GDPR: what should I keep in mind when processing special categories of personal data?
Special categories of personal data (sensitive personal data)
Some personal data belong to the group of “special categories” of personal data: these are personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, membership of a trade union, genetic data, biometric data, data about health or someone's sexual behavior or sexual orientation. These are personal data that are so sensitive that they should only be processed in very specific cases.
- Race
  - E.g. Caucasian
- Political views
  - E.g. even of well-known politicians
- Religious or philosophical beliefs
  - Even location data (e.g. church visits) can indirectly reveal information about someone's religious or philosophical beliefs
- Trade union membership
- Genetic data
  - Genetic data are personal data relating to inherited or acquired genetic characteristics of a natural person, and which provide unique information on the physiology or health of that natural person, by analyzing a biological sample of that natural person. E.g. hereditary and genetic characteristics.
- Biometric data
  - Biometric data are personal data which result from a specific technical processing relating to physical, physiological or behavior-related characteristics of a natural person, allowing unambiguous identification of that natural person, like facial photos or fingerprints.
    - Physical/physiological: DNA, fingerprints, detailed facial photos, shape of the ear/hand, iris scans, …
    - Behavior-related characteristics: eye tracking, walking or running pace, signature analysis, handwriting, analysis of keystrokes, …
  - Voice and video recordings are also biometric data, even when the recordings are not used to identify the data subjects; the possibility of identification, which is inherent to raw voice and video recordings, is sufficient.
  - If you decide that voice or video recordings are necessary for your research, you should check whether the voice and video recordings could be distorted without jeopardizing the research purposes.
    - For example, when researching dialects or facial expressions, the distortion of voice or video recordings will be impossible, because the raw recordings are crucial for achieving the research purposes.
    - Video and raw voice recordings are rather unnecessary in case of an online interview where only the content of the conversation matters.
  - Moreover, it is recommended to delete voice and video recordings as soon as these are not needed anymore to achieve your research purpose.
- Health data
  - Health data are personal data relating to the past, current or future (physical or mental) health status of a natural person.
  - For example:
    - Information on injuries, diseases, disease risks, medical history or results of medical examination or treatments;
    - Data collected by means of smart apps, such as fitness or activity trackers;
    - Data collected in the context of health (care) services (e.g. alcohol use, smoker or not, ...);
    - Data relating to doctor appointments (e.g. the frequency of visits to the psychologist says something about mental health);
    - Data relating to self-confidence, fear of failure, (sensitivity to) burn-outs or other psychological features.
- Data on a person's sexual behaviour or sexual orientation
- Data relating to criminal convictions and offences. In a strict sense, these personal data are not a special category of personal data, but they are considered to be sensitive personal data for which the GDPR imposes stricter rules.
Exceptions for processing special categories of personal data
Although the processing of special categories of personal data is in principle prohibited, the GDPR provides a number of exceptions, i.e. well-defined situations in which the processing of these sensitive data is nevertheless permitted, such as:
- for archiving in the public interest or scientific, historical or statistical research;
- the data subject has given his or her explicit consent to the processing for one or more specified purposes. Please do not confuse the consent to participate in the research with the consent for the processing of personal data for research purposes;
- the data have been manifestly made public by the data subject;
- the processing is necessary for reasons of public interest in the field of public health;
- the processing is necessary for the purposes of preventive or occupational medicine, medical diagnoses, or the provision of healthcare;
- the processing is necessary to protect the vital interests of the data subject or another natural person;
- the processing is necessary for reasons of substantial public interest by or pursuant to law;
- the processing is necessary for the performance of obligations under labour law or social security and social protection law.
In order to lawfully process special categories of personal data, your processing activity (within your research) must be based on one of these exceptions. However, this does not mean that you no longer have to comply with any conditions: you must take appropriate and specific measures to protect the interests and privacy of the data subject. Moreover, as a controller, you will have to take additional measures with regard to the processing of sensitive personal data, such as always carrying out a data protection impact assessment.
Registration in the GDPR register
If you are processing special categories of personal data, you must indicate this in the GDPR Register. In this register you must also state the reasons why the exception for the processing of special categories of personal data applies to your research.
Translated tip
Last modified Aug. 28, 2024, 9:38 a.m.