Please wait while the transcript is being prepared...
0:05
FEMALE SPEAKER: With regards
to the processing of data,
Article 9 has the general
provision about the ban
on processing of
sensitive data however
it also, like the directive,
provides for several exceptions.
And consent is one of these
exceptions like in the directive.
It is possible to process sensitive
data if it's necessary for health
purposes, and subject to conditions
and safeguards referred to
in Article 81, which means
safeguards of confidentiality
and security of data.
And finally importantly
for this talk,
processing is necessary for
scientific research purposes,
subject to the conditions
and safeguards
referred to in Article 83.
This is very interesting.
I will focus on that,
let me just shortly
summarize the consent provisions.
1:02
The process of genetic
data for example,
and personal data, health
data, is allowed with consent.
However this consent
has to be explicit,
and it is the controller who
will bear the burden of proof
for data subject consent.
So it's not for the
individual, the data subject,
to prove that they have given their
consent, this is for the controller
to do that.
If there are some competing or
cumulative purposes for processing,
the purpose requiring
consent requirement
must be clearly distinguished,
which might pose several problems
for research which trickles
down from other research which
is a continuation from
other research projects.
And also the consent,
which is important,
shall not provide a legal basis
for the processing, where there is
significant imbalance
between the position
of data subject and controller.
Which means if the controller
has the power over the data
subject to ask for the data,
and this data subject has really
no choice but to keep the data in
order to obtain let's say health
care or some treatment, consent
given by the data subject
might be questioned.
However, again, ambiguous
provisions don't really
say much about the situations
in which this would be so.
I guess we have to say that this
would have to be decided by courts
on a case by case basis
or by data protection
authorities in each country.
