Extra sensitive data, or special categories of personal data, is data that is considered extra worthy of protection, like information about health, ethnic origin or political opinions. Learn what is defined as extra sensitive and the basics of how to protect the data.
What is extra sensitive data?
Extra sensitive data is personal data that, by its nature, is sensitive in relation to fundamental rights and freedoms. This data is considered extra worthy of protection. The context of its processing could create significant risks to an individual’s fundamental rights and freedoms.
Extra sensitive data is regulated in Article 9 GDPR and includes eight categories of data for which processing is prohibited as a general rule. Thereafter Article 9 (2) GDPR states ten exceptions from when the processing is prohibited. The categories of personal data that are covered are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data or biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person’s sex life
- Sexual orientation
Note that recital 51 of the GDPR suggests that photographs only will be seen as extra sensitive data to the extent that they can identify an individual as a biometric, for example, when being used in an electronic passport. A decision from the Swedish supervisory authority on facial recognition by video recording in a public school resulted in Sweden’s first GDPR fine on approximately EUR 20 000.
Keep in mind that there is a broad ability for Member States to add new conditions (including limitations) on the processing of genetic, biometric or health data.
Looking for a practical guide to the DPO role?
The book Data Protection Officer provides a practical guide to the DPO role, encompassing the key activities you’ll need to manage to succeed in the role. Coverage includes data protection fundamentals and processes, understanding risk and relevant standards, frameworks and tools, with DPO tips also embedded throughout the book and case studies included to support practice-based learning.
Available as an e-book and paperback. Get a preview or free sample: Data Protection Officer (BCS Guides to It Roles)
How to process extra sensitive data
The categories of personal data listed above are consequently prohibited to use, unless any of the criteria’s in Article 9(2) are applicable. Before you start processing extra sensitive data it is always a good idea to conclude an advance consultation of your impact assessment (as set out in Article 36 GDPR). This applies especially when using new techniques (see Article 35 GDPR). The situations that may justify the processing of extra sensitive data are:
· Explicit consent
You are allowed to process extra sensitive data if you have explicit consent from the data subject for one or more specific purposes. Consent can also be prohibited by a Member State or EU in specific matters. When using “consent” make sure that the new criteria’s for valid consent are met.
· Employment, social security and social protection (if authorised by law).
Processing necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement is allowed if it is authorized by law.
· Vital interests.
If processing is necessary to protect the vital interests of the data subject or of another individual when the data subject is physically or legally unable to give consent.
· Non-profit bodies.
Processing under the course of legitimate activities by a foundation, association or another non-profit body with a political, philosophical, religious or trade union aim. The condition is that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes. Also, if the body wants to disclose the data outside the body it needs consent from the data subjects.
· Data manifestly made public by the data subject.
This is a legal basis that allows processing if the data subject themselves makes the extra sensitive data public.
· Legal claims or judicial acts.
Processing is valid if it is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
· Substantial public interest.
Processing is valid under reasons of substantial public interest with a basis in law. As a result the Member States can decide the circumstances for the processing of extra sensitive data. Although, the Member States law has to be appropriate to the aim pursued and contain appropriate safeguards measures. Note that some Member States have lists in the law of what public interest is. Examples of this is journalism, academia, art, literature, anti-doping in sport or statutory or government purposes and so forth
· Health or social care with a basis in law.
The processing is valid if it is necessary for occupational or preventative medicine or for assessing the working capacity of the employee. The processing must have a base in Member State law or a contract with a health professional. Note that this ground needs obligations of confidentiality between the parties.
· Public health with a basis in law.
Processing is necessary for reasons of public interest in the area of public health, to protect against serious cross-border threats to health, or to ensure high standards of quality and safety of health care and of medicinal products or medical devices. Note that this ground needs obligations of confidentiality between the parties.
· Archiving, research and statistics with a basis in law.
When the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in Article 89(1).
Conclusion
In order to process extra sensitive data you will have to use Article 9 in combination with Article 6. Some grounds in Article 9(2) are similar to the Article 6 grounds, but not all. You will also have to consider what type of data it is that you are dealing with.