
Is Art. 9 GDPR an independent legal basis?

Art. 9(2) of the General Data Protection Regulation (GDPR) governs the processing of particularly sensitive data. Until now, it was unclear whether an additional legal basis under Art. 6(1) GDPR was also required. The Court of Justice of the European Union has now provided legal certainty.

The GDPR as a prohibitive law

The purpose of the GDPR is to protect individuals when their personal data is being processed. To effectively achieve this purpose, any processing of personal data requires a legal basis – that is, a specific reason on the part of the controller justifying why they are permitted to process the data in question. Without such a legal basis, personal data may not be processed.

For this reason, the GDPR is referred to as a prohibitive law subject to authorisation. These authorisations or legal bases are exhaustively set out in the GDPR.

We examine the relationship between the different legal bases in light of existing opinions and case law. Is there a hierarchy? And how should the associated legal consequences be assessed?

Conditions for permission in the GDPR

Legal bases for processing are found in Chapter II of the GDPR, which deals with the principles. On the one hand, they are set out in Art. 6(1), first subparagraph, points (a) to (f) GDPR, and apply generally to any processing of personal data. For instance, processing may be lawful on the basis of the data subject’s consent, or if it is necessary for the performance of a contract or for the purposes of the legitimate interests pursued by the controller.

On the other hand, there are additional requirements in Art. 9(2)(a) to (j) GDPR for the processing of particularly sensitive personal data. Particularly sensitive data means personal data revealing:

  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership,
  • genetic or biometric characteristics,
  • health,
  • sexual life or sexual orientation.

These additional requirements include, among other things, explicit consent to the processing, necessity for the protection of vital interests, the establishment, exercise or defence of legal claims, or the protection of public health. The processing of sensitive data must therefore either be necessary for specific purposes or the data subject must consent to the processing.

Previous legal discussion on Art. 6 and 9 GDPR

There had previously been disagreement as to whether the processing of sensitive personal data requires both a legal basis under Art. 6(1) GDPR and, in addition, the fulfilment of one of the conditions set out in Art. 9(2) GDPR or whether the latter provisions themselves could serve as independent legal bases for the processing of sensitive data, making Art. 6(1) GDPR irrelevant.

The view that the cases in Art. 9(2) GDPR constitute independent legal bases was supported by parts of the legal literature, case law, and the Austrian Data Protection Authority. This position is based on the fact that, within the structure of the GDPR, Art. 6(1) and 9(2) are not explicitly linked, as there is no requirement stated anywhere that both must be fulfilled cumulatively. In particular, other provisions often use the wording “Art. 6(1) or Art. 9(2)” rather than “and” or “as well as.”

Furthermore, Art. 9(2) GDPR does not introduce new legal bases that diverge from those in Art. 6 GDPR. Instead, the legal bases set out in Art. 6 GDPR are always implicitly included within those of Art. 9(2).

Thus, according to this view, when relying on Art. 9(2) GDPR, the application of Art. 6(1) GDPR is generally considered unnecessary.

According to the opposing view, supported by parts of the case law and legal literature, as well as the German Data Protection Conference (DSK), Art. 6(1) GDPR cannot be relied upon for the processing of sensitive data if none of the cases under Art. 9(2) GDPR applies. Conversely, processing cannot be based on Art. 9(2) GDPR alone without also meeting the requirements of Art. 6(1) GDPR at the same time.

This is derived, among other things, from Recital 51, sentence 5 of the GDPR:

“In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing”.

Due to the greater intensity of interference, higher requirements must be met to justify the intrusion. Therefore, Art. 9(2) GDPR is to be applied in addition to, and not as an alternative to, Art. 6(1) GDPR (Short Paper No. 17 of the DSK, p. 2).


Case law on the lawfulness of data processing

In its judgment of December 21, 2023 (Case No. C-667/21), the Court of Justice of the European Union (CJEU) aligned itself with the second view. Art. 6(1) of the GDPR is a general principle concerning the lawful processing of personal data and, like the other principles from Chapter II of the GDPR (e.g., purpose limitation and data minimisation), must be fulfilled for the processing of personal data to be lawful. Art. 6(1), first subparagraph, letters (a) to (f) GDPR constitutes an exhaustive and final list of the cases in which processing can be considered lawful. If processing does not fall under one of these cases, it cannot be lawfully conducted.

With this, the CJEU further clarifies the statements in its earlier judgments, in which it had already expressed this position, more briefly but in the same wording, such as in the judgment of July 4, 2023 (Case No. C-252/21, para. 90) and the judgment of June 22, 2021 (Case No. C-439/19, para. 99).

Art. 9(2) GDPR, as part of Art. 7 to 11 GDPR, specifies for sensitive data the obligations incumbent on the controller under Art. 5(1)(a) GDPR and Art. 6(1) GDPR. It follows that processing based on a case under Art. 9(2) GDPR is only lawful if it also complies with Art. 5(1)(a) GDPR and Art. 6(1) GDPR.

Thus, even in the case of sensitive data, processing must always be based on at least one of the legal grounds listed in Art. 6(1). With this, the CJEU eliminates any remaining doubts regarding the legal basis for the processing of sensitive data.

Significance for data protection practice

In practice, processing under Art. 6(1) GDPR is usually lawful if a condition under Art. 9(2) GDPR is met. The practical relevance of the question concerning the requirements for processing sensitive data has always been limited to cases where the processing is lawful under Art. 9(2) GDPR, but the specific alternatives in Art. 9(2) do not simultaneously fulfil the requirements of a legal basis under Art. 6(1) GDPR.

The most prominent exception of this kind is found in Art. 9(2)(e) GDPR. According to this provision, sensitive data may be processed if the data subject has clearly made them public themselves. This issue takes on critical significance in the context of press law and, for example, in cases involving so-called enemy lists. These are lists containing names and – depending on their structure – additional contact and personal data of individuals, intended to reflect or suggest the political stance of those individuals or their support for political causes. These are personal data revealing the political opinions of the data subjects and therefore qualify as sensitive data under Art. 9(1) GDPR.

Such information is often sourced from online platforms where the individuals themselves made their data publicly accessible, for example, in the context of donation campaigns or petitions.

By compiling this information and publishing it on specific websites, the personal data are presented to a new audience. As a result, the individuals concerned are significantly more likely to become victims of violations of their privacy and other rights. This may range from online harassment to physical attacks.

The German legislator and judiciary have already responded to such cases in other ways. On the one hand, § 126a of the German Criminal Code (StGB) was introduced, which criminalizes the harmful dissemination of personal data. On the other hand, claims for injunctive relief and damages could be pursued under §§ 1004, 823 of the German Civil Code (BGB) in conjunction with the violation of the right to informational self-determination.

From a purely data protection perspective, however, such processing of personal data could have been considered lawful under Art. 9(2)(e) GDPR, assuming the view that Art. 9(2) GDPR constitutes an independent legal basis, because the data were made openly accessible through the data subject’s own decision on the original website. This classification only changes if one interprets the provision as implying a specific purpose for the publication, which is not reflected in the actual wording. No balancing of interests would be required either.

If someone has made sensitive data public themselves, those data would no longer be effectively protected. Although the data subject has a right of withdrawal against the controller of the website where the data were originally published (requiring deletion of the data processed based on consent), it remains questionable how such withdrawal would affect a third party relying on Art. 9(2)(e) GDPR. Moreover, no right to object under Art. 21(1) GDPR exists in this case, which would otherwise apply if processing were based on the controller’s legitimate interests. Added to this are the practical difficulties of tracing such dissemination.

Recommendations for action

Anyone who has so far relied solely on the specific cases listed in Art. 9(2) GDPR must now additionally refer to a legal basis under Art. 6(1) GDPR. This has particular implications for data protection information provided to data subjects, the record of processing activities, and internal data protection policies and frameworks. These should be updated accordingly.

In some cases, it may also be necessary to carry out an additional balancing of interests, especially if Art. 9 GDPR is supplemented by reliance on the fallback legal basis of legitimate interests (Art. 6(1)(f) GDPR).

Therefore, make sure that your entire data protection documentation is up to date. The most reliable way to ensure this is through a well-implemented data protection management system (DPMS) and an experienced Data Protection Officer.
