GDPR: what should I keep in mind when processing special categories of personal data?

Special categories of personal data (sensitive personal data)

Some personal data belong to the group of “special categories” of personal data: these are personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, membership of a trade union, genetic data, biometric data, data about health or someone's sexual behavior or sexual orientation. These are personal data that are so sensitive that they should only be processed in very specific cases. 

  • Race
    • E.g. Caucasian
  • Political views
    • E.g. even of well-known politicians
  • Religious or philosophical beliefs
    • Even location data (e.g. church visits) can indirectly reveal information about someone’s religious or philosophical beliefs
  • Trade union membership
  • Genetic data
    • Genetic data are personal data relating to inherited or acquired genetic characteristics of a natural person, and which provide unique information on the physiology or health of that natural person, by analyzing biological sample of that natural person. E.g. hereditary and genetic characteristics. 
  • Biometric data
    • Biometric data are personal data which result from a specific technical processing relating to physical, physiological or behavior related characteristics of a natural person, allowing unambiguous identification of that natural person, like facial photos or fingerprints.
      • Physical/physiological: DNA, fingerprints, detailed facial photos, shape of the ear/ hand, iris scans, …
      • Behavior related characteristics: eye tracking, walking or running pace, signature analysis, handwriting, analysis of keystrokes, …
  • Also voice and video recordings are biometric data, even when the recordings are not used to identify the data subjects; the possibility to identification – which is inherent to raw voice and video recordings – is sufficient.
    If you decide that voice or video recording are necessary for you research, you should check if the voice and video recordings could be distorted, without jeopardizing the research purposes. 
    • For example, when researching dialects or facial expressions, the distortion of voice or video recordings will be impossible, because the raw recordings are crucial for achieving the research purposes.
    • Video and raw voice recordings are rather unnecessary in case of an online interview where only the content of the conversation matters.
    • Moreover, it is recommended to delete voice and video recordings as soon these are not needed anymore to achieve your research purpose.
  • Health data
    •  Health data are personal data relating to the historical, actual or future (physical or mental) health status of a natural person.
    •  For example:
      • Information on injuries, diseases, disease risks, medical history or results of medical examination or treatments;
      • Data collected by means of smart apps, such as fitness or activity trackers;
      • Data collected in the context of health (care) services (e.g. alcohol use, smoker or not,...;
      • Data relating to doctor appointments (e.g. the frequency of visits to the psychologist says something about mental health)
      • Data relating to self-confidence, fear of failure, (sensitivity to) burn outs or other psychological features.
  • Data on a person's sexual behaviour or sexual orientation
  • Data relating to criminal convictions and offences. In a strict sense, these personal data are no special category of personal data, but these data are considered to be sensitive personal data for which the GDPR imposes stricter rules.

Exceptions for processing special categories of personal data

Although the processing of special categories of personal data is in principle prohibited, the GDPR provides a number of exceptions, i.e. well-defined situations in which the processing of these sensitive data is nevertheless permitted such as:

  • for archiving in the public interest or scientific, historical or statistical research;
  • the data subject has given his or her explicit consent to the processing for one or more specified purposes. Please do not confuse the consent to participate to the research with the consent for the processing of personal data for research purposes;
  • the data have been manifestly made public by the data subject;
  • the processing is necessary for reasons of public interest in the field of public health;
  • the processing is necessary for the purposes of preventive or occupational medicine, medical diagnoses, or the provision of healthcare;
  • the processing is necessary to protect the vital interests of the data subject or another natural person;
  • the processing is necessary for reasons of substantial public interest by or pursuant to law.
  • the processing is necessary for the performance of obligations under labour law or social security and social protection law.

In order to lawfully process special categories of personal data, your processing activity (within your research) must be based on one of these exceptions. However, this does not mean that you no longer have to comply with any conditions: you must take appropriate and specific measures to protect the interests and privacy of the data subject. More so, as a controller, you will have to take additional measures with regard to a processing of sensitive personal data, such as always carrying out a data protection impact assessment.

 

Registration in the GDPR register

If you are processing special categories of personal data, you must indicate this in the GDPR Register. In this register you must also motivate why this exception for the processing of special categories of personal data applies to your research. 

More tips

Translated tip


Last modified Aug. 28, 2024, 9:38 a.m.