Special Category Data GDPR (General Data Protection Regulation)

Published on: 22 Jul 2022


Special Category Data GDPR

The General Data Protection Regulation (GDPR) is a data protection law that protects the personal data of individuals in the EU (and, through the UK GDPR retained after Brexit, in the UK). It applies to data subjects located in those jurisdictions, not only to their citizens. The regulation is designed to protect the rights of individuals and the privacy of their personal data, and it sets out a detailed list of requirements for organizations that collect, store, and process personal data. It also singles out a subset of personal data, known as special category data, that requires stricter conditions for processing and a higher level of security.

Special category data is data the regulation treats as particularly sensitive, because its misuse can lead to discrimination or serious harm to the individual, and the regulation therefore sets far more stringent requirements for processing it. This article explains the requirements GDPR places on special category data and what organizations are expected to do when processing it. Before turning to the requirements, let us first be clear about what counts as special category data.

What is Special Category Data?

Special category data is personal data that reveals or concerns particularly sensitive aspects of a person's life and therefore needs additional protection. GDPR draws a clear line between ordinary personal data and special category data: processing special category data is prohibited by default (Article 9(1)) and is allowed only when one of the specific conditions in Article 9(2) applies, one of which is the explicit consent of the data subject. In addition, the controller still needs a lawful basis under Article 6, as for any personal data. Article 9 also sets out the safeguards expected when handling such data. The categories listed in Article 9(1) are given below.

Special category data (Article 9(1)):

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data, where it is processed to uniquely identify a person
  • Data concerning health (including mental health)
  • Data concerning a person's sex life or sexual orientation

Difference between Personal Data & Special Category Data

Definition

Personal data: any information relating to an identified or identifiable living natural person (Article 4(1)).

Special category data: a distinct subset of personal data that the regulation treats as more sensitive than other personal data and lists exhaustively in Article 9(1).

Examples

Personal data:
1. Name
2. Identification number
3. Location data
4. Contact information such as a home address or email address
5. IP address
6. Advertising ID

Special category data:
1. Racial or ethnic origin
2. Political opinions
3. Religious or philosophical beliefs
4. Trade union membership
5. Genetic data
6. Biometric data used for identification purposes
7. Data concerning health, sex life, and sexual orientation

Processing of data

Personal data may be processed only if at least one of the lawful bases in Article 6(1) applies:
1. The data subject has given consent;
2. Processing is necessary for the performance of a contract with the data subject (or to take steps at the data subject's request before entering into one);
3. Processing is necessary for compliance with a legal obligation;
4. Processing is necessary to protect the vital interests of the data subject or another person;
5. Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. Processing is necessary for the legitimate interests of the controller or a third party, unless overridden by the interests or rights of the data subject.
Whatever the basis, the controller must also apply appropriate security measures as required by Article 32.

Special category data may not be processed at all (Article 9(1)) unless one of the conditions in Article 9(2) applies:
1. The data subject has given explicit consent;
2. Processing is necessary for carrying out obligations or exercising rights under employment, social security, or social protection law, or a collective agreement;
3. Processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent;
4. Processing is carried out, with appropriate safeguards, in the course of the legitimate activities of a foundation, association, or other not-for-profit body with a political, philosophical, religious, or trade union aim, relates solely to its members, former members, or persons in regular contact with it, and the data is not disclosed outside the body without the data subjects' consent;
5. The data has manifestly been made public by the data subject;
6. Processing is necessary for the establishment, exercise, or defense of legal claims, or whenever courts are acting in their judicial capacity;
7. Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law that is proportionate to the aim pursued and provides appropriate safeguards;
8. Processing is necessary for preventive or occupational medicine, assessment of an employee's working capacity, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or a contract with a health professional and subject to the conditions and safeguards of Article 9(3);
9. Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care, medicinal products, or medical devices;
10. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1).
What are the security measures required as per GDPR?

GDPR requires that personal data be processed securely, using appropriate technical and organizational measures (Article 32).

The regulation does not mandate a fixed set of controls; it expects measures that are appropriate to the risk, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the processing. Article 32 names pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability, and resilience of systems, the ability to restore data after an incident, and regular testing of the measures as examples.

Because special category data carries a higher risk to the individual, the appropriate level of protection for it is correspondingly higher. In practice that usually means encrypting it at rest and in transit, restricting access to it on a need-to-know basis with access controls and logging, and keeping it separated from ordinary personal data so that it can be protected, retained, and deleted according to its own rules.

What does GDPR say about Special Category Data?

GDPR treats special category data as a distinct class of personal data. Article 6 sets out the lawful bases on which any personal data, special category data included, may be processed. Article 9 adds a further layer: it prohibits the processing of special category data outright unless one of the specific conditions in Article 9(2) is met, and it calls for additional safeguards throughout the collection, storage, and processing of such data. The conditions under which special category data may be processed are the following.

  • The data subject has given explicit consent to the processing for one or more specified purposes (unless Union or Member State law provides that the prohibition cannot be lifted by consent);
  • The processing is necessary for carrying out obligations or exercising specific rights of the controller or data subject in the field of employment, social security, or social protection law;
  • The processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent;
  • The processing is carried out, with appropriate safeguards, in the course of the legitimate activities of a foundation, association, or other not-for-profit body with a political, philosophical, religious, or trade union aim, relates solely to its members, former members, or persons in regular contact with it, and the data is not disclosed outside that body without the consent of the data subjects;
  • The special category data has manifestly been made public by the data subject;
  • The processing is necessary for the establishment, exercise, or defense of legal claims, or whenever courts are acting in their judicial capacity;
  • The processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law that is proportionate to the aim pursued, respects the essence of the right to data protection, and provides suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
  • The processing is necessary for the purposes of preventive or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or a contract with a health professional and subject to the conditions and safeguards in Article 9(3);
  • The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care, medicinal products, or medical devices;
  • The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), on the basis of Union or Member State law that is proportionate to the aim pursued, respects the essence of the right to data protection, and provides suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

Where the health and social care condition is relied on, the data may be processed only by or under the responsibility of a professional bound by an obligation of professional secrecy under Union or Member State law or the rules of national competent bodies (Article 9(3)). Member States may also introduce further conditions, including limitations, on the processing of genetic data, biometric data, or data concerning health (Article 9(4)).


Points to Consider when Processing Special Category Data

1. Define Special Category Data

As a Data Controller, you need to identify and classify the personal data and special category data you collect, store, process, and transmit as part of your business operations. Be sure of what is classified as special category data: check whether any of your data reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or contains genetic data, biometric data used for identification, health data, or data concerning sex life or sexual orientation, as defined in Article 9(1) of GDPR.

2. Assess the Kind of Special Category Data Processed

As a Data Controller and/or Processor, you need to record which kinds of special category data you are currently collecting and processing, and for what purposes. Then review and verify that each processing activity is lawful: it needs both a lawful basis under Article 6 and one of the specific conditions under Article 9(2) of GDPR.

3. Legal Basis for Processing

You need to ensure and document that you have a lawful basis for the processing and an Article 9(2) condition that covers it. Depending on the activity, that may be the explicit consent of the data subject, an obligation under employment or social protection law, the vital interests of an individual, substantial public interest, or one of the other conditions in Article 9 of GDPR. Note that performance of a contract is an Article 6 lawful basis but is not on its own an Article 9 condition for special category data.

4. Conduct a DPIA

A Data Protection Impact Assessment (DPIA) is required under Article 35 whenever processing is likely to result in a high risk to individuals, and Article 35(3) expressly includes large-scale processing of special category data. The DPIA gauges the risk exposure of the processing, and appropriate measures then need to be established in line with the exposure and risk classification determined in the assessment.

For those who are new to the GDPR regulation and compliance process, we recommend consulting a compliance specialist for proper guidance and support. We at VISTA InfoSec offer end-to-end compliance and consultation services for Data Controllers and Data Processors looking to achieve GDPR compliance. For more details about the regulation or the compliance process, you can contact our expert or take advantage of our free one-session consultation online.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF Assessor, CISSP, CISA, CRISC, ISO 27001 LA) is the Founder and Director of VISTA InfoSec, a global information security consulting firm based in the US, Singapore, and India. Mr. Sahoo has more than 25 years of experience in the IT industry, with expertise in information risk consulting, assessment, and compliance services. VISTA InfoSec specializes in information security audit, consulting, and certification services, including GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance and audit, PCI PIN, SOC 2 compliance and audit, PDPA, and PDPB, to name a few. The company has worked since 2004 with organizations across the globe to address the regulatory and information security challenges in their industries, and has helped top multinational companies achieve compliance and secure their IT infrastructure.