Article 9 - Processing of special categories of personal data
8 preliminary rulingsJudgment of 2 Dec 2025, C-492/23 (Russmedia Digital and Inform Media Press) 
Article 5(2) and Articles 24 to 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)must be interpreted as meaning that the operator of an online marketplace, as controller, within the meaning of Article 4(7) of that regulation, of the personal data contained in advertisements published on its online marketplace, is required, before the publication of the advertisements and by means of appropriate technical and organisational measures,– to identify the advertisements that contain sensitive data in terms of Article 9(1) of that regulation,– to verify whether the user advertiser preparing to place such an advertisement is the person whose sensitive data appear in that advertisement and, if this is not the case,– to refuse publication of that advertisement, unless that user advertiser can demonstrate that the data subject has given his or her explicit consent to the data in question being published on that online marketplace, within the meaning of Article 9(2)(a), or that one of the other exceptions provided for in Article 9(2)(b) to (j) is satisfied.
Judgment of 4 Oct 2024, C-21/23 (Lindenapotheke)
Article 8(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and Article 9(1) of Regulation 2016/679, must be interpreted as meaning that, in a situation where the operator of a pharmacy markets pharmacy-only medicinal products on an online platform, the information which the customers of that operator enter when ordering the medicinal products online, such as their name, the delivery address and the details required for individualising the medicinal products, constitutes data concerning health, within the meaning of those provisions, even where the sale of those medicinal products does not require a prescription.
Judgment of 4 Oct 2024, C-446/21 (Schrems)
Article 9(2)(e) of Regulation 2016/679 must be interpreted as meaning that the fact that a person has made a statement about his or her sexual orientation on the occasion of a panel discussion open to the public does not authorise the operator of an online social network platform to process other data relating to that person’s sexual orientation, obtained, as the case may be, outside that platform using partner third-party websites and apps, with a view to aggregating and analysing those data, in order to offer that person personalised advertising.
Judgment of 21 Dec 2023, C-667/21 (Krankenversicherung Nordrhein)
Article9 (2)(h) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)must be interpreted as meaning that the exception provided for in that provision is applicable to situations in which a medical examination body processes data concerning the health of one of its employees acting not in its capacity as employer, but as a medical service, in order to assess the working capacity of that employee, provided that the processing concerned satisfies the conditions and guarantees expressly imposed by that point (h) and by Article 9 (3) of that regulation.
Article 9(3) of Regulation 2016/679 must be interpreted as meaning that the controller of data concerning health, based on Article 9(2)(h) of that regulation, is not required, under those provisions, to ensure that no colleague of the data subject can access data relating to his or her state of health. However, such an obligation may be imposed on the controller either under rules adopted by a Member State on the basis of Article 9(4) of that regulation or under the principles of integrity and confidentiality set out in Article 5(1)(f) of that regulation and defined in Article 32(1)(a) and (b) thereof.
Article 9 (2)(h) and Article 6(1) of Regulation 2016/679 must be interpreted as meaning that the processing of data concerning health based on the first provision must, in order to be lawful, not only comply with the requirements arising from that provision, but must also satisfy at least one of the conditions of lawfulness set out in Article 6(1) of that regulation.
Judgment of 4 Jul 2023, C-252/21 (Meta Platforms and Others)
Article 9(1) of Regulation 2016/679 must be interpreted as meaning that, where the user of an online social network visits websites or apps to which one or more of the categories referred to in that provision relate and, as the case may be, enters information into them when registering or when placing online orders, the processing of personal data by the operator of that online social network, which entails the collection – by means of integrated interfaces, cookies or similar storage technologies – of data from visits to those sites and apps and of the information entered by the user, the linking of all those data with the user’s social network account and the use of those data by that operator, must be regarded as ‘processing of special categories of personal data’ within the meaning of that provision, which is in principle prohibited, subject to the derogations provided for in Article 9(2), where that data processing allows information falling within one of those categories to be revealed, irrespective of whether that information concerns a user of that network or any other natural person;
Article 9(2)(e) of Regulation 2016/679 must be interpreted as meaning that, where the user of an online social network visits websites or apps to which one or more of the categories set out in Article 9(1) of that regulation relate, the user does not manifestly make public, within the meaning of the first of those provisions, the data relating to those visits collected by the operator of that online social network via cookies or similar storage technologies; Where he or she enters information into such websites or apps or where he or she clicks or taps on buttons integrated into those sites and apps, such as the ‘Like’ or ‘Share’ buttons or buttons enabling the user to identify himself or herself on those sites or apps using login credentials linked to his or her social network user account, his or her telephone number or email address, that user manifestly makes public, within the meaning of Article 9(2)(e), the data thus entered or resulting from the clicking or tapping on those buttons only in the circumstance where he or she has explicitly made the choice beforehand, as the case may be on the basis of individual settings selected with full knowledge of the facts, to make the data relating to him or her publicly accessible to an unlimited number of persons;
Judgment of 1 Aug 2022, C-184/20 (Vyriausioji tarnybinės etikos komisija)
Article 8(1) of Directive 95/46 and Article 9(1) of Regulation 2016/679 must be interpreted as meaning that the publication, on the website of the public authority responsible for collecting and checking the content of declarations of private interests, of personal data that are liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data, for the purpose of those provisions.
Judgment of 24 Sep 2019, C-136/17 (GC and Others)
The provisions of Article 8(1) and (5) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the prohibition or restrictions relating to the processing of special categories of personal data, mentioned in those provisions, apply also, subject to the exceptions provided for by the directive, to the operator of a search engine in the context of his responsibilities, powers and capabilities as the controller of the processing carried out in connection with the activity of the search engine, on the occasion of a verification performed by that operator, under the supervision of the competent national authorities, following a request by the data subject.
The provisions of Article 8(1) and (5) of Directive 95/46 must be interpreted as meaning that the operator of a search engine is in principle required by those provisions, subject to the exceptions provided for by the directive, to accede to requests for de-referencing in relation to links to web pages containing personal data falling within the special categories referred to by those provisions. Article 8(2)(e) of Directive 95/46 must be interpreted as meaning that, pursuant to that article, such an operator may refuse to accede to a request for de-referencing if he establishes that the links at issue lead to content comprising personal data falling within the special categories referred to in Article 8(1) but whose processing is covered by the exception in Article 8(2)(e) of the directive, provided that the processing satisfies all the other conditions of lawfulness laid down by the directive, and unless the data subject has the right under Article 14(a) of the directive to object to that processing on compelling legitimate grounds relating to his particular situation. The provisions of Directive 95/46 must be interpreted as meaning that, where the operator of a search engine has received a request for de-referencing relating to a link to a web page on which personal data falling within the special categories referred to in Article 8(1) or (5) of Directive 95/46 are published, the operator must, on the basis of all the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject’s fundamental rights to privacy and protection of personal data laid down in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, ascertain, having regard to the reasons of substantial public interest referred to in Article 8(4) of the directive and in compliance with the conditions laid down in that provision, whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search, protected by Article 11 of the Charter.
Judgment of 6 Nov 2003, C-101/01 (Bodil Lindqvist)
Reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.
