Like other privacy laws and regulations, GDPR brings special focus and protection to the processing of sensitive personal data. The regulation terms this Special Category Data.
The regulation treats special category data as data which, by its nature, is particularly sensitive in relation to fundamental rights and freedoms and merits specific protection, because the context of its processing could create significant risks to those rights and freedoms. Such data should not be processed unless the processing falls under one of the specific cases set out in the Regulation. In addition to the specific requirements for such processing, the general principles and other rules of the Regulation continue to apply, in particular the conditions for lawful processing.
What are the types of PI included in Special Category PI as per GDPR?
Article 9(1) of the regulation lists the following as special categories of personal data:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
- genetic data, and biometric data processed for the purpose of uniquely identifying a natural person;
- data concerning health;
- data concerning a natural person's sex life or sexual orientation.
Note: Photographs are special category data only where they are used as biometric data for the unique identification or authentication of a natural person. Processing of photographs in other cases is not to be considered processing of special categories of personal data, because photographs are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.
Legal basis for processing Special Category PI:
Processing of special category data is allowed ONLY if one of the conditions specified in Article 9(2) of the regulation is met. These conditions apply over and on top of the Article 6 conditions, which must still be satisfied as an adequate lawful basis for using any personal information.
A few key conditions are quoted here:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes (except where Union or Member State law provides that the prohibition may not be lifted by the data subject, even with explicit consent);
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law (as authorised by applicable law);
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
Seven other conditions are specified (please refer to Article 9, paragraph 2 of the regulation for full details). These include personal data manifestly made public by the data subject, processing necessary for reasons of public interest in the area of public health, and so on.
Compliance requirements:
Where special category data is processed on a large scale, the regulation additionally mandates the following:
- A controller or processor not established in the Union shall designate in writing a representative in the Union.
- Maintain a record of processing activities, irrespective of the size of the organisation.
- Conduct a formal Data Protection Impact Assessment (DPIA).
- Designate a Data Protection Officer (DPO).