Introduction

Special category data has a dedicated article in the General Data Protection Regulation. We recall that the GDPR aims to protect citizens’ data against misuse or leakage. Supervisory authorities impose severe penalties on any company that shares user data with third parties without permission or processes it without the data subject’s knowledge.

What is important to remember is that the data that GDPR seeks to protect is not equal in terms of sensitivity or privacy. The more sensitive, the more private the data, the greater the measures needed to process it. In this article, we will discuss the special categories of personal data in the GDPR and how sensitive they are.

What is personal data?

First of all, what data can we call personal data?

Data that the GDPR considers personal data are data that identify, or lead to the identification of, a specific person, such as a name, address or identification number. Some data, taken alone, do not identify an individual, but when combined allow a specific person to be identified; in that case they are also considered personal data. For example, take a specific first name, say Marian: there are many people in any country with that name. But if we have both “Marian” and “37 Independence Street”, these two pieces of information together point to a particular person named Marian who lives at 37 Independence Street. Here the data is considered personal data and therefore falls under the GDPR.

When most people think of personal data, they think of names, phone numbers and addresses. However, personal data covers a whole range of identifiers. You can read more in the dedicated article about personal data.

Which personal data are in special (sensitive) categories

This is personal data, but it is more private and has special dedicated laws and procedures in the GDPR. Special categories of personal data are confidential information about an individual that should not be disclosed or known to anyone because it could expose that individual to a real risk or to incidents of discrimination. We list below the special categories of personal data:

  • Racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • union membership,
  • genetic data,
  • biometric data,
  • health data (mental and physical),
  • sex life,
  • sexual orientation.

Data related to the above are considered special category personal data and we will explain each of them in detail.

Data relating to children under the age of 18 also have similar conditions to those required for processing personal data in the special category. However, not all data relating to children under the age of 18 fall into the category of special category personal data.

Criminal records data also have similar processing conditions as special category personal data, although they are not classified as special category personal data.

What does the GDPR mean by “processing”? The term “processing” broadly includes most things that can be done with data, such as collecting, recording, storing, modifying, analysing, using (including as a mailing list), sharing, deleting or destroying. Any of these activities falls under the term “processing”.

Why is special category personal data so sensitive?

You should avoid processing special category personal data if such processing is not necessary. A data protection officer will always stress in GDPR trainings the importance of paying extra attention to such processing, as leaking even a small part of special category personal data could expose the individual to racism or other danger. If you need to process special categories of personal data, you will need additional safeguards. Special category data can only be processed in certain circumstances, which we will present in this article. If you process this data outside the specific circumstances set out in the GDPR, there will be penalties and fines, which may be higher than those imposed for a breach involving ordinary personal data.

What is genetic data?

Genetic data is defined in the GDPR text as:

“‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”.

On the basis of this Article, any DNA analysis that allows an institution to obtain data indicating a person’s origin or ethnicity is considered genetic data. The same applies to RNA analysis, because RNA is the code that makes up a person’s physical characteristics.

A genetic sample from a person, if not analysed, is not considered personal data; but if it is analysed and data that points to a specific person is obtained from it, then it is considered personal data. Genetic analysis can identify a person even without a name attached, because no two people have identical DNA, so genetic data is special category personal data even when no name accompanies it.

What are biometrics?

Biometric data are defined in the context of the GDPR as:

“‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.

What is the significance of fingerprint data? Fingerprint data is data relating to fingerprints. Any service or company that takes its users’ fingerprints must follow the special category data processing procedures. For example, if your company produces fingerprint door locks, you need to treat your customer data as special category data. A faceprint is also biometric data.

Fingerprints and faceprints are not the only examples of biometric data: any characteristic that is unique to an individual and differs between any two people can be biometric data. Biometric data includes physical, physiological and behavioural biometric identification techniques, all of which are considered special or sensitive data.

Examples of physical or physiological biometric data:

  • iris scanning,
  • retinal analysis,
  • voice recognition,
  • ear shape recognition.

Any biometric data is personal data and in many cases special category data, because it makes it possible to identify a specific person. If you process biometric data to identify a person in order to make a decision about them or to treat them differently, the biometric data moves from ordinary personal data to special category data, so you will need one of the specific conditions set out in Article 9 of the GDPR in order to process it.

Health data – Special personal data

Health data is described in the GDPR text as follows:

“health data means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about the state of that person’s health”.

Health data is not just the current health status of the individual, but everything related to the individual’s health history, such as chronic diseases, previous surgeries, previous illnesses and medical tests.

Data on criminal convictions and offences

If the statements are mere accusations without a final court decision convicting the person, then they are not considered special category data. However, these data should be treated with caution.

Racial or ethnic origin

This part aims to protect people against discrimination on grounds of their origin. The term ‘racial origin’ refers to a person’s genetic background, while the term ‘ethnic origin’ refers to the culture of the group to which a person belongs, including its customs, history and language.

Sex life and sexual orientation

The GDPR aims in this article to combat any discrimination resulting from the sexual orientation of individuals. Any information about a person’s sexual orientation, such as whether the person is heterosexual, bisexual, homosexual or transgender, is treated as special category personal data. Because information about a person’s marriage history may reveal their sexual orientation, the date of marriage is therefore also considered special category personal data.

Religious and philosophical beliefs

This part of the GDPR aims to protect citizens’ beliefs so that they are not discriminated against. All religions or secular beliefs are covered by the GDPR.

All of the above data may only be processed under certain circumstances.


10 cases in which special categories of data (sensitive data) may be processed

Special categories of personal data may be processed in certain cases, as described in Article 9 of the GDPR, and these cases are:

  1. Explicit consent. The first case in which the processing of special categories of data is allowed is when consent is obtained from the data subjects. Consent must meet the basic conditions laid down by the GDPR for any consent: the data subject must have given it freely, it must be clear, and it must be revocable. These conditions apply to any consent, whether explicit or not. Explicit consent carries additional requirements beyond these, such as:
  • consent must be confirmed by the data subject with an official statement, whether oral or written,
  • the type of sensitive data to be processed must be indicated,
  • the declaration must be separate, meaning there must be no other declarations alongside it.

You must be able to prove that you obtained consent without exploiting the data subject. If you provide a service to someone and there is a way to provide this service other than by processing special category data, then you are not entitled to obtain explicit consent and process that data. For example, suppose you provide a service through an app and offer fingerprint unlock as a form of protection for your users, while other forms of protection, such as a pattern or password, are available; if you nevertheless force users to use the fingerprint to open your app and use your service, then even if you obtain explicit consent for the special category data (the fingerprint), you violate the GDPR, because you leave users no other option.

  2. Employment, social security and social protection legislation

The GDPR allows employers to process special category data for employment purposes, under Article 9, which provides that:

“processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of employment and social security and social protection law, insofar as it is authorised by Union or Member State law or by a collective agreement in accordance with the law of a Member State providing adequate safeguards for the fundamental rights and interests of the data subject.”

The business owner may process special category data for the following purposes:

  • ensuring that the natural person is qualified to work in the European Union;
  • ensuring the health of the future employee and that they do not suffer from illnesses that may prevent them from working.

You must be able to demonstrate that the processing of this data is necessary, and you must not obtain more data than you need through the processing.

We remind you of the rights conferred by the GDPR on data subjects, as well as the position of the data controller with regard to requests from data subjects, in the article “GDPR – data subject rights. When do we respond and when don’t we?”.

  3. Vital interests

Article 9 provides as follows:

“The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.”

Vital interests are interests that are essential to the life of an individual. This provision of the GDPR applies only if the data subject is unable to give explicit consent, for either legal or physical reasons. This does not mean that you should not ask for consent: you should still ask for the data subject’s consent, and only if he or she is unable to give it can you rely on vital interests as the special case.

An example of a vital interests case: a person is found on the road after an accident and taken to hospital, and the doctor decides that emergency surgery is needed, but the person has fainted and is unconscious and so cannot give explicit consent for the hospital to access their medical history. In this case, vital interests can be used as the exception allowing the surgery to proceed.

  4. Non-profit organisations

Article 9 of the GDPR also reads as follows:

“The processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, an association or any other body which is non-profit-making and of a political, philosophical, religious or trade-union nature and provided that the processing relates to members or former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.”

In this case, non-profit organisations may process sensitive data because the processing in question is not carried out for the benefit of the processor. However, not all operations carried out by not-for-profit organisations fall into this case: the not-for-profit organisation must clarify the outcome and social benefits of processing data in the special category.

This provision can be used if you are a non-profit organisation such as a church, charity or club.

Important! Do not share data with third parties without the permission of the data owner.

Example: Charities can process data on poor people who receive assistance from the organisation, but if the organisation publishes reports on its activities, it must obtain permission to write the names of these people in those reports.

  5. Made public by the data subject

Article 9 also provides that special categories of personal data may be processed in the following cases:

“processing relates to personal data which are manifestly made public by the data subject”.

Of course, if a person makes their private data public themselves by any means, the GDPR will not penalise those who process this data, as it is no longer special or private. But you need to make sure that the person published their private data themselves, and not someone else or someone impersonating them. You also need to make sure that the person made this private data available to everyone and did not target it at a specific group. For example, if a person posts data about their health on Facebook but restricts the audience to their friends, and you are not one of their friends, then you do not have the right to process this person’s data.

So, when processing private data that is made public by an individual, you need to be careful about the following:

  • Is the person who made their data public the same person or someone else?
  • Did the person make their details public intentionally or was this done by mistake?
  • You must keep evidence that the data you have processed had been made public, so that you can prove this when asked.

  6. Health or social assistance

Article 9(2)(h) allows you to process special categories of data if:

“processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the employee’s ability to work, for medical diagnosis, for the provision of medical or social care or treatment or for the management of health or social care systems and services under Union or Member State law or under a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”.

Sensitive personal data may be processed without express authorisation for the following purposes:

  • preventive or occupational medicine;
  • assessing an employee’s work capacity;
  • medical diagnosis;
  • the provision of medical care or treatment;
  • provision of social assistance (may include social care, personal care and social support).

When you process sensitive data for one of these purposes, you must prove that the processing was necessary and that you had no choice but to process that data. Also, you must not obtain more information than you need through the processing.

  7. Legal claims. The processing of special category data is also permitted for the establishment, exercise or defence of legal claims in court, or whenever the courts act in their judicial role.
  8. Substantial public interest. There are situations where the processing of special categories of personal data is necessary for reasons of substantial public interest.
  9. Public interest in public health. There are also situations where processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, under Union or national law.
  10. Archiving, research and statistics. Article 9 of the GDPR – Processing of special categories of personal data, provides:

“processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the right to data protection and provide for adequate and specific measures to protect the fundamental rights and interests of the data subject”.

This provision does not cover all research: the research must be in the public interest and not, for example, for commercial or private purposes. Funded research or public opinion research is also allowed.


Conclusions

As seen throughout the article, special categories of personal data are numerous and require special attention. Knowledge of Article 9 of the General Data Protection Regulation is absolutely mandatory as it sets out the cases in which the processing of special categories of data is lawful. Consequently, processing special categories of data in other situations is unlawful and attracts sanctions.

If you need help with GDPR compliance, either through GDPR consulting or outsourced DPO services, contact us at contact@gdprcomplet.ro and schedule a meeting with one of the GDPR experts on the GDPR Complete team.