Special data according to the RGPD
Special category personal data under the GDPR
In this article we explain what special category data are under the data protection regulations (GDPR and LOPD-GDD), because nowadays all of us, without exception, are exposed to our most intimate data being processed, whether for laudable purposes such as the public interest (health issues) or for less laudable ones (identity theft).
Against this backdrop, Business Adapter (data protection, Valencia) wants to make clients and readers aware of the importance of the special category data regulated by data protection law, the guarantees that protect data subjects, and the professional activities that must take this special regime into account.
Legal definition
Regulation (EU) 2016/679 (hereinafter, GDPR) regulates in its Article 9 the processing of special categories of personal data, meaning data relating to:
- Ethnic or racial origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Data concerning sex life or sexual orientation
The specific definition of some of these data can be found in Article 4 of the GDPR.
On the other hand, Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPD-GDD) refers in its Article 9 to the GDPR's rules on this type of personal data, noting that some processing must be covered by a rule with the status of law, which establishes additional requirements relating to security and confidentiality.
GDPR requirements for special data
The general rule is that such processing is prohibited. Furthermore, the LOPD-GDD establishes that, in order to avoid discriminatory situations, the consent of the data subject alone is not sufficient to lift the prohibition on processing data whose main purpose is to identify his or her ideology, trade union membership, religion, sexual orientation, beliefs or racial or ethnic origin.
One might therefore think that this personal data is fully shielded by the regulation. However, Article 9.2 of the GDPR provides exceptions that must be taken into account; in summary and by way of example, these are:
a) the data subject has given his or her explicit consent to the processing of this personal data
b) the processing is necessary for the fulfillment of obligations in the field of employment
c) the processing of such personal data is necessary to protect the vital interests of a person
e) when the data subject has manifestly made the special data available to the public
f) when it is necessary for the defense of legal claims, or when courts are acting in the exercise of their judicial functions
g) processing operations for reasons of essential public interest, respecting the right to data protection
h) for purposes of preventive or occupational medicine
i) when it is necessary in the public interest in the field of public health
j) when it is necessary for scientific or historical research purposes or for statistical purposes, always in the public interest
Security measures
When processing involves special categories of data, we must make sure we have adopted the following security measures to protect this personal data:
a) Carry out a data protection impact assessment before processing begins, specifically when biometric and genetic data are to be processed.
b) Obtain the consent of the data subject in all cases; it must meet the requirements of Article 6.1 of the LOPD-GDD (free, unequivocal, specific and informed), except where the rule determines that such consent is not required prior to processing.
c) The controller and the processor must draw up the Register of Processing Activities, specifying the special category data processed and the risks identified, in accordance with Article 30.1 c) and 30.2 of the GDPR and Article 31.1 of the LOPD-GDD.
d) Appoint a Data Protection Officer when the core activities of the controller or processor consist of large-scale processing of this type of data, in accordance with Article 37.1 c) of the GDPR.
e) Develop an authorized-access policy for this type of data, specifying the persons/users authorized to access it, and issue individual user accounts and passwords.
f) Use encryption techniques if this type of data has to be sent by e-mail or through online platforms.
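Measures e) and f) are the two that translate directly into code. The following Go program is an example added here to illustrate them; it is not taken from the article or from Business Adapter. It shows a field-level access policy that redacts the special category fields a role is not authorized to see (returning the list of removed fields for the audit trail) and AES-GCM encryption of such data before it leaves the system. The field names, roles, policy and sample record are constructed for the example and are not from any real system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"sort"
)

// Special category fields a hypothetical record may carry (constructed names that
// mirror the Article 9 list; they are not taken from any real system).
var specialCategoryFields = map[string]bool{
	"health_data":        true,
	"genetic_data":       true,
	"biometric_template": true,
	"sexual_orientation": true,
	"religion":           true,
	"union_membership":   true,
}

// Access policy (hypothetical): which roles may read which special category fields.
// Ordinary fields (name, appointment date, ...) are readable by every role; a role
// that is absent from the policy is denied every special category field.
var accessPolicy = map[string]map[string]bool{
	"clinician": {"health_data": true, "genetic_data": true},
	"reception": {}, // identification and scheduling data only
	"hr":        {"union_membership": true},
}

// Authorized reports whether a role may read a given field under the policy.
func Authorized(role, field string) bool {
	if !specialCategoryFields[field] {
		return true // not special category: no field-level restriction
	}
	return accessPolicy[role][field] // nil map lookup yields false: default deny
}

// Redact returns a copy of record without the special category fields the role is
// not authorized for, plus the sorted list of removed fields for the audit log.
func Redact(record map[string]string, role string) (map[string]string, []string) {
	out := make(map[string]string, len(record))
	var removed []string
	for field, value := range record {
		if Authorized(role, field) {
			out[field] = value
		} else {
			removed = append(removed, field)
		}
	}
	sort.Strings(removed)
	return out, removed
}

// Seal encrypts plaintext with AES-256-GCM. The random nonce is prepended to the
// ciphertext so Open can recover it; GCM also authenticates the message, so any
// modification in transit is detected on decryption.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts and authenticates a message produced by Seal.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample record; not real personal data.
	record := map[string]string{"name": "Example Patient", "appointment": "2024-03-01",
		"health_data": "allergy: penicillin", "religion": "undisclosed"}
	for _, role := range []string{"reception", "clinician"} {
		view, removed := Redact(record, role)
		fmt.Printf("%s sees %v (redacted: %v)\n", role, view, removed)
	}
	key := make([]byte, 32) // in practice, obtained from a key management service
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, _ := Seal(key, []byte(record["health_data"]))
	plain, err := Open(key, sealed)
	fmt.Println(string(plain), err)
}
```

The policy is deliberately default-deny: a role not listed in the map (or a field not granted to it) is refused, and the audit list lets the controller record which special category fields were withheld from whom. Encryption is applied to the specific field value being sent rather than to a whole export, so that an e-mail or platform upload carries only what the recipient is authorized to read.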
Businesses subject to this type of processing
Today, there are many types of businesses in which the processing of special category personal data is part of their core business.
All these businesses must adopt the aforementioned security measures, once they have clearly defined the data to be processed.
Examples of businesses using special category data might include the following:
a) Educational centers of any level, since the records of students (mostly minors) must frequently include health-related data (diseases, allergies, etc.).
b) Psychological care services, since the records of service users (patients) must take into account data related to health, sexual life, sexual orientation, and genetics.
e) Dental clinics, for health-related data.
f) Psycho-pedagogical offices, which must collect data related to health, religion and sex life.
g) Companies that use biometric readers as a method of working time control.
h) Clinics or services related to assisted reproduction and pregnancy, since they handle genetic data, data on sex life and sexual orientation, and health data.
i) Aesthetic surgery clinics, which process health data.
j) Law firms (but not self-employed lawyers), which may process health data, religious or philosophical beliefs, genetic data, and data on sexual orientation and sex life.
k) Sports clubs or sports associations, which process health data.
l) Labor risk prevention consultancies/management companies, since they process health data.
What to do if your business processes this special data
We recommend that you contact a data protection expert (Data Protection Company Valencia / RGPD Valencia) to manage the security policies to be implemented in your organization, the data protection manual for employees, etc.