GDPR Learning Hub


Sensitive personal data

The GDPR singles out certain personal data as particularly sensitive. They are commonly called “sensitive personal data”, although the GDPR itself uses the term “special categories of personal data”. Stricter rules apply when these data are processed. The special categories are listed in Article 9 of the GDPR.

The following are the special categories of personal data:

  1. Racial or ethnic origin; 
  2. Political opinions;
  3. Religious or philosophical beliefs;
  4. Trade union membership; 
  5. Genetic data; 
  6. Biometric data to uniquely identify a natural person; 
  7. Health data; and
  8. Sex life or sexual orientation.

Is it prohibited to process sensitive personal data under the general rule?

Yes. Under the general rule in Article 9 of the GDPR, processing of sensitive personal data is prohibited. However, the general rule has a number of exceptions, which may allow the processing of sensitive personal data in certain cases.

What are the security requirements for processing sensitive personal data?

When processing sensitive personal data, the company must implement stronger technical and organisational security measures than when processing “ordinary personal data”. Personal data which are not sensitive under Article 9, but which are nevertheless privacy sensitive, must also be processed with a higher level of security than other “ordinary personal data”.

Health data is sensitive personal data that employers process

Employers often need to process employee health data, for example information about sick leave or disability. In addition, sick leave is usually stated on payslips, which means that the payslip must be handled with sufficient security. An employer should therefore not, for example, send the payslip via unencrypted e-mail.

When is the processing of sensitive personal data allowed?

Article 9(2) of the GDPR contains a list of ten exceptions, which allow the processing of sensitive personal data. This means that if one of the exceptions applies, the sensitive personal data may be processed, despite the prohibition under the general rule in Article 9(1) of the GDPR. Below is a list of the 10 exceptions for the processing of sensitive personal data.


Explicit consent (Article 9(2)(a) GDPR)

Where the data subject has given his or her explicit consent to the processing of their sensitive personal data, the data in question may be processed on the basis of this exception.


Labour law, social security or social protection (Article 9(2)(b) GDPR)

If the processing of the sensitive personal data is required by law in the field of labour law or by a collective agreement, it can be carried out on the basis of this exception. However, this applies only provided that appropriate safeguards are put in place in connection with the processing.


Vital interest (Article 9(2)(c) GDPR)

The processing of sensitive personal data is permitted if it is necessary to save lives. In such cases, the legal basis for the processing is the protection of vital interests pursuant to Article 6(1)(d). For example, a hospital may need to take a blood test on an unconscious person who has been brought to the emergency room, in order to give the person the right blood type. As it constitutes data concerning health, it is sensitive personal data. However, this exception may not be used if the data subject is able to give consent, for instance where the person has booked a visit to a doctor and can give or refuse consent.


Non-profit organisation (Article 9(2)(d) GDPR)

Sensitive personal data may be processed within a non-profit organisation, provided that these relate only to members or other persons who have regular contact with the organisation, and the sensitive personal data is not disseminated outside the organisation. For example, this exemption may be used by a non-profit political, religious or trade union organisation.


Clearly disclosed by the data subject (Article 9(2)(e) GDPR)

If the sensitive personal data have been manifestly made public by the data subject, they may be processed on the basis of this exception. An example is an individual who stands as a candidate in an election for a political party, participates openly in interviews and debates, and is otherwise publicly politically active.


Establish, exercise or defend legal claims (Article 9(2)(f) GDPR)

If processing of the sensitive personal data is necessary for the establishment, exercise or defence of legal claims, the processing is permitted. It is also permissible for courts to process sensitive personal data as part of their judicial activities.


Important public interest (Article 9(2)(g) GDPR)

If the processing of the sensitive personal data is necessary for important public interests on the basis of law, and the processing is subject to appropriate safeguards, the processing is permitted under this exception. For example, government agencies may process sensitive personal data to verify or investigate possible grant fraud. Authorities may also in some cases need to process sensitive personal data as part of a background check, for example data on breaches of law, health or political extremism, in order to assess whether an individual is fit to work in a classified profession, such as the police.


Healthcare or social care (Article 9(2)(h) GDPR)

If processing of sensitive personal data is required by law or agreement in order to carry out healthcare or social care, assessment of treatment and work ability, this exemption may apply. However, confidentiality must be applied and special safeguards must be put in place.


Public health reasons (Article 9(2)(i) GDPR)

Under this exception, sensitive personal data may be processed where the processing is necessary for reasons of public health, subject to appropriate technical and organisational safeguards. Examples are ensuring the quality of medicines and protecting against serious cross-border threats to health.


Archiving purposes in the public interest, scientific or historical research or statistics (Article 9(2)(j) GDPR)

If sensitive personal data needs to be processed for archiving purposes in the public interest, scientific or historical research or statistics in accordance with Article 89 of the GDPR, this exception may be used, provided that appropriate safeguards are put in place.

Examples of what does not constitute sensitive personal data:

  • Bank account details;
  • Information on criminal convictions or offences;
  • Personal identification number.


More Information about Personal Data

Processing of personal data relating to criminal convictions and offences

The general rule in Article 10 of the GDPR prohibits the processing of personal data relating to criminal convictions and offences, unless it is carried out by a law enforcement authority. EU Member States are, however, free to regulate how other actors, such as private companies, may process such personal data. Examples of personal data relating to criminal convictions and offences are data concerning someone who has committed a crime, judgments in a criminal case, and criminal law coercive measures, such as travel bans and decisions.
