There are certain types of data that the General Data Protection Regulation (GDPR) considers to be sensitive personal data and therefore classifies them under the special category of personal data.
What are special categories of personal data?
The GDPR distinctly specifies which data is considered sensitive and fall under the special category of data:
- Data related to racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade union membership,
- Genetic data,
- Biometric data for the purpose of uniquely identifying a natural person,
- Health data
- Data concerning an individual’s sex life or sexual orientation
The processing of the abovementioned types of data is prohibited by the GDPR. Of course, there are certain exemptions to the rule.
Exemptions to the prohibition of processing sensitive personal data
There are certain exceptions to the prohibition of the processing of special category data.
Where it is allowed by Union or Member State law and performed under special safeguards to protect personal data and other fundamental rights sensitive personal data can be processed in the field of:
- Employment law
- Social protection law (including pensions)
- Health security reasons
- Protection of vital interest of data subject
- Public health and the management of health-care services
- in the context of a legal claim
- Archiving, research, and statistics (if permissible by law)
- Public interest
Recital 52 explains that processing of special categories of personal data can be allowed when it is permissible by Union or Member State law if sensitive data is protected by suitable safeguards and if the other fundamental rights are protected.
Sensitive data can also be processed if it is in the public interest, in the field of employment law, social protection law including pensions and for health security, monitoring, and alert purposes, the prevention or control of communicable diseases, and other serious threats to health.
When can you process sensitive personal data?
1. Explicit consent
Processing of sensitive personal data is possible if the data subject has given explicit consent to the processing of those data.
An individual can give explicit consent for one or more specified purposes, except where the European Union or Member State decides that the prohibition can not be lifted by the data subject.
2. Employment, social security, and social protection
If the processing of sensitive data is authorized by law, and necessary for exercising the data controller or data subject’s rights. Or if it is necessary for carrying out the obligations related to employment, social security, and social protection law.
In all cases, adequate safeguards for the protection of fundamental rights and interests of the data subject have to be present.
3. Vital interests
Sensitive data may be processed, if it is crucial to protect the vital interests of the data subject or of another individual, and the data subject is physically or legally incapable of giving consent.
4. Not-for-profit bodies
If the processing is carried with appropriate safeguards by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim.
On the condition that the processing relates only to the members, former members, or individuals who have regular contact with it regarding its purposes.
The non-profit body has to make sure that the personal data is not disclosed outside that body without the proper consent of the data subjects.
5. Information made public by the data subject
It is permissible to process sensitive personal data of a data subject if the data subject has already made the data public and accessible
6. Legal claims or judicial acts
Data processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity. Whether in court proceedings or in an administrative or out-of-court procedure.
7. Public interest
The processing of sensitive data is allowed if there is considerable public interest at stake. However, the processing should be permitted by law, and proportionate to the goal that is pursued.
Processing should also be conducted with respect to the right to data protection and provide safeguard measures to the fundamental rights and the interests of the data subject;
8. Health or social care
- The working capacity of the employee,
- Medical diagnosis,
- The provision of health and social care
- Provision of health treatment
- Management of health
- Management of social care systems and services
This processing has to be permitted by Union or Member State law or pursuant to contract with a health professional. Additional safeguards to protect sensitive data have to be provided.
The GDPR also states that the Member States can add further specific conditions and limitations for genetic, biometric, or health data.
Recital 53 deals with the processing of sensitive data in the healthcare and social sector.
9. Public health
The processing of sensitive data is aimed at the prevention or control of contagious diseases and other health threats.
This kind of processing is aimed at cross-border threats to health and ensuring high standards of safety of health care, medicinal products, or medical devices.
Processing in the name of public health has to be based on the EU or Member State law with appropriate measures and safeguards to protect the rights and freedoms of the data subject, in particular, professional secrecy.
10. Archiving, research, and statistics
Processing is done for:
- Archiving purposes in the public interest,
- Scientific or historical research
- Statistical purposes
The processing is done in accordance with Article 89(1) and based on the law, which is proportionate to the goal that wants to be achieved, and with specific measures to safeguard the fundamental rights and the interests of the data subject.
What is the difference between personal data and sensitive personal data?
The difference between personal data and sensitive personal data is that processing sensitive personal data requires additional protection granted by the GDPR, since processing those types of data can involve severe and unacceptable risks for fundamental human rights and freedoms.
Also, for you as a controller or processor, different sets of rules are applied when processing special categories of data.
At the same time, the Member States can also introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data, or data concerning health.
Example of a special category of data
When going through the list of what is considered to be sensitive personal data, there are new terms being introduced and therefore need further clarification:
Example of biometric data
- Facial recognition
- Voice recognition
- Iris scanning
- Palmprint verification
- Retina recognition
Are photographs sensitive personal data?
According to Recital 51, photographs are considered biometric data only when they are processed with a specific means that allow the unique identification of a person in the photo, despite the fact that photography can reveal someone’s racial identity or other sensitive information.
Example of health data
- information gathered during the check-in or registration into a health facility or during the application for a medical treatment
- patient medical history
- information on any disability, illness, medical diagnosis, medical treatment, medical opinions
- results of health tests, medical examination
- fitness tracker data
- appointment details
- medical invoices from which you can find out details about individuals’ health
Example of genetic data
Steps to take when processing sensitive personal data
1. Explore the alternatives
When processing sensitive personal data, the first thing is making sure that there is no other way to achieve the desired goal that would be less intrusive on sensitive personal data of the individual.
2. Ensure the lawfulness of processing
For processing to be lawful, you must be compliant with GDPR Article 6 -Lawfulness of processing.
3. Identify the exemption
Check Article 9 of the GDPR and identify which of the 10 possible exemptions for processing sensitive personal data apply to your case.
If you can not find an appropriate exception for your case, then you will not be able to process sensitive data.
4. Identify additional conditions
If you identified the proper exemption, there are few of them that require further support in EU law or Member State law.
If you want to make sure processing is compliant, contact your supervisory authority and make sure you get acquainted with the regulation and law governing the area of your interest to meet additional conditions.
Take this into consideration if processing data related to employment, social security, and social protection; sensitive data in the public interest; data regarding health, social care, or public health; and archiving research, and statistics.
5. Get familiar with your obligations
Processing special categories of data may entail other obligations, like appointing a DPO, conducting a DPIA, compliance with Article 22 regarding automated individual decision-making, including profiling, and the implementation of suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests.
Make sure you are acquainted with all your obligations. The processing of special category data can affect your other obligations in particular the need for documentation.
6. Conduct the DPIA
The next step will be assessing if you need to complete a data protection impact assessment (DPIA) for any type of processing that is likely to be high risk. Conducting a DPIA is an important aspect of the GDPR accountability obligations of an organization.
7. Document everything
Document the entire process, update your privacy notice, including all relevant information regarding the processing of special category data.
8. Take additional steps
Check with your supervisory authority to find out if there are any additional limitations if you are processing genetic data, biometric data, or data concerning health.