GDPR – Processing of sensitive personal data

This update aims to provide you with a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR), applicable as from 25 May 2018. This month’s issue discusses the requirements relating to the use of so-called ‘sensitive data’.

What is 'sensitive data'?

The term ‘sensitive data’ covers personal data revealing:

  • racial or ethnic origin;
  • political opinion;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic and biometric data;
  • health data or data concerning sex life or sexual orientation. 

The categories of sensitive personal data are at large the same as those already covered by the Data Protection Directive (Directive 95/46/EC). It is worth noting that the legislator enlarged the scope of this list taking into account scientific developments, as the GDPR now also covers genetic and biometric data.

Processing of sensitive data under the GDPR

The GDPR endorses the general prohibition of processing of sensitive personal data previously introduced by the Directive. As a result, data controllers are not allowed to process sensitive personal data, unless one of the justifications enumerated in the GDPR is applicable. This is an exhaustive list. Processing of such sensitive data performed in any other situation is therefore considered illegal.

According to the GDPR, processing of sensitive personal data is possible in the following situations:

  1. The data subject has given explicit consent to the processing of those personal data for one or more specified purposes – such consent should be freely given, specific, informed and unambiguous. This means that the data subject must understand that he/she consents to processing of sensitive personal data. What is more, such consent is limited to the processing for the purpose for which it was given. However, in some circumstances the Member States can decide that the prohibition of processing sensitive personal data may not be lifted by the data subject’s consent.
  2. The data controller who is an employer may process sensitive personal data in so far as such processing is authorised by Union or Member State law or a collective agreement. Such provisions allowing processing of s sensitive personal data of the employees by their employers will also provide for appropriate safeguards for the fundamental rights and the interests of the data subjects that should be implemented by the employers.
  3. Vital interests of the data subject or of another natural person are at stake. This exception can only be used by the data controller where the data subject is physically or legally incapable of giving consent.
  4. Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim. Such processing has to relate solely to the members or to former members of the body or to persons who have regular contact with it. The sensitive personal data cannot be disclosed outside that body without the consent of the data subjects. Such bodies have to implement appropriate safeguards of sensitive personal data.
  5. The data subject made manifestly public sensitive personal data which is processed. In such a situation no additional consent has to be given.
  6. The processing is carried out in the frame of judicial proceedings.
  7. The processing is necessary for reasons of substantial public interest. Health data can be processed for reasons of public interest in the area of public health. Such public interest is related to protection against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
  8. The processing of health data is possible when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy and the processing is necessary for the following purposes:

- preventive or occupational medicine;
- assessment of the working capacity of the employee;
- medical diagnosis;
- provision of health or social care or treatment.

However, Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

9.The processing is necessary for archiving purposes in the public interest, statistical, scientific or historical research purposes.

Where the basic derogations are the same as under the Directive, the GDPR introduces new exceptions relating to judicial proceedings and public interest. Where permitted by the law, the processing of sensitive personal data shall:

  • be proportionate to the aim pursued, and
  • respect the essence of the right to data protection.

What is more, the data controller shall provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject whose sensitive data is processed. One of the appropriate safeguards that the data controllers can implement is ‘pseudonymisation’.

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. However, it should be noted that as long as the key allowing to attribute personal data to a certain individual, the processed data is still personal data. Therefore, only the destruction of the key allowing reversal of pseudonymisation would allow such processing to escape the GDPR applicability.

What does the introduction of the GDPR mean for your organisation and how can you prepare for it?

Since the approach to the processing of sensitive personal data remains largely unchanged, the entry into force of the GDPR will not substantially affect the existing practice. However, it could be a good moment to review the practice existing in your organisation, to ensure that no sensitive personal data is processed, unless prior consent was obtained or other exceptions are applicable. This may thus be a perfect opportunity to review your currently implemented privacy safeguards to assure their compatibility with the current standards.