Definitions

Personal Data

Art. 4 (1) of the GDPR states that personal data reveal information about an identified or identifiable natural person. Personal data include an individual’s name, a picture, a phone number, even a professional phone number, a code, a bank account number, an e-mail address, a fingerprint, etc.

Please visit: https://gdpr-info.eu/art-9-gdpr/

Special Category of personal data

‘Special category of personal data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and data concerning health, sex life or judicial information.

Art. 9 of the GDPR contains rules about the processing of special categories of personal data. Sensitive data is personal data which reveals an individual’s racial and ethnic origin, political beliefs, religion, philosophical and moral convictions, trade union affiliation or membership, health, and sexual orientation, and also refers to genetic and biometric data.

Article 9(2) sets out the circumstances in which the processing of special categories of personal data, which is otherwise prohibited, may take place. These include, among others:

  • Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
  • Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement
  • Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.

Please visit: https://gdpr-info.eu/art-9-gdpr/

By derogation from Article 9 (1) of the GDPR, the processing of special categories of personal data as referred to in Article 9 (1) of Regulation (EU) 2016/679 shall be permitted:

  • by public and private bodies if:
    • processing is necessary to exercise the rights derived from the right of social security and social protection and to meet the related obligations;
    • processing is necessary for the purposes of preventive medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to the data subject’s contract with a health professional and if these data are processed by health professionals or other persons subject to the obligation of professional secrecy or under their supervision; or
    • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices; in addition to the measures referred to in subsection 2, in particular occupational and criminal law provisions to ensure professional secrecy shall be complied with;

  • by public bodies if:
    • processing is urgently necessary for reasons of substantial public interest;
    • processing is necessary to prevent a substantial threat to public security;
    • processing is urgently necessary to prevent substantial harm to the common good or to safeguard substantial concerns of the common good; or
    • processing is necessary for urgent reasons of defence or to fulfil supra- or intergovernmental obligations of a public body of the Federation in the field of crisis management or conflict prevention or for humanitarian measures;
  • and as far as the interests of the controller in data processing in the cases of no. 2 outweigh the interests of the data subject.

Please visit: the German Federal Data Protection Act (Bundesdatenschutzgesetz), Part 2, Section 22, Processing of special categories of personal data

https://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html#p0174

Consent

The GDPR definition of ‘consent’, written in Art. 4 (11), is: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Children’s age

In Germany, the age at which a child can provide valid consent is 16 years.