Special category data has a dedicated article in the General Data Protection Regulation. We recall that the GDPR aims to protect citizens’ data against misuse or leakage. Supervisory authorities impose severe penalties on any company that shares user data with third parties without permission or processes it without the data subject’s knowledge.
What is important to remember is that the data that GDPR seeks to protect is not equal in terms of sensitivity or privacy. The more sensitive, the more private the data, the greater the measures needed to process it. In this article, we will discuss the special categories of personal data in the GDPR and how sensitive they are.
What is personal data?
First of all, what data can we call personal data?
Data that GDPR considers personal data are data that indicate or lead to the identification of a specific person, such as a name, address or identification number. There are data which, if obtained alone, do not lead to the identification of individuals, but if collected together, will allow you to identify a specific person. In this case they are considered personal data. For example, take a specific name, say Marian: there are many people in any country with that name. But if we have Marian and 37 Independence Street, these two pieces of information point to a person named Marian who lives at 37 Independence Street; here the data is considered personal and therefore falls under the GDPR.
When most people think of personal data, they think of names, phone numbers and addresses. However, personal data covers a whole range of identifiers. You can read more in the dedicated article about
Which personal data are in special (sensitive) categories
This is personal data, but it is more private and has special dedicated laws and procedures in the GDPR. Special categories of personal data are confidential information about an individual that should not be disclosed or known to anyone because it could expose that individual to a real risk or to incidents of discrimination. We list below the special categories of personal data:
- Racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- union membership,
- genetic data,
- biometric data,
- health data (mental and physical),
- sex life,
- sexual orientation.
Data related to the above are considered special category personal data and we will explain each of them in detail.
Data relating to children under the age of 18 also have similar conditions to those required for processing personal data in the special category. However, not all data relating to children under the age of 18 fall into the category of special category personal data.
Criminal records data also have similar processing conditions as special category personal data, although they are not classified as special category personal data.
What does GDPR mean by “processing”? The term “processing” broadly includes most things that can be done with data, such as collecting, recording, storing, modifying, analysing, using (including as a mailing list), sharing, deleting or destroying. Any of these activities is covered by the term “processing”.
Why is special category personal data so sensitive?
You should avoid processing special category personal data if such processing is not necessary. A data protection officer will always stress in GDPR trainings the importance of paying extra attention to such processing, as leaking even a small part of the personal data in the special category could expose the individual to racism or any other danger. If you need to process special categories of personal data, you will need more safeguards. Special category data can only be processed in certain circumstances which we will present in this article. If you process this data outside those specific circumstances set out in the GDPR, there will be penalties and fines that may be higher than those that would be imposed in the case of a normal personal data breach.
What is genetic data?
Genetic data is defined in the GDPR text as:
“‘genetic data’ means personal data relating to inherited or acquired genetic characteristics of a natural person which provide unique information about the physiology or health of that natural person and which result, in particular, from the analysis of a biological sample from the natural person concerned”.
On the basis of this Article, any DNA analysis that allows the institution to obtain data indicating a person’s origin or ethnicity is considered genetic data. The same applies to RNA analysis, because RNA is the code that makes up a person’s physical characteristics.
The genetic sample from a person, if not analysed, is not considered personal data, but if it is analysed and data is obtained from it that points to a specific person, then in this case it is considered personal data. Genetic analysis can identify a person without even having a name on it, because no two people have identical DNA, so genetic data is special personal data even without a name on it.
What are biometrics?
Biometrics are identified in the context of GDPR as:
“biometric data” means personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data”.
What is the significance of fingerprint data? Fingerprint data is data related to fingerprints. Any service or company that takes fingerprints of its users follows special category data processing procedures. For example, if your company produces fingerprint door keys, then you need to treat your customer data as special category data. A facial print is also biometric data.
Fingerprints and faceprints are not the only examples of biometric data. Any information that does not match between two people is considered biometric data. Biometric data include physical, physiological and behavioural biometric identification techniques, all of which are considered special or sensitive data.
Examples of physical or physiological biometric data:
- iris scanning,
- retinal analysis,
- voice recognition,
- ear shape recognition.
Any biometric data is personal data and in many cases special category data, because it is possible to identify a specific person. If you process biometric data to identify a person for the purpose of making a decision about them or to treat them in a different way, the biometric data changes from personal data to special category data, so you will need to rely on one of the special cases for processing it, as mentioned in Article 9 of the GDPR.
Health data – Special personal data
Health data is described in the GDPR text as follows:
“health data means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about the state of that person’s health”.
Health data is not just the current health status of the individual, but everything related to the individual’s health history, such as chronic diseases, previous surgeries, previous illnesses and medical tests.
Data on criminal convictions and offences
If the statements are mere accusations without a final court decision convicting the person, then they are not considered special category data. However, these data should be treated with caution.
Racial or ethnic origin
This part aims to protect people against discrimination on grounds of their origin. The term ‘racial origin’ refers to a person’s genetic background, while the term ‘ethnic origin’ refers to the culture of the group to which a person belongs, including its customs, history and language.
Sex life and sexual orientation
The GDPR aims in this article to combat any discrimination resulting from the sexual orientation of individuals. Any information about a person’s sexual orientation, such as whether the person is heterosexual, bisexual, homosexual or transgender, is treated as special category personal data. Therefore, any information about a person’s marriage history may lead to the disclosure of their sexual orientation and therefore the date of marriage is also considered special category personal data.
Religious and philosophical beliefs
This part of the GDPR aims to protect citizens’ beliefs so that they are not discriminated against. All religions or secular beliefs are covered by the GDPR.
All of the above data may only be processed under certain circumstances.