What GDPR says about special categories of data

GDPR restricts how special categories of personal data can be processed. The core principles for data processing as defined by Article 6 still apply, but there are stricter rules of processing special categories of personal data, and additional grounds for processing must be met in order for processing to be lawful.

Article 9.1: There are strict rules for processing special categories of personal data, these categories include:

  • Racial or ethnic origin
  • Sexual orientation
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Information about a person’s sex life

Article 9.2: At least one of these grounds for processing must be met in order for the above categories of special data to be processed lawfully.

  • The data subject has given explicit consent to the processing.
  • The processing is necessary to protect the vital interests of the data subject or another person, and the data subject cannot give consent.
  • The processing is done by a foundation, association, or not-for-profit organization as part of its legitimate activities and with the appropriate safeguards.
  • The processing is of personal data made public by the data subject.
  • The processing is necessary to establish or exercise legal claims or defenses, or is conducted by courts in their judicial capacity.

Specific EU or national laws can also be grounds for lawful processing.

  • The processing is related to employment, social security, or social protection.
  • The processing is necessary for reasons of public interest.
  • The processing is necessary for medical reasons.
  • The processing is necessary for public health.
  • The processing is necessary for archiving purposes.

There is considerable overlap between the standard six grounds for processing (Article 6) and the grounds for processing special categories of personal data.

If the data subject gives explicit consent for processing and/or if the data subject cannot offer consent but processing is in his/her vital interests, then processing is lawful. Processing is also lawful in most cases of legal obligations and/or with official authority, but neither the performance of a contract nor the organization’s legitimate interests are sufficient grounds for lawful processing of these special categories of data.

 

 

Disclaimer

This article is provided for general informational purposes only and is not intended to be legal advice.  By using the article, you agree that the information on this article does not constitute legal or other professional advice. The article is not a substitute for obtaining legal advice from a qualified attorney licensed in your state. The information on the article may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.

 

 

Disclaimer

This article is provided for general informational purposes only and is not intended to be legal advice.  By using the article, you agree that the information on this article does not constitute legal or other professional advice. The article is not a substitute for obtaining legal advice from a qualified attorney licensed in your state. The information on the article may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.