Some articles in the GDPR only apply to certain categories of personal data. Understanding these specialised articles is important if you want to process personal data lawfully. One of the categories that the GDPR gives extra protection is the one that is often called sensitive personal data. In this blogpost, we will examine how this extra protection works.
Published September 15th 2020
Main rule: you are not allowed to process sensitive data
The categories of personal data that are often called “sensitive” are named “special categories of personal data” in the GDPR. The regulation contains an exhaustive list of the categories of personal data that are considered sensitive. These are:
- Racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade union membership,
- Genetic data,
- Biometric data,
- Data concerning health and
- Data concerning a natural person's sex life or sexual orientation.
These categories of personal data are considered extra sensitive because processing them can lead to significant risks for the fundamental rights and freedoms of the data subject.
Certain articles in the GDPR regulate sensitive personal data. They stipulate that, as a main rule, you are not allowed to process sensitive data. This means that you are, for example, not allowed to collect personal data regarding an employee's allergies. Naturally, many businesses must process sensitive data to function. Therefore, there are many exceptions to this main rule. These exceptions give you the right to process sensitive data in certain situations, provided that appropriate safeguards are in place. The exceptions are found partly in the GDPR and partly in national law. We examine some of them under the heading below.
The category of personal data that may cause the most headaches is biometric data. Biometric data is data resulting from specific technical processing of a person's “physical, physiological or behavioural characteristics” which allows or confirms the unique identification of that person, for example the fingerprint template used when you unlock your phone or computer. However, data that could be biometric data is not always classified as such. It is only in certain situations that data is in fact biometric data. A photograph of people, for example, is only biometric data when it is processed with a technique that enables identification or authentication of a person, such as facial recognition. It is, in other words, biometric data processed for the purpose of uniquely identifying a natural person that falls under the special categories.
Generally, all companies, public authorities and organisations process sensitive personal data in some way, even if only for a short period of time. For example, if you are planning a dinner with your employees and you collect information regarding allergies to make sure that everyone can eat what they are served, you collect sensitive data. The fact that a certain employee is allergic to something is data concerning health. You can read more about data regarding health here.
Bear in mind that you must conduct a data protection impact assessment when a processing of personal data is likely to result in a high risk for the data subjects' rights and freedoms. Processing sensitive personal data on a large scale is one of the situations where such an assessment is always required. You can read more about impact assessments here (in Swedish).
Exceptions to the prohibition
Article 9 of the GDPR contains a number of exceptions to the prohibition against processing sensitive personal data. In the situations listed in article 9, you are allowed to process sensitive data, given that you also fulfil the other requirements in the GDPR, such as having a legal basis under article 6 for the processing. The exceptions are as follows:
- The data subject has explicitly given his or her consent to the processing of those personal data for one or more specific purposes.
- The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
- The processing is necessary to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent, e.g. if someone collapses and therefore cannot consent to the processing.
- Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim.
- Processing relates to personal data which are manifestly made public by the data subject. With this exception, it is important to remember that the data subject must have intended to make the information public, e.g. if someone represents a certain political party in a television programme.
- Processing is necessary for the establishment, exercise or defence of legal claims.
- Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law.
- Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
- Processing is necessary for reasons of public interest in the area of public health.
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
There is also a paragraph in the GDPR (article 9(4)) that allows member states to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. This means that national law may contain additional conditions that you must satisfy on top of the GDPR. The conditions and limitations that the member states maintain or introduce are not allowed to hinder the free movement of personal data within the EU.
In addition to the GDPR
Some of the exceptions mentioned above also require a basis in national or EU law, or in a collective agreement, in order to be applicable. This is the case with the following exceptions:
2) employment and social security and social protection law,
7) necessary for reasons of substantial public interest,
8) within preventive or occupational medicine,
9) public interest in the area of public health and
10) archiving purposes, scientific or historical research purposes or statistical purposes.
In Sweden, much of the supplementing legislation is found in the Swedish Data Protection Act (dataskyddslagen), which supplements the GDPR in Sweden. Do not forget to verify the exceptions against national legislation!
Public authorities in Sweden: the Swedish Data Protection Act contains a number of exceptions for public authorities, which means that public authorities often have more exceptions to rely on than private actors. For example, the Act states that…
- Public authorities are allowed to process sensitive personal data if it is necessary for the authority to fulfil its obligation to investigate.
- Public authorities are allowed to process sensitive personal data if it is necessary in order to handle cases.
Sensitive personal data – administrative fine
The Swedish supervisory authority issued an administrative fine on May 11, 2020. The fine was imposed on a public health department, partly on the basis that the department had processed sensitive personal data unlawfully. The sensitive personal data in question was information that a natural person was admitted to a forensic psychiatric clinic and was subject to urine sampling. This information had been published on the department's webpage. The information that someone is admitted to a forensic psychiatric clinic may reveal that the person suffers from a serious mental illness, and the information that someone is subject to urine sampling may reveal that the person has or has had a drug addiction. Both are data concerning health, which is sensitive personal data under the GDPR.
In its reasoning, the supervisory authority noted, among other things, that the department had not identified any exception to the prohibition against processing sensitive personal data that could justify the publication. Because the personal data was sensitive, the publication on the webpage was not considered a minor infringement. For this unlawful processing, the department was fined 120 000 SEK.
You can read the whole decision here, in Swedish.
Not sure how to apply the GDPR?
If you have any questions regarding the GDPR, you are welcome to contact us at firstname.lastname@example.org or 046 – 273 17 17.
You can book a demo of GDPR Hero now to find out how you can make GDPR compliance easier. You can book a demo here.