GDPR tip – What are the conditions for processing special category data?
In last week’s e-zine we looked at the definitions of personal data and of special categories of (sensitive) personal data. This week we are going to explore sensitive data in greater detail. The first thing to note is that under Article 9 of the GDPR it is prohibited to process sensitive data unless one of the conditions below is met.
It is important that proper safeguards are put in place when processing sensitive data, and that technical and organisational procedures are put in place to ensure that the data is managed securely and safely by the right people and through the correct systems.
To process sensitive data, you must adhere to one of the following conditions:
- That the data subject has given explicit consent to process their sensitive data. If you are relying on explicit consent as your legal basis for processing sensitive data, it must be made crystal clear to the data subject why you are processing their sensitive data. It is also important to check EU or Irish law to see if there are any reasons that prohibit you from processing sensitive data under this condition.
- For the purposes of carrying out obligations and exercising specific rights of the controller or of the data subject. This purpose covers the areas of employment and social protection law.
- In order to protect the vital interests of the data subject. This would be applied if a data subject was physically or legally incapable of giving consent and it could be used in order to protect someone’s life.
- Processing is carried out in the course of legitimate activities by a foundation, association or any other not-for-profit body. Examples of this include Trade Unions, religious or political organisations.
- Processing relates to personal data which are manifestly made public by the data subject. This would relate to the defence of legal claims.
- Processing is necessary for reasons of substantial public interest.
- Processing is necessary for preventative or occupational medicine. This relates to medical assessments of the working capability of employees or the management of health or social care services.
- Processing is necessary for reasons of public interest in the area of public health. This relates to epidemics or other matters that would impact the health of the general public.
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
The one area that could prove challenging is the area of consent, in particular explicit consent, and we will look at this next week. If you are dealing with sensitive data and want to consider which of the above options apply, why not use the SFA GDPR toolkit on our website, which you can download here?
If you would like more information on GDPR or to discuss your requirements further please contact Helen at SFA on 01 605 1668 or at firstname.lastname@example.org or visit our HR and Employment Law advice section on www.sfa.ie