D. Opening clause (para. 4)
Art. 9(4) GDPR – What EU Member States may regulate in addition for genetic, biometric and health data.
At a Glance
Art. 9(4) allows EU Member States to introduce even stricter rules than the GDPR itself for three specific data categories. They may therefore tighten the GDPR in these areas – but not relax it.
To which data categories does para. 4 apply?
The opening clause applies only to these three categories:
| Data category | Does para. 4 apply? |
|---|---|
| Racial/ethnic origin | ❌ No |
| Political opinions | ❌ No |
| Religious/philosophical beliefs | ❌ No |
| Trade union membership | ❌ No |
| Genetic data | ✅ Yes |
| Biometric data | ✅ Yes |
| Health data | ✅ Yes |
| Sex life/sexual orientation | ❌ No |
Why precisely these three? Because these categories are particularly exposed to rapid change driven by technological developments, which made a need for national regulation foreseeable.
What Member States may do on this basis
On the basis of Art. 9(4), Member States may:
- Lay down additional conditions for permitting processing (e.g. official authorisation)
- Introduce purpose limitations (e.g. genetic data only for specific medical purposes)
- Order prohibitions of processing in sub-areas (e.g. genetic analysis by employers prohibited)
- Prescribe organisational duties (e.g. separation of genetic data from other data)
- Set retention periods
What they may not do
What Germany has regulated
Germany has made use of the opening clause in several laws:
| Data category | Law | Key content |
|---|---|---|
| Genetic data | Gendiagnostikgesetz (GenDG) | Prohibition without consent; specific consent form; right not to know |
| Health data | § 22(2) BDSG | Obligation to take technical and organisational protective measures |
| Health data | §§ 295 et seq. SGB V | Special billing rules for statutory health insurance data |
| Biometric data | State police and public-order laws | Restrictions on the use of biometric recognition |
The Gendiagnostikgesetz (GenDG) as the most important example
The GenDG is stricter than the GDPR on the following points:
- Right not to know (§ 9 GenDG): Data subjects can refuse to be informed of genetic findings
- Qualified consent (§ 8 GenDG): Stricter requirements than under Art. 7 GDPR
- Prohibition of discrimination (§§ 18–21 GenDG): Employers and insurers may neither require genetic tests nor use their results
- Doctor's responsibility (§ 7 GenDG): Genetic testing for medical purposes may only be initiated by doctors
Conflict-of-laws rule: Where the GenDG is stricter than the GDPR, the GenDG takes precedence. In case of doubt, what is more favourable for the data subject applies.
Frequently Asked Questions (FAQ)
May Germany tighten the GDPR for all sensitive data categories? No – only for genetic data, biometric data and health data. For the other categories there is no national scope under para. 4.
Can a national law subsequently authorise processing prohibited under Art. 9(2)? No. Art. 9(4) only allows tightening – not weakening of the GDPR's level of protection.
Does the GenDG apply alongside the GDPR? Yes. Both apply simultaneously. Where the GenDG is stricter, the GenDG applies. Where the GDPR is stricter, the GDPR applies.