GDPR Special Category Data

The EU introduced the General Data Protection Regulations (GDPR) into law on May 25th 2018. The regulations were designed to give individuals in the EU control over their data by changing how the data can be collected, used, and stored by those who handle the information. GDPR has been cited as the most significant change to EU personal data laws since 1995.

Under GDPR, organisations have new responsibilities to their consumers regarding the protection of personal data. However, not all data is treated the same; Article 9 of GDPR outlines ‘special category data’, which can generally be described as particularly sensitive data. Businesses need to follow particular rules when handling this type of information.

It should be noted that while most small businesses are exempt from following GDPR, those that handle information covered by Article 9 are legally required to follow its rules.

What constitutes special category data?

GDPR special category data is defined as data that, if exposed, could significantly impact the rights and freedoms of data subjects and potentially be used against them for unlawful discrimination.

GDPR special category data includes the following information:

  • Race and ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union memberships
  • Biometric data used to identify an individual
  • Genetic data
  • Health data
  • Data related to sexual preferences, sex life, or sexual orientation

Under GDPR, organisations must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. However, some EU member states have an outright ban on any organisation from using any special data even if the subject gave their consent for the organisation to do so.

Under GDPR, organisation are prohibited from collecting or processing special data unless at least one of the following criterion is met:

  • Explicit consent has been obtained from the data subject
  • Processing is necessary in order to carry out obligations and exercise specific rights of the data controller for reasons related to employment, social security, and social protection
  • Processing is necessary to protect the vital interests of data subjects where individuals are physically or legally incapable of giving consent
  • Processing is necessary for the establishment, exercise, or defence of legal claims,for reasons of substantial public interest, or reasons of public interest in the area of public health
  • For purposes of preventive or occupational medicine
  • Processing is necessary for archiving purposes in the public interest, scientific, historical research, or statistical purposes
  • Processing relates to personal data which are manifestly made public by the data subject
  • Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
  • Article 6 of GDPR states that the processing of all personal data must only occur if there is a lawful reason for using the information. Article 9 outlines the requirements that businesses wishing to process special data must fulfil to ensure that they do not accidentally violate GDPR. Article 10 deals with personal data related to criminal convictions and offences separately to other types of special category data.As special category data is particularly sensitive, data controllers and data processors must ensure that additional safeguards are in place to mitigate the risk of an unauthorised individual gaining access to the data.