There are certain types of data that the General Data Protection Regulation (GDPR) considers to be sensitive personal data and therefore classifies them under the special category of personal data.
What are the special categories of personal data?
The GDPR distinctly specifies which data is considered sensitive and falls under the special category of data:
- Data related to racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade union membership,
- Genetic data,
- Biometric data to uniquely identify a natural person,
- Health data,
- Data concerning an individual’s sex life or sexual orientation
The GDPR prohibits the processing of the above-mentioned types of data. Of course, there are certain exemptions to the rule.
Exemptions to the prohibition of processing sensitive personal data
There are certain exceptions to the prohibition of processing special category data.
Where it is allowed by Union or Member State law and performed under special safeguards to protect personal data and other fundamental rights, sensitive personal data can be processed in the field of:
- Employment law
- Social protection law (including pensions)
- Health security reasons
- Protection of the vital interests of the data subject
- Public health and the management of healthcare services
- The establishment, exercise, or defense of legal claims
- Archiving, research, and statistics (if permissible by law)
- Public interest
Recital 52 explains that the processing of special categories of personal data can be allowed when it is permissible by Union or Member State law if sensitive data is protected by suitable safeguards and other fundamental rights are protected.
Sensitive data can also be processed if it is in the public interest, in the field of employment law, social protection law, including pensions and for health security, monitoring, and alert purposes, the prevention or control of communicable diseases, and other serious threats to health.
When can you process sensitive personal data?
1. Explicit consent
Processing sensitive personal data is possible if the data subject has given explicit consent to processing those data.
An individual can give explicit consent for one or more specified purposes, except where European Union or Member State law provides that the data subject cannot lift the prohibition.
2. Employment, social security, and social protection
Sensitive data may be processed if the processing is authorized by law and necessary for exercising the data controller’s or data subject’s rights, or if it is necessary to carry out the obligations related to employment, social security, and social protection law.
In all cases, adequate safeguards for protecting the data subject’s fundamental rights and interests have to be present.
3. Vital interests
Sensitive data may be processed if it is crucial to protect the vital interests of the data subject or another individual and the data subject is physically or legally incapable of giving consent.
4. Not-for-profit bodies
Sensitive data may be processed with appropriate safeguards by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim, on the condition that the processing relates only to the members, former members, or individuals who have regular contact with it regarding its purposes.
The non-profit body has to ensure that the personal data is not disclosed outside that body without the proper consent of the data subjects.
5. Information made public by the data subject
It is permissible to process sensitive personal data of a data subject if the data subject has already made the data public and accessible.
6. Legal claims or judicial acts
Sensitive data may be processed where this is necessary for the establishment, exercise, or defense of legal claims, or whenever courts are acting in their judicial capacity, whether in court proceedings or in an administrative or out-of-court procedure.
7. Public interest
The processing of sensitive data is allowed if a considerable public interest is at stake. However, the processing should be legally permitted and proportionate to the goal pursued.
Processing should also be conducted with respect for the right to data protection and provide safeguard measures for the fundamental rights and the interests of the data subject.
8. Health or social care
Sensitive data may be processed where this is necessary for preventive or occupational medicine, for the assessment of:
- The working capacity of the employee,
- Medical diagnosis,
- The provision of health and social care,
- Provision of health treatment,
- Management of health,
- Management of social care systems and services.
This processing has to be permitted by Union or Member State law or under a contract with a health professional. Additional safeguards to protect sensitive data have to be provided.
The GDPR also states that the Member States can add specific conditions and limitations for genetic, biometric, or health data.
Recital 53 deals with processing sensitive data in the healthcare and social sectors.
9. Public health
Sensitive data may be processed where the processing is aimed at preventing or controlling contagious diseases and other health threats.
This kind of processing is aimed at countering cross-border threats to health and ensuring high standards of safety for health care, medicinal products, or medical devices.
Processing in the name of public health has to be based on the EU or Member State law with appropriate measures and safeguards to protect the rights and freedoms of the data subject, in particular, professional secrecy.
10. Archiving, research, and statistics
Sensitive data may be processed for:
- Archiving purposes in the public interest,
- Scientific or historical research,
- Statistical purposes.
Such processing is done under Article 89(1) and must be based on law, be proportionate to the goal pursued, and include specific measures to safeguard the fundamental rights and interests of the data subject.
What is the difference between personal data and sensitive personal data?
The difference between personal and sensitive personal data is that processing sensitive personal data requires additional protection granted by the GDPR, since processing those types of data can involve severe and unacceptable risks to fundamental human rights and freedoms.
Also, for you as a controller or processor, different sets of rules are applied when processing special categories of data.
At the same time, the Member States can also introduce further conditions, including limitations, about the processing of genetic data, biometric data, or data concerning health.
Example of a special category of data
When going through the list of what is considered to be sensitive personal data, new terms are introduced that need further clarification:
Example of biometric data
- Facial recognition
- Fingerprints
- Voice recognition
- Iris scanning
- Palmprint verification
- Retina recognition
Are photographs sensitive personal data?
According to Recital 51, photographs are considered biometric data only when they are processed with specific means that allow the unique identification of a person in the photo, even though photography can reveal someone’s racial identity or other sensitive information.
Example of health data
- information gathered during the check-in or registration into a health facility or during the application for a medical treatment
- patient medical history
- information on any disability, illness, medical diagnosis, medical treatment, medical opinions
- results of health tests, medical examination
- fitness tracker data
- appointment details
- medical invoices from which you can find out details about individuals’ health
Example of genetic data
- chromosomal analysis
- deoxyribonucleic acid (DNA) analysis
- ribonucleic acid (RNA) analysis
Steps to take when processing sensitive personal data
1. Explore the alternatives
When processing sensitive personal data, the first thing is making sure that there is no other way to achieve the desired goal that would be less intrusive on the individual’s sensitive personal data.
2. Ensure the lawfulness of processing
For processing to be lawful, you must be compliant with GDPR Article 6 (Lawfulness of processing).
Identify the lawful basis for personal data processing in your case and ensure your processing is done according to the GDPR principles.
3. Identify the exemption
Check Article 9 and identify which of the ten possible exemptions for processing sensitive personal data apply to your case.
If you cannot find an appropriate exception for your case, you cannot process sensitive data.
4. Identify additional conditions
Once you have identified the proper exemption, note that a few of them require further support in EU law or Member State law.
If you want to make sure processing is compliant, contact your supervisory authority and get acquainted with the regulations and laws governing the area of your interest to meet additional conditions.
Consider this if processing data related to employment, social security, and social protection; sensitive data in the public interest; data regarding health, social care, or public health; and data for archiving, research, and statistics.
5. Get familiar with your obligations
Processing special categories of data may entail other obligations, like appointing a DPO, conducting a DPIA, compliance with Article 22 regarding automated individual decision-making, including profiling, and implementing suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests.
Make sure you are acquainted with all your obligations. The processing of special category data can affect your other obligations, in particular, the need for documentation.
6. Conduct the DPIA
The next step will be assessing if you need to complete a data protection impact assessment (DPIA) for any type of processing that is likely to be high-risk.
Conducting a DPIA is an important aspect of an organization’s GDPR accountability obligations.
7. Document everything
Document the entire process and update your privacy notice, including all relevant information regarding the processing of special category data.
8. Take additional steps
Check with your supervisory authority to find out if there are any additional limitations if you are processing genetic data, biometric data, or data concerning health.
Key Takeaways
In conclusion, the GDPR distinctly identifies sensitive personal data, encompassing various categories such as health, genetics, and biometrics.
While the Regulation generally prohibits processing such data, it allows for specific exemptions under defined circumstances.
These exceptions range from explicit consent and employment-related processing to cases involving vital interests, not-for-profit bodies, public information, legal claims, public interest, health or social care, public health, and archiving, research, and statistics.
It is crucial for organizations to carefully navigate these exemptions, ensuring compliance with legal requirements and safeguarding individuals’ fundamental rights.