AB872,5,1311 (f) The processing is conducted to detect security incidents; to protect against
12malicious, deceptive, fraudulent, or illegal activity; or to prosecute a person
13responsible for that activity.

AB872,5,1514 (g) The controller or a 3rd party has a legitimate ground to process the personal
15data.

AB872,5,17 16(3) Processing of certain types of personal data. (a) Except as provided in
17par. (b), a controller or processor may not process any of the following:

AB872,5,1918 1. Personal data revealing a consumer's racial or ethnic origin, political
19opinions, religious or philosophical beliefs, or trade union membership.

AB872,5,2120 2. Genetic data, data concerning health, or personal data concerning a
21consumer's sex life or sexual orientation.

AB872,5,2322 3. Biometric data, if the purpose of the processing is to uniquely identify a
23consumer.

AB872,5,2524 (b) A controller or processor may process information described in par. (a) if any
25of the following applies:

AB872,6,2

11. The processing is conducted for a purpose to which the consumer explicitly
2consents.

AB872,6,33 2. The processing is necessary for complying with a legal obligation.

AB872,6,64 3. The consumer is physically or legally incapable of giving consent and the
5processing is necessary to protect the vital interests of the consumer or another
6individual.

AB872,6,87 4. The processing is conducted by a nonprofit organization having a political,
8philosophical, or religious purpose and all of the following applies:

AB872,6,119 a. The processing relates only to members or former members of the
10organization or to persons who have regular contact with the organization related
11to the organization's purposes.

AB872,6,1212 b. The personal data processed is not disclosed outside the organization.

AB872,6,1313 5. The processing relates to personal data that the consumer makes public.

AB872,6,1514 6. The processing is necessary for establishing, exercising, or defending a legal
15claim or a court authorizes the processing.

AB872,6,1616 7. The processing is necessary for reasons of substantial public interest.

AB872,6,2017 8. The processing is necessary for reasons of public interest in the area of public
18health, if the personal data is processed by or under the responsibility of a
19professional subject to confidentiality obligations under federal, state, or local law
20and any of the following applies:

AB872,6,2221 a. Processing the personal data is necessary to provide health care or treatment
22to a person in a medical emergency.

AB872,6,2523 b. Processing the personal data is necessary to protect against serious threats
24to health or for ensuring the quality and safety of health care, medical products, or
25medical devices.

AB872,7,2

19. The processing is necessary for archiving purposes that are in the public
2interest, scientific or historic research purposes, or statistical purposes.

AB872,7,5 3(4) Request to restrict processing of personal data. (a) Except as provided
4in par. (c) 1., upon a consumer's request, a controller may store but may not otherwise
5process the consumer's personal data if any of the following applies:

AB872,7,66 1. Processing the personal data is unlawful.

AB872,7,87 2. Storing the personal data is necessary for the consumer to establish,
8exercise, or defend a legal claim.

AB872,7,109 3. The controller has no legitimate ground to process the personal data that
10overrides the consumer's request.

AB872,7,1711 (b) If a controller is required under par. (a) to not process, other than by storing,
12a consumer's personal data and the controller has disclosed the personal data to
13other controllers, the controller shall notify each recipient to whom the controller
14disclosed the personal data about the consumer's request under par. (a), unless
15notification is impossible or involves unreasonable effort. Except as provided in par.
16(c) 1., upon receiving the notice, a controller may store but may not otherwise process
17the consumer's personal data if any of the conditions of par. (a) applies.

AB872,7,1918 (c) 1. Paragraphs (a) and (b) do not prohibit a controller from processing, other
19than by storing, a consumer's personal data if any of the following apply: