Vital interest and data protection

Image by Camilo Jimenez from Unsplash.

In recital 4 of the GDPR, the legislator determines that the right to data protection is designed to serve humanity and is not an absolute right, but must be considered in relation to its function in society and maintain a balance with other fundamental rights, proposing, on a case-by-case basis, the concept of proportionality and weighing of rights with the aim of guaranteeing the appropriate balance of legal rights at stake.

In that line of proportionality and weighting, recital 46 states that the lawfulness of the processing or the lifting of the prohibition on processing special categories of data where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person, should only be understood on the basis of the vital interest of a natural person where the processing cannot manifestly be based on a different legal basis. 

The concept of "Necessary for the protection of an interest essential to the life of a person" should be defined on the basis of the following requirements:

• The processing of personal data is to protect the life of a person: It is required to process personal data with the aim of safeguarding the life of a person.
• It would not be possible to safeguard a person's life if the processing is not carried out: that is, there is an interest "essential for life". The processing of personal data must be necessary and suitable to reasonably protect a vital interest essential to the life of a person, the data subject himself or a third party. If it was possible to protect a person life in a less intrusive way, this legal basis would not apply.
• Health data: In most cases, vital interest will be invoked in a medical context and the processing of health data is not possible on the basis of the protection of an interest essential for the life of the data subject when the processing has in its purposes one of the objectives set out in Articles 6 and 9 of the GDPR other than the protection of an interest essential for the life of a natural person, for example, where the processing could be based on consent or where the processing is in the field of public health or healthcare on the basis of Member State or Union law or where the processing is necessary under a contract with a healthcare professional. On the other hand, GDPR in its article 9.2, letter c) requires that the data subject is incapable, physically or legally, to give consent, however, physical or legal incapacity does not automatically replace the rest of the purposes and objectives indicated in articles 6 and 9 of the GDPR.
• Implementation of proactive responsibility and risk management: The processing to protect a vital interest essential for the life of a natural person should be carried out as quickly as possible and should never be delayed by administrative hurdles. To protect the rights of data subjects, mechanisms for recording access to information systems and ex-post documentation on the assistance provided must already be foreseen.

These conditions are set out in Articles 6(1)(d) and 9(2)(c) of the GDPR. In general, these articles will apply in the processing of health data or special categories of data relating to the health of the data subject or of a third party in those cases in which not carrying out the processing may put the life of a person at reasonable risk and there is no other legal basis that identifies a purpose for which such processing is necessary. For example, when the data subject is unconscious in a case of medical emergency and is unable to give consent and such processing is necessary as set out in Article 9(2)(c) and Article 6(1)(d) of the GDPR. Or, as the AEPD has declared in its report 17/2020, in cases of epidemic and in accordance with Recital (46), this legal basis may be the basis for processing of "other natural persons" when "[it] responds to both important reasons of public interest and the vital interests of the data subject, such as when the processing is necessary for humanitarian purposes,  including the control of epidemics and their spread, or in humanitarian emergency situations, especially in the event of natural or man-made disasters.

When health data is necessary to provide data subjects with services related to their health in the performance of a mission in the public interest (Art. 6(1)(e) GDPR, or compliance with a legal obligation (Art. 6(1)(c) GDPR), we would not be in the cases indicated in Articles 6(1)(d) and 9(2)(c) of the GDPR  because the criteria of essential for for the life of data subject or that of another natural person is not met, then, urgency or emergency character is required by the GDPR for the application of the vital interest as a legal basis or to lift the prohibition of article 9.1 of the GDPR. It is also not possible to process special categories of data based on legitimate interest or the performance of a contract, as none of these purposes are among the exceptions indicated in article 9.2 of the GDPR, except for those contracts that have as their object the care of health professionals.

To conclude, Articles 9(2)(c) and 6(1)(d) of the GDPR establish a balancing system that protects the essential interest for the life of an individual (or of "other natural persons", for example in the event of pandemics) in cases where there may be a conflict with the right to the protection of personal data in situations where it is necessary to process data of the data subject or of a third party,  and not carrying out the processing of such data would imply a threat to the life of a person (data subject or third parties) in situations where it is not possible to obtain the consent of the data subject, circumstances that legitimise the processing of health data and make the vital interest essential to the life of individuals prevail over other considerations,  in the event that the circumstances exist that allow the use of said legal basis.

Of course, these conditions must be real and arise as a result of exceptional and specific situations that could not have been foreseen in advance and excludes any data processing that could be carried out for the regular provision of a service to the data subject or to a third party whose purposes could be within the rest of the considerations provided for in articles 6 and 9 of the GDPR other than those established in sections 9(2)(c) and 6(1)(d) GDPR.

This post is related to other materials published by the EDPB and other supervisory authorities:

• Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 [feb 2018]
• https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf [april 2014]
• https://www.autoriteprotectiondonnees.be/professionnel/rgpd-/bases-juridiques/sauvegarde-des-interets-vitaux
• https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/lawful-basis-for-processing/vital-interests/#viin3