10 cases in which special category data processing is allowed [Article 9 GDPR]

Introduction
Special category data has a dedicated article in the General Data Protection Regulation. Recall that the GDPR aims to protect citizens’ data against misuse or leakage. Supervisory authorities impose severe penalties on any company that shares user data with third parties without permission or processes it without the data subject’s knowledge.
What is important to remember is that the data the GDPR seeks to protect is not all equal in terms of sensitivity or privacy. The more sensitive and private the data, the greater the measures needed to process it. In this article, we will discuss the special categories of personal data in the GDPR and how sensitive they are.
What is personal data?
First of all, what data can we call personal data?
Data that the GDPR considers personal data are data that indicate or lead to the identification of a specific person, such as a name, address or identification number. Some data, if obtained alone, do not lead to the identification of individuals, but if collected together will allow you to identify a specific person. In this case they are considered personal data. For example, take a specific name, say Marian: there are many people in any country with that name. But if we have both Marian and 37 Independence Street, these two pieces of information point to a person named Marian who lives at 37 Independence Street. Here the data is considered personal and therefore falls under the GDPR.
When most people think of personal data, they think of names, phone numbers and addresses. However, personal data covers a whole range of identifiers. You can read more in the dedicated article about personal data.
Which personal data are in special (sensitive) categories
This is personal data, but it is more private and has special dedicated laws and procedures in the GDPR. Special categories of personal data are confidential information about an individual that should not be disclosed or known to anyone because it could expose that individual to a real risk or to incidents of discrimination. We list below the special categories of personal data:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- union membership,
- genetic data,
- biometric data,
- health data (mental and physical),
- sex life,
- sexual orientation.
Data related to the above are considered special category personal data and we will explain each of them in detail.
Data relating to children under the age of 18 also have similar conditions to those required for processing personal data in the special category. However, not all data relating to children under the age of 18 fall into the category of special category personal data.
Criminal records data also have processing conditions similar to those for special category personal data, although they are not classified as special category personal data.
What does GDPR mean by “processing”?
The term “processing” broadly includes most things that can be done with data, such as collecting, recording, storing, modifying, analysing, using (including as a mailing list), sharing, deleting or destroying. Any of these activities is covered by the term “processing”.
Why is special category personal data so sensitive?
You should avoid processing special category personal data if such processing is not necessary. A data protection officer will always stress in GDPR training the importance of paying extra attention to such processing, as leaking even a small part of the personal data in the special category could expose the individual to racism or any other danger. If you need to process special categories of personal data, you will need more safeguards. Special category data can only be processed in certain circumstances, which we will present in this article. If you process this data outside the specific circumstances set out in the GDPR, there will be penalties and fines that may be higher than those that would be imposed in the case of a normal personal data breach.
What is genetic data?
Genetic data is defined in the GDPR text as:
“‘genetic data’ means personal data relating to inherited or acquired genetic characteristics of a natural person which provide unique information about the physiology or health of that natural person and which result, in particular, from the analysis of a biological sample from the natural person concerned”.
On the basis of this definition, any DNA analysis that allows the institution to obtain data indicating a person’s origin or ethnicity is considered genetic data. The same applies to RNA analysis, because RNA is the code that makes up a person’s physical characteristics.
A genetic sample from a person, if not analysed, is not considered personal data. If it is analysed and data is obtained from it that points to a specific person, then it is considered personal data. Genetic analysis can identify a person even when no name is attached, because no two people have identical DNA, so genetic data is special personal data even without a name on it.