Article 8 - Processing of Sensitive Personal Data

(1) A Data Controller shall not process Sensitive Personal Data unless:
(A) the Data Subject has given his explicit consent to the Processing of that Personal Data;
(B) Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller in the field of employment law;
(C) Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent;
(D) the Processing is carried out by a foundation, association or any other non-profit seeking body in the course of its legitimate activities with appropriate guarantees that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed to a Third Party without the consent of the Data Subjects;
(E) the Processing relates to Personal Data which is manifestly made public by the Data Subject or is necessary for the establishment, exercise or defence of legal claims;
(F) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;
(G) Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the data subject's particular situation;
(H) Processing is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a Data Controller; or
(I) Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where that Personal Data is processed by a health professional subject under national laws or regulations established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
(2) Article 8(1) shall not apply if:
(A) a permit has been obtained to process Sensitive Personal Data from the QFC Authority; and
(B) the Data Controller applies adequate safeguards with respect to the processing of the Personal Data.
(3) An appeal against a decision of the QFC Authority to refuse to issue a permit to process Sensitive Personal Data may be made to the Tribunal.