What is GDPR Special Category Data?

Under GDPR, firms have responsibilities in relation to the personal data of data subjects, but there is also a distinct category of data that is treated differently – GDPR special category data.

What is GDPR special category data, and how do the rules differ for managing that data?

GDPR Special Category Data

GDPR special category data is personal data of data subjects that is especially sensitive: its exposure could significantly affect the rights and freedoms of data subjects and could potentially be used against them for unlawful discrimination.

GDPR special category data includes the following data:

  • Race and ethnicity
  • Religious or philosophical background
  • Political beliefs
  • Trade union subscriptions
  • Biometric data used to identify a person
  • Genetic info
  • Health history
  • Data linked to sexual preferences, sex life, and/or sexual orientation

Because these data elements are so sensitive, a firm must have a legitimate and lawful reason for gathering, storing, transmitting, or processing them. Firms are forbidden from gathering or processing these data unless one of the following conditions applies:

  • Explicit authorization has been given from the data subject; or,
  • Processing is required in order to carry out obligations and exercise specific rights of the data controller for reasons related to employment, social security, and social protection; or,
  • Processing is necessary to safeguard the vital interests of data subjects where individuals are physically or legally incapable of providing consent; or,
  • Processing is required for the establishment, exercise, or defence of legal claims, for reasons of substantial public interest, or reasons of public interest in the area of public health; or,
  • Processing is required for reasons of preventive or occupational medicine; or,
  • Processing is required for archiving purposes in the public interest, scientific, historical research, or statistical reasons; or,
  • Processing is linked to personal data which are manifestly made public by the data subject; or,
  • Processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects.

The processing of any personal data may only take place if there is a lawful basis for using the data, as set out in Article 6 of the GDPR. Any company that needs to process special category data must also review the requirements laid down in Article 9 of the GDPR. Personal data relating to criminal convictions and offences are likewise particularly sensitive and are dealt with separately in Article 10 of the GDPR.

If special category data are gathered, stored, processed, or transmitted, data controllers must ensure that extra protections are put in place so that the information is appropriately secured.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA