Sensitive Personal Data

Some categories of data are considered sensitive by the General Data Protection Regulation, also known as the GDPR (for more information check out the Regulation 2016/679 of the European Union or our post about the GDPR), since they are related to fundamental freedoms and rights which merit specific protection by law.

What is sensitive personal data?

According to the GDPR, the following are considered sensitive data:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade-union membership
  • Genetic and biometric data (processed solely to identify a human being)
  • Health-related data
  • Data concerning a person’s sex life or sexual orientation
  • Criminal convictions and offences, when authorised by EU or national law

To be a bit more specific…

The European Regulation 2016/679 (GDPR), which protects this data, defines some of the points above in greater detail.

According to Article 4 of the GDPR:

  • Genetic data are the inherited or acquired genetic characteristics of a person which give personalised information on their health and physiology and which can be obtained from an analysis of a biological sample of the person, especially through DNA and RNA analysis.
  • Biometric data is the data resulting from specific technical processing relating to the physical, biological and behavioural characteristics of a person and which allows the unique identification of that person, e.g. facial images or dactyloscopic data.
  • Data concerning health is the data related to the physical or mental health of a natural person, as well as healthcare provision. More specifically, this data is collected from the person when they sign up for health services and during the provision of such services, e.g. information related to disease, disability, disease risk, medical history, and clinical treatment, regardless of who made the diagnosis (doctor, hospital, medical device).

What is the specific regulatory framework for Sensitive Personal Data?

According to Article 9 of the GDPR, processing the sensitive data we mentioned above is strictly prohibited, unless at least one of the following specific conditions applies:

  • When explicit consent is given by the data subject to process their data for specific purposes. It is, of course, possible that giving consent for any of your sensitive data is prohibited by Union or Member State law (read more about consent in our article about GDPR consent requirements).

For example, the data subject’s consent can be given either with an oral or a written statement, or even with a very unambiguous indication of agreement, such as ticking a box when visiting a website.

  • When processing is necessary to carry out the obligations or exercise specific rights either of the controller or the data subject. More specifically, these obligations and rights relate to the field of labour law or social security and social protection law. In any case, the necessary safeguards for the protection of the subjects’ data and interests should be provided.

For example: When a person orders clothes from an online store, the company can process the shipping address to carry out the delivery.

  • When processing is of great importance for protecting the vital interests of the subjects, in case they are physically or legally incapable of giving consent. More specifically, using the vital interests as justification for the processing should only be done when it has become apparent that the processing can’t be based on any other legal basis. Some types of processing may be based on public interest purposes, but also on the vital interests of the subjects.

For example, this happens when processing is done for humanitarian purposes, such as avoiding or assessing the spread of a pandemic.

  • When processing is done by a foundation, association or non-profit organisation with a political, philosophical, religious or trade union aim during the course of its legitimate activities. The subjects of the sensitive data being processed should be members or former members of the body or people in regular contact with them. Of course, the data must not be published to people outside of the body without the subjects’ consent.
  • When the processing involves sensitive personal data that the subject themselves has explicitly published
  • When processing is necessary in order to establish, exercise or defend legal claims either in judicial or administrative proceedings or in extrajudicial procedures.
  • When processing serves purposes of substantial public interest, based on Union or Member State law which is proportionate to the pursued aim.

This processing should of course respect and provide measures appropriate to the protection of the subject’s freedoms and rights.

For example, during election campaigns, the democratic system enables political parties to collect data on the political opinions of citizens. This is done for public interest reasons.

  • When processing based on Union or Member State law or a contract with a health professional is necessary for:
    • preventive or occupational medicine purposes
    • assessing the working capacity of the employee
    • medical diagnosis
    • providing health and social care or treatment
    • managing health care systems

For example: After each visit with their patients, a doctor records the patient’s full name, a description of their symptoms and the medication they were prescribed, in other words, data that is considered sensitive. The processing of health data by the clinic is allowed under data protection legislation, precisely because it is necessary for the treatment of the individual and is covered by the doctor’s professional secrecy.

  • Processing is necessary for public interest reasons in relation to the area of public health. However, the processing must be based on Union or Member State law, which will provide specific measures to protect the subject’s rights and freedoms, especially professional secrecy. Processing sensitive data related to health should of course not be done by third parties, such as insurance companies, employers, banks etc.

For example, this applies in the case of serious cross-border threats to health, or when ensuring high standards of quality and safety of health care and medicinal products or various medical devices.

  • When processing is necessary for archiving purposes and for scientific, historical or statistical research, which is proportionate to the pursued aim and provides suitable measures to protect the subject’s freedoms and rights.

It should be noted that any of the conditions written above should implement all the basic principles regarding lawful data processing, such as informing the subject about the legitimate data processing purpose and their right to object to it. You can find out more about that in our article about personal data.

National legislation

Member States may simultaneously introduce further provisions with more conditions and restrictions in order to make the processing of genetic, biometric and health data lawful.

Of course, the extent of these restrictions should not be such as to prevent the circulation of personal data within the Union.

Author

Eleni Kostakoglou
Lawyer