Your company/organisation can only process sensitive data if one of the following conditions is met:
- the explicit consent of the individual was obtained (a law may rule out this option in certain cases);
- an EU or national law or a collective agreement, requires your company/organisation to process the data to comply with its obligations and rights, and those of the individuals, in the fields of employment, social security and social protection law;
- the vital interests of the person, or of a person physically or legally incapable of giving consent, are at stake;
- you are a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, processing data about its members or about people in regular contact with the organisation;
- the personal data was manifestly made public by the individual;
- the data is required for the establishment, exercise or defence of legal claims;
- the data is processed for reasons of substantial public interest on the basis of EU or national law;
- the data is processed for the purposes of preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of EU or national law, or on the basis of a contract as a health professional;
- the data is processed for reasons of public interest in the field of public health on the basis of EU or national law;
- the data is processed for archiving, scientific or historical research purposes or statistical purposes on the basis of EU or national law.
Further conditions may be imposed by national law on the processing of genetic data, biometric data or data concerning health. Check with your National Data Protection Authority.
You can process sensitive data
A doctor sees a number of patients at his clinic. He logs the visit in a database that includes fields such as name/surname of patient, description of symptoms and medication prescribed. That is considered to be sensitive data. The processing of health data by the clinic is allowed under the data protection law because it is required to treat the person and is carried out under the responsibility of a doctor who is subject to an obligation of professional secrecy.
You can’t process sensitive data
Your company sells dresses online. In order to tailor the services to the specific interests of your clients, you ask them to provide you with information about sizes, preferred colour, payment method, name and the address so that the product can be delivered. In addition your company asks for your clients’ political views. You need the majority of the information to fulfil your side of the contract. However, clients’ political views are not a requirement to make and deliver their dresses. Your company cannot ask for that information under that contract.
- Article 9 and Recitals (51) to (56) of the GDPR