Information on health, race/ethnic origin, sexual orientation, and religious and political beliefs is among a special category of data that has been classified as sensitive personal data under the EU’s General Data Protection Regulation (GDPR) and is given a higher degree of protection. This installment of The eData Guide to GDPR discusses how sensitive personal data is defined, under what conditions it can be processed, and what steps businesses can take to ensure compliance with the GDPR’s special protections of sensitive personal data.
Sensitive personal data is a special category of data identified under Article 9 and Recital 51 in the GDPR. This data requires a higher degree of protection due to the nature of the information and because the processing of the information could create “significant risks to the fundamental rights and freedoms” of the data subject. [1]
Specifically, Article 9 identifies the following categories of data that merit special protection as sensitive personal data: health information, race/ethnic origin, sex life or sexual orientation, religious and political beliefs, genetic and biometric data, and trade union membership. (Note that this is the first time biometric and genetic data are given special protection in the European Union. The other categories of data listed in Article 9 were previously protected as sensitive personal data in the EU’s superseded 1995 Data Protection Directive.) Processing of these categories of data is therefore prohibited, absent the specific exceptions identified in Article 9.
Lawful processing of sensitive personal data is only permitted under Article 9 in one of the following circumstances:
The European Commission provides a few example scenarios of what type of data falls within the sensitive personal information data categories, and when processing that data would be lawful:
A doctor logging a patient’s visit and including descriptions of symptoms and medications prescribed. The descriptions of symptoms and medication in this example are sensitive personal health data, and the physician’s office would need to meet one of the exceptions listed in Article 9 in order to lawfully process this data. The commission explains that processing sensitive personal data in this scenario is lawful because it meets the medical exception. The processing of that information is necessary to treat the person and is “carried out under the responsibility of a doctor who is subject to an obligation of professional secrecy”.
The National Statistics Office (a state entity) conducting a public census where a person is obliged to respond by completing an online survey that includes fields such as sex and racial or ethnic origin. Race and ethnic origin information clearly falls within the special category of sensitive personal information. The commission explains that collection of this information is lawful in this situation because it meets the Article 9 public interest exception. “The survey is based on a law which serves a public interest aim and contains safeguards to protect your sensitive data (for example, the data is only accessed by authorised recipients working on the census) your sensitive personal data can be processed by the National Statistics Office.”
A dress company, in order to tailor its services to the specific interests of its clients, asks customers to fill out an online form providing information about sizes, preferred color, payment method, and name and address for delivery. The company also includes a section asking about the customer’s political beliefs. Political belief information clearly falls within the special category of sensitive personal information. The commission explains that it would not be lawful to process that information in this scenario. While the business needs the majority of the information listed in order to fulfill its side of the contract, “the clients’ political views are not a requirement to make and deliver their dresses” and therefore the company cannot lawfully process that information.
A car sharing company can require a customer’s name, address, credit card, and possibly even whether the person has a disability (the disability information would be considered sensitive personal health information under Article 9). However, the company cannot lawfully require a person to disclose his or her racial origin (also considered sensitive personal information under Article 9). The commission explains that, like the example above, the racial origin of a customer is irrelevant to the service being provided by the company, and therefore cannot be lawfully processed as sensitive personal information. “It’s your company/organisation's responsibility as controller to assess how much data is needed and ensure that irrelevant data isn’t collected.”
While these are somewhat straightforward examples using easily identifiable sensitive personal information (race, political beliefs, etc.), the GDPR’s addition of biometric and genetic data to the sensitive personal data category may blur the boundary between specially protected information and regularly protected personal data. The GDPR defines biometric data as “any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their unique identification.”[5] Recital 51 provides some guidance on the subject by explaining that the processing of photographs, for example, “should not systematically be considered to be processing of special categories of personal data, as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.” Conceivably, though, other types of data may now fall into the “sensitive personal information” category via the inclusion of biometric and genetic data. For example, geo-location data collected by a phone application might be considered biometric data because it relates to the physical and, depending on whether the application is tracking a person’s location patterns, behavioral characteristics of an individual. To add to the confusion, Article 9(4) states that member states can maintain or introduce further conditions and restrictions with regard to the processing of genetic, biometric, and health data. Thus, businesses should be aware that the law in this area is vague and may vary among countries.
However, businesses that collect personal data can generally take steps to ensure compliance with Article 9’s special protections of sensitive personal data:
[1] Recital 51: “Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.”
[2] Article 9(2)(d): Processing here is based on the condition that it relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.
[3] Article 9(2)(g): Processing in the furtherance of a public interest is allowed only if the basis is “proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights” of the data subject.
[4] Article 9(2)(j): Processing must be “proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights” of the data subject.
[5] Article 4(14)
[6] Recital 51: “Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.”