Data protection - an example from practice

Sensitive data - what companies need to know

The "special categories of personal data" form a separate sub-area within personal data. They are defined in Art. 9 Para. 1 GDPR, which covers information revealing the data subject's:

  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership,
  • health,
  • sex life or sexual orientation.

Genetic data and biometric data processed for the purpose of uniquely identifying a natural person are also covered.

If this data is misused, the risk to the data subject's rights and freedoms (in Germany often framed as the right to informational self-determination) is above average. That is why the legislature has stipulated that the special categories of personal data enjoy special protection.

Note on language usage

Many decision-makers are aware that they have to be particularly careful with sensitive data. "Sensitive data", however, is a colloquial term. Those who want to use the correct legal terminology should speak of "special categories of personal data". Both expressions refer to the same type of data (Art. 9 Para. 1 GDPR).

Sensitive data - look at the individual categories

For a better illustration, we have added specific examples to the individual data categories below.

  • racial or ethnic origin (e.g. skin colour)
  • political opinions (e.g. party membership)
  • religious or philosophical beliefs (e.g. church membership or denomination)
  • trade union membership (e.g. membership of union XY)
  • genetic data (e.g. a gene sequence from a genetic test)
  • biometric data used for identification (e.g. a fingerprint template used for access control)
  • health (e.g. diagnoses, illnesses, sick leave)
  • sex life or sexual orientation (e.g. homosexuality)

When can this data be processed?

According to Art. 9 Para. 1 GDPR, the processing of special categories of personal data is prohibited as a rule. However, Art. 9 Para. 2 GDPR provides for the following exceptions:

  • The data subject has given explicit consent to the processing for one or more specified purposes (Art. 9 Para. 2 a).
  • The processing is necessary for the controller's or the data subject's obligations and rights under employment, social security or social protection law (Art. 9 Para. 2 b).
  • The processing is necessary to protect the vital interests of the data subject or another person and the data subject is physically or legally incapable of giving consent (Art. 9 Para. 2 c).
  • The processing is carried out, with appropriate safeguards, by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim in the course of its legitimate activities, relates solely to its members, former members or persons in regular contact with it, and the personal data are not disclosed outside that body without the consent of the data subjects (Art. 9 Para. 2 d).
  • The data have manifestly been made public by the data subject (Art. 9 Para. 2 e).
  • The processing is necessary for the establishment, exercise or defence of legal claims, or is carried out by courts acting in their judicial capacity (Art. 9 Para. 2 f).
  • The processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law (Art. 9 Para. 2 g).
  • The processing is necessary for preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health systems, and is carried out by or under the responsibility of a professional bound by professional secrecy (Art. 9 Para. 2 h in conjunction with Art. 9 Para. 3).
  • The processing is necessary for reasons of public interest in the area of public health (Art. 9 Para. 2 i).
  • The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Art. 9 Para. 2 j).

When collecting, processing or using special categories of personal data, special obligations apply which may, among other things, require further laws to be considered and applied. For example, when social data are concerned, the provisions of the German Social Security Code (SGB) must be taken into account; when job applicant data are concerned, the provisions of the German General Equal Treatment Act (AGG) must be observed.

Requirements for consent

As shown above, the processing of special categories of personal data may, depending on the purpose, require explicit consent to be obtained beforehand; an implied act such as continued use of a service is not sufficient. In this regard, not only the general requirements for valid consent must be met: under Art. 4 No. 11 GDPR, consent must be freely given, specific, informed and unambiguous, and under Art. 7 GDPR the controller must be able to demonstrate it and the data subject must be able to withdraw it at any time. The GDPR does not prescribe written form, but a written or otherwise recorded statement is the usual way to prove that consent was explicit. In addition, the consent text must refer to the special categories of personal data concerned and specifically name them.

Pitfalls in practice

There are several pitfalls when dealing with special categories of personal data. In some companies the data category is simply not recognised. Health data is a good example; it is by no means recorded and processed only in a medical environment. Companies record it, for example, to document employees' sick days in HR or time-tracking systems. Even this kind of record is health data, and the special data protection obligations apply to it.