GDPR’s Special Categories of Personal Data
The GDPR places special restrictions on the processing of certain special categories of sensitive personal data. This special data includes race, ethnic origin, health data, genetic data, certain biometric data, information about sex life or sexual orientation, political opinions, religious beliefs, philosophical beliefs, and trade union membership. Recital 51 describes this sensitive personal data as meriting special protection because processing could create significant risks to fundamental rights and freedoms.
How can special data be processed?
Processing of this data is restricted by Article 9 unless it falls within one of a list of conditions, such as when the data subject has given explicit consent for the specified purpose and the member state has not banned consent as an option for allowing processing of this type of special data.
What does the list of sensitive personal data from GDPR Article 9 include?
– data revealing racial or ethnic origin;
– data revealing political opinions;
– data revealing religious beliefs;
– data revealing philosophical beliefs;
– trade union membership;
– genetic data;
– biometric data for the purpose of uniquely identifying a natural person;
– data concerning health; and
– data concerning a natural person’s sex life or sexual orientation.
How can individual member states modify the GDPR on special data?
The GDPR gives member states the ability to eliminate consent as a justification for lawful processing of these types of data.
Just as a member state can decide to remove consent as a valid reason for processing this type of special data, it can also provide for the processing of this data for reasons that fit within this section: a substantial public interest proportionate to the aim, that respects the essence of the data privacy rights, and contains specific safeguards for the rights and interests of the data subject.
The GDPR has also given member states the ability to impose further limitations on the processing of health data, including genetic and biometric data.
What is excluded from special data?
Article 9 largely excludes legal proceedings and judicial actions from the special protections for these categories of data. Ultimately, one might expect that the judiciary has developed or will develop its own protections for this information.
The treatment of health conditions by a licensed professional adhering to necessary conditions is removed from this section for processing special data. However, it does not by its terms remove it from the more general prohibitions on processing data without an exemption from Article 6.
This section largely removes necessary processing of health data for public health reasons in member states which have suitably provided protections. However, it does not by its terms remove it from the more general prohibitions on processing data without an exemption from Article 6.
Member states can also require archiving of certain information in the public interest. Article 89 sets forth the conditions and safeguards for this sort of processing, including data minimisation and pseudonymisation.
Also excluded is processing necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent. The paradigm case here is processing health data (such as blood work) in order to save the life of a person who is found unconscious and is unable to give consent. It would also cover a person who no longer has the capability to legally consent.
Also excluded from Article 9 is personal data manifestly made public by the data subject. If a person puts this sort of information in the public domain, then it can be processed without consent. So information about the political views of a politician is ripe for handling under this section. However, this may ultimately be tricky depending on how the phrase “manifestly made public” is interpreted. For example, does an actor or actress manifestly make public their race when they are on TV?