§ GDPR · Article 9

GDPR Article 9: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 9 · All obligations · GDPR
At a glance
Article 9 of the GDPR imposes 13 obligations on Member States, association, controller and 3 other entity type(s).
§ Obligations

All obligations under Article 9

Obligation 1
Prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data concerning sex life or sexual orientation. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
controller
Action required
prohibit
Deadline
Penalty
Exemptions
None specified in paragraph 1; exemptions listed in paragraph 2.
Obligation 2
Ensure that processing of special categories of data is only carried out if the data subject has given explicit consent for one or more specified purposes, unless Union or Member State law provides that the prohibition may not be lifted by the data subject. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
controller
Action required
obtain consent
Deadline
Penalty
Exemptions
Where Union or Member State law provide that the prohibition may not be lifted by the data subject.
Obligation 3
Ensure that processing for employment and social security purposes is authorized by Union or Member State law or a collective agreement and provides for appropriate safeguards for the fundamental rights and interests of the data subject. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
controller
Sector scope
employment and social security
Action required
authorize
Deadline
Penalty
Obligation 4
Ensure that processing to protect vital interests is only carried out when the data subject is physically or legally incapable of giving consent. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
controller
Action required
verify incapacity
Deadline
Penalty
Obligation 5
Ensure that processing by not-for-profit bodies with political, philosophical, religious, or trade union aims includes appropriate safeguards, relates solely to members or persons with regular contact, and does not disclose data outside the body without consent. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
foundation, association, or not-for-profit body
Sector scope
not-for-profit with political, philosophical, religious, or trade union aim
Action required
implement safeguards
Deadline
Penalty
Obligation 6
Ensure that processing relates only to personal data which are manifestly made public by the data subject. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
controller
Action required
verify public status
Deadline
Penalty
Obligation 7
Ensure that processing for the establishment, exercise, or defence of legal claims is necessary for that purpose or when courts are acting in their judicial capacity. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
controller
Sector scope
legal claims
Action required
verify necessity
Deadline
Penalty
Obligation 8
Ensure that processing for reasons of substantial public interest is based on Union or Member State law that is proportionate, respects the essence of data protection rights, and provides suitable and specific measures to safeguard fundamental rights. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
controller
Sector scope
substantial public interest
Action required
implement safeguards
Deadline
Penalty
Obligation 9
Ensure that processing for preventive or occupational medicine, health care, or management of health systems is based on Union or Member State law or contract with a health professional and subject to conditions and safeguards in paragraph 3. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
controller
Sector scope
health and social care
Action required
implement safeguards
Deadline
Penalty
Obligation 10
Ensure that processing for public health reasons is based on Union or Member State law that provides for suitable and specific measures to safeguard rights and freedoms, particularly professional secrecy. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
controller
Sector scope
public health
Action required
implement safeguards
Deadline
Penalty
Obligation 11
Ensure that processing for archiving, scientific, historical research, or statistical purposes is in accordance with Article 89(1) and based on Union or Member State law that is proportionate, respects data protection rights, and provides suitable and specific safeguards. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
controller
Sector scope
archiving, research, statistics
Action required
implement safeguards
Deadline
Penalty
Obligation 12
Ensure that processing of special categories of data for health purposes is carried out by or under the responsibility of a professional subject to an obligation of professional secrecy under Union or Member State law or rules established by national competent bodies. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
health professional
Sector scope
health and social care
Action required
maintain secrecy
Deadline
Penalty
Obligation 13
Maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data, or data concerning health. Regulation (EU) 2016/679, Article 9, Article 9
Obligated entity
Member States
Action required
legislate
Deadline
Penalty
§ Frequently asked

Questions about Article 9

Who must comply with Article 9 of the GDPR? +
Member States, association, controller, foundation, health professional, or not-for-profit body.
What does Article 9 of the GDPR require? +
prohibit obtain consent authorize
Need a cross-border briefing on GDPR Article 9?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles