§ GDPR · Article 9
GDPR Article 9: Obligations, Deadlines & Penalties
At a glance
Article 9 of the GDPR imposes 13 obligations on Member States, association, controller and 3 other entity type(s).
§ Obligations
All obligations under Article 9
Obligation 1
Prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data concerning sex life or sexual orientation.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
controller
- Action required
-
prohibit
- Deadline
-
—
- Penalty
-
—
- Exemptions
- None specified in paragraph 1; exemptions listed in paragraph 2.
Obligation 2
Ensure that processing of special categories of data is only carried out if the data subject has given explicit consent for one or more specified purposes, unless Union or Member State law provides that the prohibition may not be lifted by the data subject.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
controller
- Action required
-
obtain consent
- Deadline
-
—
- Penalty
-
—
- Exemptions
- Where Union or Member State law provide that the prohibition may not be lifted by the data subject.
Obligation 3
Ensure that processing for employment and social security purposes is authorized by Union or Member State law or a collective agreement and provides for appropriate safeguards for the fundamental rights and interests of the data subject.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
controller
- Sector scope
- employment and social security
- Action required
-
authorize
- Deadline
-
—
- Penalty
-
—
Obligation 4
Ensure that processing to protect vital interests is only carried out when the data subject is physically or legally incapable of giving consent.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
controller
- Action required
-
verify incapacity
- Deadline
-
—
- Penalty
-
—
Obligation 5
Ensure that processing by not-for-profit bodies with political, philosophical, religious, or trade union aims includes appropriate safeguards, relates solely to members or persons with regular contact, and does not disclose data outside the body without consent.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
foundation, association, or not-for-profit body
- Sector scope
- not-for-profit with political, philosophical, religious, or trade union aim
- Action required
-
implement safeguards
- Deadline
-
—
- Penalty
-
—
Obligation 6
Ensure that processing relates only to personal data which are manifestly made public by the data subject.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
controller
- Action required
-
verify public status
- Deadline
-
—
- Penalty
-
—
Obligation 7
Ensure that processing for the establishment, exercise, or defence of legal claims is necessary for that purpose or when courts are acting in their judicial capacity.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
controller
- Sector scope
- legal claims
- Action required
-
verify necessity
- Deadline
-
—
- Penalty
-
—
Obligation 8
Ensure that processing for reasons of substantial public interest is based on Union or Member State law that is proportionate, respects the essence of data protection rights, and provides suitable and specific measures to safeguard fundamental rights.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
controller
- Sector scope
- substantial public interest
- Action required
-
implement safeguards
- Deadline
-
—
- Penalty
-
—
Obligation 9
Ensure that processing for preventive or occupational medicine, health care, or management of health systems is based on Union or Member State law or contract with a health professional and subject to conditions and safeguards in paragraph 3.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
controller
- Sector scope
- health and social care
- Action required
-
implement safeguards
- Deadline
-
—
- Penalty
-
—
Obligation 10
Ensure that processing for public health reasons is based on Union or Member State law that provides for suitable and specific measures to safeguard rights and freedoms, particularly professional secrecy.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
controller
- Sector scope
- public health
- Action required
-
implement safeguards
- Deadline
-
—
- Penalty
-
—
Obligation 11
Ensure that processing for archiving, scientific, historical research, or statistical purposes is in accordance with Article 89(1) and based on Union or Member State law that is proportionate, respects data protection rights, and provides suitable and specific safeguards.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
controller
- Sector scope
- archiving, research, statistics
- Action required
-
implement safeguards
- Deadline
-
—
- Penalty
-
—
Obligation 12
Ensure that processing of special categories of data for health purposes is carried out by or under the responsibility of a professional subject to an obligation of professional secrecy under Union or Member State law or rules established by national competent bodies.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
health professional
- Sector scope
- health and social care
- Action required
-
maintain secrecy
- Deadline
-
—
- Penalty
-
—
Obligation 13
Maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data, or data concerning health.
Regulation (EU) 2016/679, Article 9, Article 9
- Obligated entity
-
Member States
- Action required
-
legislate
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 9
Who must comply with Article 9 of the GDPR?
+
Member States, association, controller, foundation, health professional, or not-for-profit body.
What does Article 9 of the GDPR require?
+
prohibit obtain consent authorize