Sensitive personal data - special category under the GDPR

Not every piece of information is considered to be personal data, and the GDPR offers a definition of what qualifies as personal data. Under the GDPR, ‘personal data’ means “any information relating to an identified or identifiable natural person (‘data subject’)”. This means that personal data allows identification of a data subject directly or indirectly, by name, an identification number, location data, an online identifier or the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In short, personal data means any information related to an individual that can be used to identify them directly or indirectly.

Examples of personal data include a person’s name, phone number, bank details and medical history. While it includes the obvious personal information, such as credit card number, email address, name and date of birth, it … There is no definitive list of what is or isn’t personal data, so it all comes down to correctly interpreting the GDPR’s definition. Be aware of what can be included under ‘identifiable natural person’ as part of the definition of personal data. Personal data can seem abstract and trivial, but a lot of it can be very sensitive and even dangerous if left unsecured. The data you hold can be non-personal, personal or sensitive.

Definition under the Data Protection Act 1998 (DPA): data which relate to a living individual who can be identified: (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller; and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Definition under the GDPR: any information relating to an identified or identifiable natural person.

At first glance, the GDPR definition is simpler than the definition of personal data in the DPA 1998. This is a modified concept: the definition of personal data is modified and simplified, and the definition of sensitive personal data is retained and extended to cover genetic data and biometric data. The GDPR also redefines the very meaning of ‘personal data’ compared with the present legislation, so that is worth exploring as well. It will however become much harder to process information about criminal records, which the DPA listed among sensitive data as (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

The GDPR requires that you treat all personal data with care, but it makes a distinction between regular personal data and sensitive personal data. There are two main types of data under the GDPR: personal data and special category personal data. Special category data (sometimes called ‘sensitive’ personal data) is personal data that needs more protection because it is sensitive, so extra care must be taken in relation to it. Sensitive personal data is a special category of data identified under Article 9 and Recital 51 of the GDPR. This data requires a higher degree of protection due to the nature of the information and because the processing of the information could create “significant risks to the fundamental rights and freedoms” of the data … Also, for you as a controller or processor, different sets of rules are applied when processing special categories of data.

Article 9 GDPR: Processing of special categories of personal data. The GDPR distinctly specifies which data is considered sensitive, falls under the special category of data and is subject to specific processing conditions:
• data revealing racial or ethnic origin,
• political opinions,
• religious or philosophical beliefs,
• trade union membership,
• genetic data,
• biometric data for the purpose of uniquely identifying a natural person,
• data concerning health,
• data concerning an individual’s sex life or sexual orientation.

Additionally, according to Recital 51, photographs are considered biometric data only when they are processed with a specific technical means that allows the unique identification of a data subject, despite the fact that a photograph can reveal someone’s racial identity or other sensitive information.

The processing of the abovementioned types of data is prohibited by the GDPR. There are, however, certain exceptions to the prohibition of the processing of special category data. As specified in Article 9, you can still process sensitive personal data if:
• the data subject has given explicit consent to the processing of those data;
• the processing is carried out with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. The non-profit body has to make sure that the personal data is not disclosed outside that body without the proper consent of the data subjects;
• the processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity;
• the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care, the provision of health treatment, the management of health or the management of social care systems and services. Such processing should also be conducted with respect to the right to data protection and provide safeguard measures for the fundamental rights and the interests of the data subject;
• the processing of sensitive data is aimed at the prevention or control of contagious diseases and other health threats. This kind of processing is aimed at cross-border threats to health and at ensuring high standards of safety of health care, medicinal products or medical devices;
• the processing is done for archiving purposes in the public interest, scientific or historical research, or statistical purposes.

At the same time, the Member States can also introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data, or data concerning health. If you cannot find an appropriate exception for your case, then you will not be able to process sensitive data. Additional safeguards to protect sensitive data have to be provided.

Make sure you are acquainted with all your obligations. Make sure your processing is done according to the principles and requirements outlined in Article 5. In addition to complying with all six data protection principles (please see our briefing on GDPR: Data Protection Principles), when processing personal data a data controller must also satisfy at least one processing condition. The grounds for processing personal data under the GDPR broadly replicate those under the DPA. If the data controller is processing sensitive personal data, at least one sensitive personal data processing condition must also be satisfied. Bear in mind that some sensitive personal data can be logged by accident, like referral information from another website that provides sensitive services.
The term ‘personal data’ is used broadly and can include less specific information, such as an IP address. Whatever personal data you process, store it securely, keep the processing proportionate to the goal that is pursued and do not share the data carelessly. While the processing of these two types of personal data is largely the same, there are certain exemptions that we will be covering later in this series, and the conditions for processing have an effect on individuals’ rights, which will also be discussed later in this series.

A common misconception about the GDPR is that all organisations need to seek consent to process personal data. For processing to be lawful, you must fully understand what lawful grounds you have for the processing, and you should only collect the data you need. If you rely on consent, the consent mechanisms used should be reviewed to ensure they meet the higher threshold under the GDPR. Go over what “personal data” and sensitive personal data processing in your particular case is, and update your privacy notice so that it includes all relevant information regarding the processing of sensitive data.

Article 9 also allows processing of special category data where it is necessary for carrying out the obligations and exercising the rights of the controller or of the data subject in the field of employment, social security and social protection law, in so far as it is authorised by law and provides safeguards for the protection of the fundamental rights and interests of the data subject; where the data subject has already made the data public; and where there is a considerable public interest at stake. Processing of health data should be permitted by Union or Member State law or carried out pursuant to a contract with a health professional.

Criminal convictions and offences data is now treated separately and is subject to specific conditions; Article 10 will give you more information on this.