3. Processing of Sensitive Personal Data
(1) Sensitive Personal Data shall not be Processed unless —
(a) the Data Subject has given an additional written consent to the Processing of this kind of Personal Data;
(b) Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller;
(c) Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent;
(d) Processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body on condition that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data are not disclosed to a Third Party without the consent of the Data Subjects;
(e) the Processing relates to Personal Data which are manifestly made public by the Data Subject, or is necessary for the establishment, exercise or defence of legal claims;
(f) Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject;
(g) Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided the Processing is undertaken in accordance with applicable standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation;
(h) Processing is necessary to comply with any regulatory, auditing, accounting, anti-money laundering or counter terrorist financing obligations that apply to a Data Controller or for the prevention or detection of any crime; or
(i) Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where those Personal Data are Processed by a health professional subject under law or rules established by competent bodies to the obligation of confidence or by another person subject to an equivalent obligation.
(2) Subsection (1) shall not apply if —
(a) a permit has been obtained from the Registrar to Process Sensitive Personal Data; and
(b) the Data Controller applies adequate safeguards with respect to the Processing of the Personal Data.