Page Contents

Answer

The following special categories of personal data are deemed ‘sensitive’ and get specific protection under the General Data Protection Regulation (GDPR):

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • processing of genetic data;
  • biometric data for the purpose of uniquely identifying a natural person;
  • health;
  • sex life or sexual orientation.

As a general rule, processing of the types of data listed above is prohibited. However, under certain derogations  a company or organisation may be allowed to process sensitive personal data, when for example:

  • you have made your sensitive data manifestly public;
  • you have given your explicit consent;
  • there is a law which governs a specific type of data processing for a specific purpose related to public interest or health;
  • a law including adequate safeguards provides for the processing of sensitive personal data in areas such as public health, employment and social protection.

Example

The National Statistics Office (a State entity) organises a public census every 5 years. You receive a link to a survey that you’re obliged to fill in. It includes fields such as sex and racial or ethnic origin. In such a situation, since the survey is based on a law which serves a public interest aim and contains safeguards to protect your sensitive data (for example, the data is only accessed by authorised recipients working on the census) your sensitive personal data can be processed by the National Statistics Office.

References

  • Article 9 and Recitals (51) to(56) of the GDPR