Whilst it is important that all personal data is protected, there are certain activities or categories of personal data which might present a higher risk to the data subject if they were to be mistreated. These are detailed within the regulation and if these are processed then there is a requirement that further restrictions should be placed upon the processing of this data.
The data which is deemed to form part of these special categories includes:
- Racial or Ethnic origin
- Political opinion/affiliation
- Religious or political beliefs
- Trade Union membership
- Genetic or biometric data
- (for the purpose of uniquely identifying a natural person)
- Data concerning health
- Sex-life/sexual orientation
Mistreatment of this type of data might result in additional harm to the data subject, for example it could be the cause of additional discrimination, embarrassment or even result in harm through blackmail or ransom.
In order to process special categories of personal data the organisation needs an additional lawful basis over and above those specified previously.
One or more of these additional lawful bases must also be met:
- Processing is required for carrying out obligations under employment, social security or social protection law, or a collective agreement
- Processing is required to protect the vital interests of a Data Subject or another individual where the Data Subject is legally or physically unable to give consent
- Processing carried out by a not-for-profit body with a philosophical, religious, political or trade union aim, provided the processing relates only to members or former members (or those who have regular contact with it regarding those purposes) and provided there is no disclosure to a third party without consent
- Processing relates to personal data manifestly made public by the Data Subject
- Processing is required for the establishment, exercise, or defence of legal claims or where courts are acting in their judicial capacity
- Processing is required for reasons of significant public interest on the basis of Union or Member State law which is equivalent to the aim pursued, and which contains suitable safeguards
- Processing is required for the purposes of preventative or occupational medicine, for evaluating the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or guaranteeing high standards of healthcare and of medicinal products or medical devices
- Processing is required for archiving purposes in the public interest, or historical and scientific research purposes or statistical purposes
- Explicit consent of the Data Subject, unless dependence on consent is prohibited by EU or Member State law