Under the GDPR, companies are obliged to protect the personal data of data subjects; however, GDPR special category data requires different treatment. What is this special category data, and what rules apply to it?
GDPR special category data refers to especially sensitive personal information about data subjects. If exposed, it could have a significant impact on the rights and freedoms of data subjects, and it could be used for unlawful discrimination.
The following information falls under the GDPR special category data:
- Racial and ethnic information
- Religious or philosophical background
- Political inclination
- Memberships in trade unions
- Biometric data for personal identification
- Genetic data
- Medical records
- Information associated with sexual preferences, sex life, and/or sexual orientation
These data elements are especially sensitive, so there must be a legitimate reason why a company would need to collect, store, transmit or process such data. It is not allowed to collect or process this data unless at least one of the following conditions is met:
- The company has obtained explicit consent from the data subject; or,
- Processing is needed to fulfill obligations and exercise specific rights of the data controller associated with employment, social security, and social protection; or,
- Processing is needed to protect the critical interests of data subjects who are physically or legally incapable of giving consent; or,
- Processing is needed to establish, exercise, or defend legal claims, or for reasons of public interest or public health; or,
- Processing is needed to provide preventive or occupational medicine; or,
- Processing is needed for archiving in the public interest, or for scientific, historical research, or statistical purposes; or,
- The personal data has been manifestly made public by the data subject; or,
- The processing is carried out, with appropriate safeguards, as part of the legitimate activities of an association, foundation, or other non-profit body with a political, religious, philosophical or trade-union aim, on the condition that it relates only to members or former members of the body, or to persons who have regular contact with it in connection with its purposes, and that the personal data is not disclosed outside that body without the data subject's consent.
Article 6 of the GDPR states that personal data processing may only take place when there is a legitimate reason for doing so. Companies need to check the requirements detailed in Article 9 of the GDPR before processing special category data. Article 10 of the GDPR covers especially sensitive personal data related to criminal convictions and offenses. When collecting, storing, processing or transmitting special category data, data controllers need to put additional protections in place to ensure the privacy and security of that information.
The GDPR is now in effect, and stiff financial penalties await companies that are not in compliance. To avoid being penalized, accelerate your GDPR compliance efforts and document all actions taken, so that you can show regulators that your company is in the process of complying with the GDPR.