Information about Personal data
Subjectively privacy-sensitive personal data
Subjectively privacy-sensitive personal data is one of the four groups of privacy-sensitive personal data. Unlike sensitive personal data (Article 9 of the GDPR) and personal data relating to criminal convictions and offences (Article 10 of the GDPR), there is no direct provision relating to subjectively privacy-sensitive personal data in the GDPR.
How does the data subject's subjective experience of privacy breaches affect the processing of their personal data?
The data subject may feel uncomfortable when someone else processes certain types of personal data belonging to the data subject. This means that the processing of such types of personal data affects the subjective experience of the data subject in question. Such types of personal data thus constitute so-called subjectively privacy-sensitive personal data.
Examples of personal data that may be subjectively privacy-sensitive personal data
Financial data
Bank account details, credit card numbers, leverage ratio, credit rating, and other financial personal data are something that many individuals feel uncomfortable with when they are processed by unauthorized persons, as it can have major consequences. No financial data constitutes sensitive personal data within the meaning of Article 9 of the GDPR, but may be subjectively privacy-sensitive.
Electronic communications relating to private matters
Emails, MMS, SMS, voice mail, chat messages and similar electronic communications of a purely private nature are examples of subjectively privacy-sensitive personal data. This is because the data subject may feel that it constitutes an infringement of his or her privacy if another person gains access to such private communications with other individuals.
Location data
Many people feel that it is uncomfortable to be monitored by, for example, being localized. The same applies to being filmed when walking in and out of your home, for example through a camera mounted on the neighbor's entrance door.
Performance at work
Information about an individual's work performance usually constitutes personal data of a subjectively privacy-sensitive nature.
Are there specific rules in the GDPR on subjectively privacy-sensitive personal data?
No, there are no explicit specific rules in the GDPR on subjectively privacy-sensitive personal data. However, there are provisions that deal with the processing of personal data that may be perceived as privacy-sensitive by the data subjects. This is because it may have an impact on the practical execution of the processing and the security measures.
A personal data breach involving subjectively privacy-sensitive personal data may have an impact on a notification to the national data protection authority. In addition, this may mean that the data subjects who have been affected by the breach, may need to be informed of the breach. In the form that the company must fill in when notifying the supervisory authority of personal data breaches, the question arises, inter alia, whether the personal data relate to financial information, such as credit card data, or location data, which constitute subjectively privacy-sensitive personal data.
Must the processing of subjectively privacy-sensitive personal data be preceded by an impact assessment before it begins?
An impact assessment may be required before the processing of subjectively privacy-sensitive personal data begins, but this is not a direct requirement in the GDPR legal text.
Companies must carry out an impact assessment before certain types of personal data processing and this may be necessary, for example, when processing credit card numbers or other types of subjectively privacy-sensitive personal data.
Learn more about Personal Data
Processing of sensitive personal data
According to the main rule, it is not allowed to process sensitive personal data under the GDPR, but there are some exceptions. Examples of sensitive personal data are information on religious beliefs, political opinions, data on health, etc. It is important to know that the rules are stricter when processing sensitive personal data than ‘ordinary personal data’. Among other things, the company needs to take sufficient and appropriate organizational and technical security measures to protect the sensitive personal data.