An online marketplace operator that is the controller of the personal data in advertisements published on its marketplace must, before publication and by appropriate technical and organisational measures, identify advertisements containing sensitive data within the meaning of Article 9(1). It must verify whether the user seeking to publish such an advertisement is the person whose sensitive data appear in it. If not, it must refuse publication unless that user shows that the data subject gave explicit consent within the meaning of Article 9(2)(a), or that another exception in Article 9(2)(b) to (j) applies.

An online marketplace operator that is the controller of the personal data in advertisements published on its marketplace must implement appropriate technical and organisational security measures to prevent advertisements published there that contain sensitive data within the meaning of Article 9(1) from being copied and unlawfully published on other websites.

Under Article 88(1) and (2) of Regulation 2016/679, a national-law provision on the processing of personal data for the purposes of employment relationships that was adopted pursuant to Article 88(1) must require its addressees to comply not only with Article 88(2), but also with Article 5, Article 6(1), and Article 9(1) and (2).

Where a collective agreement falls within Article 88(1) of Regulation 2016/679, the parties' discretion to decide whether processing is 'necessary' under Articles 5, 6(1) and 9(1) and (2) does not prevent the national court from carrying out a full judicial review of that question.

The fact that a person made a statement about his or her sexual orientation during a panel discussion open to the public does not authorise the operator of an online social network platform to process other data relating to that person's sexual orientation, obtained where relevant outside that platform through partner third-party websites and apps, in order to aggregate and analyse those data for personalised advertising.

Under Article 8(1) of Directive 95/46 and Article 9(1) of Regulation 2016/679, where the operator of a pharmacy markets pharmacy-only medicinal products on an online platform, the information customers enter when ordering online - such as their name, delivery address and the details required for individualising the medicinal products - is data concerning health, even where the sale of those medicinal products does not require a prescription.

Article 9(2)(h) of Regulation 2016/679 covers a medical examination body's processing of health data about one of its employees, even where it acts not as employer but as a medical service, in order to assess that employee's working capacity - provided that the processing satisfies the conditions and guarantees expressly imposed by Article 9(2)(h) and Article 9(3).

Article 9(3) of Regulation 2016/679 does not itself require a controller processing health data on the basis of Article 9(2)(h) to ensure that no colleague of the data subject can access the data. That obligation may nonetheless arise under national rules adopted under Article 9(4) or under the integrity and confidentiality principles in Article 5(1)(f), as defined in Article 32(1)(a) and (b).

Processing health data under Article 9(2)(h) is lawful only if it meets the requirements of that provision and also satisfies at least one condition in Article 6(1).

An online social network operator processes "special categories of personal data" when it collects, by means of integrated interfaces, cookies or similar storage technologies, data from a user's visits to websites or apps related to one or more Article 9(1) categories and any information entered there, links those data to the user's social network account, and uses them - where that processing allows information falling within one of those categories to be revealed, even if the information concerns another natural person. That processing is in principle prohibited, subject to the derogations provided for in Article 9(2).

A user of an online social network does not manifestly make public, within the meaning of Article 9(2)(e), the data relating to visits to websites or apps connected with one or more Article 9(1) categories when that data is collected by the operator via cookies or similar storage technologies. Data entered into those websites or apps, or resulting from clicking or tapping buttons such as "Like", "Share", or login buttons linked to the user's social network account, telephone number or email address, is manifestly made public only if the user explicitly chose beforehand - as the case may be through individual settings selected with full knowledge of the facts - to make the data relating to him or her publicly accessible to an unlimited number of persons.

A dominant position in the market for online social networks does not by itself prevent users from validly consenting, within the meaning of Article 4(11) of Regulation 2016/679, under point (a) of the first subparagraph of Article 6(1) and Article 9(2)(a) of that regulation, to the operator's processing of their personal data. But dominance is an important factor in deciding whether that consent was in fact valid, in particular freely given, and the operator must prove that it was.

Publishing on the website of the public authority that collects and checks declarations of private interests personal data that can indirectly reveal a natural person's sexual orientation is processing of special categories of personal data.