data is adequately protected, legitimate activities—such as research, journalism, and public access to information—can continue unhindered, thereby fostering a balanced approach to data privacy in diverse societal contexts.
Article 85: Processing and freedom of expression and information
Article 85 of the GDPR addresses the reconciliation between the right to personal data protection and the right to freedom of expression and information, particularly in contexts involving journalistic, academic, artistic, or literary purposes.
Reconciliation requirement:
- Member States are mandated to establish laws that reconcile the protection of personal data under the GDPR with the rights to freedom of expression and information.
- This reconciliation applies specifically to processing activities carried out for journalistic purposes, as well as for academic, artistic, or literary expression.
Exemptions and derogations:
- Member States have the authority to introduce exemptions or derogations from certain GDPR provisions to facilitate the aforementioned processing activities.
- The exemptions or derogations can affect the following chapters of the GDPR:
  - Chapter II: Principles relating to the processing of personal data.
  - Chapter III: Rights of the data subject.
  - Chapter IV: Obligations of controllers and processors.
  - Chapter V: Transfer of personal data to third countries or international organizations.
  - Chapter VI: Independent supervisory authorities.
  - Chapter VII: Cooperation and consistency.
  - Chapter IX: Provisions relating to specific data processing situations.
Necessity requirement:
- These exemptions or derogations must be deemed necessary to balance the right to personal data protection with the rights to freedom of expression and information.
- This necessity is crucial to ensure that journalistic integrity, academic research, artistic creativity, and literary expression are not unduly restricted by stringent data protection rules.
Notification requirement:
- Each Member State is required to notify the European Commission of the specific provisions of its national law that implement the exemptions or derogations outlined in Article 85.
- Member States must promptly notify the Commission of any subsequent amendments to these provisions.
Example
Imagine a journalist uncovering a data security breach at a large social media company. The investigation may involve processing personal information about employees or user accounts to gather evidence. Under Article 85, Member States could allow for some derogations from data subject rights, such as temporarily limiting access rights to specific data while the investigation unfolds. This ensures the journalist's freedom to publish information in the public interest while also considering the privacy rights of individuals involved.
Article 86: Processing and public access to official documents
Article 86 tackles the potential conflict between public access to official documents and the protection of personal data they may contain. It emphasizes the need to find a balance between these two competing interests.
Scope: This article applies to personal data contained within official documents held by:
- Public authorities
- Public bodies
- Private bodies performing tasks in the public interest (e.g., a company managing public transportation)
Disclosure for public access: These authorities or bodies can disclose personal data in official documents, but only under specific conditions:
EU or Member State law: The disclosure must comply with relevant laws governing public access to official documents within the EU or the specific Member State.
Reconciling rights: The disclosure must be necessary to achieve a balance between the public's right to access these documents and the right to data privacy of individuals whose data is included.
Article 87: Processing of the national identification number
Article 87 deals with the processing of national identification numbers (NINs) and other identifiers of general application. It grants some flexibility to EU Member States while emphasizing the importance of safeguards for data subjects.
Member State discretion: The GDPR acknowledges that different EU countries may have unique national identification systems or other general identifiers used for various purposes. This article allows Member States to establish specific conditions for processing these identifiers within their national legal frameworks.
Mandatory safeguards: Regardless of any national regulations, any processing of national identification numbers or general identifiers must always be done under appropriate safeguards to protect the rights and freedoms of data subjects as outlined in the GDPR. These safeguards could include:
- Strict access controls to limit who can access the data.
- Data minimization practices, using only the minimum data necessary for the specific purpose.
- Strong cybersecurity measures to protect against data breaches.
- Defined data retention periods and secure data deletion procedures.
Article 88: Processing in the context of employment
Article 88 of the GDPR acknowledges the unique considerations surrounding employee data processing. It grants EU Member States flexibility to establish additional, more specific rules within their national laws or through collective agreements. However, these rules must always aim to protect the rights and freedoms of employees regarding their personal data.
Member State flexibility: The GDPR recognizes that employment practices may vary across EU countries. This article allows Member States to create additional regulations or leverage existing collective bargaining agreements to address employee data privacy more comprehensively within their specific contexts.
Focus on employee rights: These additional rules must prioritize the protection of employees' rights and freedoms concerning their personal data processed in the employment context. This includes processing for various purposes, such as:
- Recruitment
- Employment contract performance (including legal or collective agreement obligations)
- Work management, planning, and organization
- Workplace equality and diversity
- Health and safety at work
- Protecting employer or customer property
- Exercising and enjoying employment-related rights and benefits (individual or collective)
- Termination of employment
Mandatory safeguards: Any additional rules established by Member States must incorporate specific and effective measures to safeguard the following aspects of employee data processing:
Transparency: Employees should have clear and accessible information about how their personal data is collected, used, and stored.
Data transfers: If employee data is transferred within a company group or to entities involved in joint economic activities, safeguards to protect employee privacy during the transfer are crucial.
Workplace monitoring: Any monitoring systems implemented in the workplace (e.g., email monitoring or video surveillance) must be done with appropriate justification and in a way that minimizes privacy intrusions.
Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Article 89 addresses the safeguards and derogations related to how personal data is processed for archiving purposes in the public interest, as well as for scientific, historical research, or statistical purposes. The key points of Article 89 are as follows: safeguards for processing; derogations for scientific or historical research, or statistical purposes; and derogations for archiving purposes in the public interest.
Safeguards for processing
Processing personal data for the specified purposes must be done with appropriate safeguards to protect the rights and freedoms of data subjects. These safeguards include technical and organizational measures, particularly emphasizing the principle of data minimization. One of the key measures mentioned is pseudonymization, which is the process of altering personal data so that it can no longer be attributed to a specific data subject without additional information. If the purposes of processing can be achieved without identifying the data subjects, then the processing should be done in that manner.
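The safeguards above in working form, as an added example that is not part of the original page: direct identifiers are dropped from a research extract (data minimisation) and each subject is replaced by a keyed pseudonym whose linkage table, the "additional information", is returned separately so it can be stored apart from the dataset. The sample records, field names and 16-character token length are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration only; the people do not exist.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org",
     "national_id": "000-01", "age": 34, "diagnosis": "A12"},
    {"name": "Bob Example", "email": "bob@example.org",
     "national_id": "000-02", "age": 51, "diagnosis": "B07"},
    {"name": "Alice Example", "email": "alice@example.org",
     "national_id": "000-01", "age": 34, "diagnosis": "C03"},
]
DIRECT_IDENTIFIERS = ("name", "email", "national_id")
RESEARCH_FIELDS = ("age", "diagnosis")  # the minimum the study purpose needs

def pseudonym(national_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): the same subject always gets the same
    token, so records stay linkable, but without the key the token cannot be
    reversed or recomputed by hashing guessed identifiers."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key: bytes):
    """Split records into (research_dataset, linkage_table).

    The dataset keeps only the pseudonym plus RESEARCH_FIELDS (data
    minimisation). The linkage table (pseudonym -> national_id) is the
    'additional information' and must be stored separately from the dataset,
    with the key, under its own access controls."""
    dataset, linkage = [], {}
    for r in records:
        token = pseudonym(r["national_id"], key)
        linkage[token] = r["national_id"]
        dataset.append({"subject": token, **{f: r[f] for f in RESEARCH_FIELDS}})
    return dataset, linkage

def has_direct_identifiers(dataset) -> bool:
    """Release check: True if any direct-identifier column survived."""
    return any(f in row for row in dataset for f in DIRECT_IDENTIFIERS)

def reidentify(token: str, linkage: dict):
    """Only the party holding the separately stored linkage table can do this."""
    return linkage.get(token)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once, kept with the linkage table
    dataset, linkage = pseudonymise(RECORDS, key)
    print(dataset, has_direct_identifiers(dataset))
```

Whoever receives only the dataset can study age and diagnosis across linked visits of the same subject but cannot name anyone; re-identification requires both the key and the linkage table.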
Derogations for scientific or historical research, or statistical purposes
For scientific or historical research purposes or statistical purposes, Union or Member State law may allow derogations from certain rights of data subjects. These rights include:
- Article 15: Right of access by the data subject
- Article 16: Right to rectification
- Article 18: Right to restriction of processing
- Article 21: Right to object
These derogations are permitted only if respecting these rights would make achieving the research or statistical purposes impossible or would seriously impair it, and only to the extent that the derogations are necessary to fulfill those purposes.
Derogations for archiving purposes in the public interest
For archiving purposes in the public interest, similar derogations may be provided by Union or Member State law. The rights from which derogations can be made in this context include:
- Article 15: Right of access by the data subject
- Article 16: Right to rectification
- Article 18: Right to restriction of processing
- Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Article 20: Right to data portability
- Article 21: Right to object
Again, these derogations are allowed only if respecting these rights would make achieving the archiving purposes impossible or would seriously impair it, and only to the extent that the derogations are necessary to fulfill those purposes.
Article 90: Obligations of secrecy
Article 90 acknowledges situations where data protection principles might conflict with professional secrecy obligations. It grants EU Member States some flexibility to define how supervisory authorities (SAs) can exercise their investigative powers in such cases.
Professional secrecy vs. data protection: This article recognizes that certain professions (e.g., lawyers or doctors) have legal or ethical obligations to maintain confidentiality (professional secrecy) about client or patient data. Article 90 allows Member States to establish specific rules for how these obligations interact with the GDPR's data protection requirements.
Proportionate balance: Member States can define the powers of SAs when investigating data controllers or processors who are subject to professional secrecy obligations. This allows the authorities to fulfill their data protection oversight role while respecting professional secrecy within these specific contexts. This balance needs to be both necessary and proportionate.
Limited scope: These special rules established by Member States can only apply to personal data that the controller or processor obtained through activities covered by their professional secrecy obligation. For example, a lawyer's client data would be covered, but general website visitor data wouldn't.
Article 91: Existing data protection rules of churches and religious associations
Article 91 of the GDPR acknowledges the unique situation of churches and religious associations. It allows them to potentially continue using existing data protection rules under certain conditions.
Existing rules: If, at the time the GDPR came into effect, a Member State had comprehensive data protection rules specifically for churches and religious associations, these existing rules could potentially continue to apply.
Alignment with GDPR: However, this is only possible if the existing rules are brought into line with the core principles and requirements of the GDPR. This ensures a minimum level of data protection for individuals.
Independent supervision: Churches and religious associations relying on existing rules under this article are still subject to independent SA oversight. The SA can be specific to religious organizations, but it must still fulfill the independence and competence requirements outlined in Chapter VI of the GDPR.
Disclaimer: This guide has been created using information provided by official GDPR documents.