Sensitive data of the GDPR

Art. 9 and Art. 10 GDPR list particular categories of data, of which processing is subject to stricter regime.

The special categories of data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a natural person’s sex life or sexual orientation.

In principle, it is prohibited to process such data, unless:

  • the data subject gave an explicit consent for such processing,
  • the data subject made such personal data manifestly public or when the processing is necessary for:
  • fulfilling the controllers’ legal obligations and rights (e.g., employment, security)
  • protecting the vital interest of an individual who is not able to give his/her consent (e.g., physical or legal incapacity)
  • carrying out legitimate activities by foundations, associations or other non-for-profit organizations with political, philosophical, religious or trade-union aims
  • the establishment, exercise or defense of legal claims, or whenever courts are acting in their judicial capacity,
  • public interest reasons
  • preventive or occupational medicine purposes, assessment of employees’ working capacity, medical diagnosis, provision of health or social care or treatment or the management of health or social care systems and services
  • public interest reasons in public health area
  • archiving purposes in the public interest, scientific or historical research or statistical purposes.

Also processing of personal data relating to criminal convictions and offences or related security measures is subject to limitations. Namely, such processing may only be carried out under the control of official authority, or when it is authorized by law. It is stressed that any comprehensive register of criminal convictions may be kept under the control only of official authority.