Legirel

Législation concernant les activités religieuses et l’organisation des cultes

Accueil > Personal Data Act (523/1999). Sections 11(2) and 12


Personal Data Act (523/1999)

Extracts

Chapter 3 — Sensitive data and personal identity number
Section 11 — Prohibition to process sensitive data
The processing of sensitive data is prohibited. Personal data are deemed to be sensitive, if they relate to or are intended to relate to :
(…)
(2) the social, political or religious affiliation or trade-union membership of a person ;
(…)

Section 12 — Derogations from the prohibition to process sensitive data
(1) The prohibition in section 11 does not prevent :
1. processing of data where the data subject has given an express consent ;
2. processing of data on the social, political or religious affiliation or trade-union membership of a person, where the person has himself/herself brought the data into the public domain ;
3. processing of data necessary for the safeguarding of a vital interest of the data subject or someone else, if the data subject is incapable of giving his/her consent ;
4. processing of data necessary for drafting or filing a lawsuit or for responding to or deciding of such a lawsuit ;
5. processing of data where based on the provisions of an Act or necessary for compliance with an obligation to which the controller is subject directly by virtue of an Act ;
6. processing of data for purposes of historical, scientific or statistical research ;
7. the processing of data on religious, political or social affiliation in the operations of an association or corporation professing such affiliation, where the data relate to members of the association or corporation or to persons connected to the association or corporation on a regular basis and in the context of the stated purposes of the association or corporation, and where the data is not disclosed to a third party without the consent of the data subject association or corporation, and where the data is not disclosed to a third party without the consent of the data subject ;
8. the processing of data on trade-union membership in the operations of a trade union or a federation of trade unions, where the data relate to the members of the union or federation or to persons connected to the union or federation on a regular basis and in the context of the stated purposes of the union or federation, and where the data is not disclosed to a third party without the consent of the data subject ;
9. the processing of data on trade-union membership, where necessary for the observation of the special rights and duties of the controller in the field of labour law ;
10. a health care unit or a health care professional from processing data collected in the course of their operations and relating to the state of health, illness or handicap of the data subject or the treatment or other measures directed at the data subject, or other data which are indispensable in the treatment of the data subject ;
11. an insurer from processing data collected in the course of its insurance activity and relating to the state of health, illness or handicap of the policyholder/claimant or the treatment or other measures directed at the policyholder/claimant, or data on the criminal act, punishment or other sanction of the policyholder/claimant or the person causing the damage, where necessary for the determination of the liability of the insurer ;
12. a social welfare authority or another authority, institution or private producer of social services granting social welfare benefits from processing data collected in the course of their operations and relating to the social welfare needs of the data subject or the benefits, support or other social welfare assistance received by the person or otherwise indispensable for the welfare of the data subject ; or processing of data where the Data Protection Board has issued a permission for the same, as provided in section 43(2).
(2) Sensitive data shall be erased from the data file immediately when there no longer is a reason for its processing, as provided in paragraph (1). The reason and the need for processing shall be re-evaluated at five-year intervals at the longest, unless otherwise provided in an Act or stated in a permission of the Data Protection Board referred to in paragraph (1)(13).

(Source : finlex.fi)