The GDPR articulates certain principles governing the processing of personal data, which is broadly defined to include any information that can be used to directly or indirectly identify a particular person. Beyond these general provisions, however, the GDPR, like its predecessor the Data Protection Directive, enumerates restrictions and requirements for the processing of certain types of data that are deemed to be sensitive. GDPR Article 9 expands upon the Directive and imposes enhanced compliance obligations on controllers and processors whenever one of these special categories applies.
Sensitive Data under the Directive Is Still Sensitive
The GDPR carries forward the Directive’s special categories of personal data (Article 9(1) also now expressly names sexual orientation alongside sex life) and, like the Directive, expressly prohibits the processing of personal data revealing:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade-union membership; and
- Data concerning health or sex life.
Processing is exempt from this general prohibition only where one of the listed conditions applies, most notably where the data subject has given explicit consent, or where the processing falls within a designated area such as employment law, health care, or the public interest. The Directive also gave Member States discretion to broaden these exemptions for reasons of “substantial public interest.”
Genetic and Biometric Data
In addition to the enumerated categories listed above, Article 9 of the GDPR adds “genetic data” and “biometric data” processed for the purpose of uniquely identifying a natural person. Information collected by genetic testing service providers, which have grown in popularity, is therefore subject to this additional scrutiny. The GDPR defines “biometric data” broadly as personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person which allow or confirm the unique identification of that person. This definition covers not only information generated by current facial-recognition and fingerprint systems but potentially any technology that derives a unique identifier from such characteristics, such as consumer purchasing patterns.
The GDPR also expands on the Directive’s treatment of health-related information. Under the Directive, health-related data was included as a special category but was left undefined, leaving that task to Member States. The GDPR, however, specifically defines “data concerning health” as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status. Recital 35 further clarifies that this includes not only the genetic and biometric data discussed above but also information derived from the testing or examination of a body part or bodily substance, and any number or identifier assigned to a person for health purposes, whether collected for diagnosis or for identification. As with other information covered by Article 9, the processing of this data is generally prohibited unless one of the enumerated exemptions applies. Health care data processors now have a specific, albeit broad, definition to consider when determining whether their activities are subject to European regulation.
Data Protection Impact Assessments
While organizations may still process special categories of personal data when the enumerated exemptions apply, the GDPR additionally requires organizations to conduct a data protection impact assessment (“DPIA”) when data processing is likely to result in a high risk to the rights and freedoms of natural persons. Article 35(3)(b) specifically requires a DPIA for the “large-scale” processing of special categories of data. Article 35 does not define “large-scale” processing, but the same factors used to decide whether monitoring or processing occurs on a “large scale” for purposes of appointing a Data Protection Officer (the number of data subjects, the volume and range of data items, the duration of the processing, and its geographic extent) are expected to apply to DPIAs as well.
An organization required to conduct a DPIA must do so prior to any relevant processing. At a minimum, a proper DPIA must contain each of the following:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects likely to result from the processing; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.
If a DPIA indicates that the processing would result in a high risk in the absence of mitigating measures taken by the controller, the controller must consult the competent supervisory authority before any processing begins. The GDPR does not define “high risk,” so organizations that may process any special category of personal data should be particularly aware of their DPIA obligations and consider whether the identified risks can be mitigated before processing starts.