According to Article 6 (1c) of the Regulation (EU) 2016/679 (General data protection regulation – GDPR), the processing of personal data is legitimate when necessary for compliance with a legal obligation to which the controller is subject. In principle, the GDRP (Article 9(1)) prohibits the processing of special categories of personal data, the so-called “sensitive” data which for instance cover health data. However, subject to the provision of appropriate safeguards for the fundamental rights and interests of the data subject, EU or Member States law may for reasons of substantial public interest lay down exemptions (Article 9(2)(g) of the GDPR). The prohibition of processing sensitive data may also be lifted in the case of explicit consent from the data subject (i.e. the participant). Therefore, if collecting data on health (such as HIV or COVID patients) is required for either the collection of common or programme-specific indicators, or for control or audit purposes (e.g. to assess the eligibility of participants), the 2021-2027 Common Provisions Regulation (CPR) (Article 4) provides a legal basis for the legitimate processing of this data as per the GDPR. However, national legislation on data protection may be more restrictive. It is therefore recommended that managing authorities pro-actively seek advice from their national data protection authorities about how to comply with the data processing obligations set out in the GDPR and in national legislation. It may indeed be the case that in order to fulfil the ESF+ monitoring requirements, some Member States have to issue new pieces of legislation to make the data collection lawful. On a side note, please consider that datasets can be pseudonymised (e.g. by using an artificially created unique ID number, which can be dissociated from the personal data via an encryption scheme).
Answer