Sensitive Personal Data and the GDPR

The EU General Data Protection Regulation (GDPR) deems certain types of personal data particularly sensitive. It calls this sensitive personal data "special category data." There are strict rules about collecting special category data from people in the EU.

If you're planning a project involving special category data, you must plan carefully.

You might think of sensitive personal data as the sort of information held by healthcare companies and police departments. But you might already hold some special category data. If you didn't collect it properly, you might have a big problem on your hands.

Let's take a look at what special category data is, and how you can ensure you process it in a legally compliant way.


Special Category Data

The GDPR requires that you treat all personal data with care.

It doesn't matter if it's something as obvious as a person's name, as seemingly innocuous as their IP address, or as sensitive as their medical records. You must only collect personal data if you need it, you must store it securely, and you must not share it carelessly.

Special category data is the sort of personal data that you must treat extra carefully.

Types of Special Category Data

Article 9 of the GDPR lists the various types of special category data. Special category data is information that reveals someone's:

  • Race
  • Ethnicity
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetics
  • Biometrics (if used to identify them)
  • Health
  • Sex life
  • Sexual orientation

Is Special Category Data Personal Data?

Special category data is always personal data. So, general information about race or political opinions is not special category data.

It must be possible to link this information to a living individual for it to be considered personal data (and thus special category data). However, EU law finds this link very readily.

For example, it might be deemed possible to link the information to an individual, even if:

  • The data is stored separately from other information about the person
  • The data is encrypted
  • You didn't ask for the person's name or contact details when you collected the information

Even if you don't think a piece of information is personal data, it may well be. The EU's courts have heard many cases where the defendant got this wrong.

What's Special About Special Category Data?

One of the GDPR's chief aims is to protect people's rights and freedoms.

If businesses carelessly reveal their customers' personal data, this can lead to damage, distress, and discrimination. This is especially true in respect of special category data.

People have the right to keep personal data private in most circumstances. Of course, this isn't always possible or appropriate. But the GDPR's rules around special category data aim to ensure that the most sensitive types of personal data stay private except under the most exceptional circumstances.

Other Types of Sensitive Personal Data

There are some types of personal data that are not special category data, but still have special rules that apply to them. You must familiarize yourself with these rules if you process these types of personal data.

Criminal Conviction Data

The GDPR has special rules around processing criminal convictions data. The previous law, the Data Protection Directive, grouped criminal conviction and special category data as "sensitive data." The GDPR gives criminal conviction data its own set of rules, under Article 10.

Generally speaking, only public authorities are allowed to process criminal conviction data. However, other organizations can process criminal conviction data under certain conditions.

For example, companies in specific industries must vet new staff hires by checking their criminal records. And journalists must be allowed to report on court hearings.

The GDPR delegates some responsibility for deciding the rules on criminal convictions data to EU Member States. Therefore, each EU country has its own laws regarding criminal convictions data.

Children's Personal Data

The GDPR has special rules around processing the personal data of children, under Article 8.

Children are not considered capable of consenting to the processing of their personal data. Businesses offering online services (such as an app, social media platform, or website) to children must obtain parental consent.

Each EU country can decide the age at which children can consent to the processing of their personal data. This age must be above 13 years old. For example, the UK's implementation of the GDPR, the Data Protection Act 2018, sets the age at 13.

So let's say you provide an online service that collects children's personal data. For children in the UK aged under 13, you need to get parental consent. For children in the UK aged 13 or older, you can get consent directly from the child.

Personal Data in General

Whenever you're processing any type of personal data, you should consider the risks involved.

For example, location data isn't a type of special category data, but it's highly sensitive in some contexts. Your users wouldn't feel comfortable if your mobile app tracked all of their movements without their consent.

Credit card data isn't special category data either. But you need to treat it carefully to protect your users against fraud.

It's all about context. Consider how you can apply the GDPR's six principles of data processing whenever you're collecting or using any type of personal data. And for certain projects, you may need to conduct a Data Protection Impact Assessment.

Identifying Special Category Data in Your Business

You may already be processing special category data without having considered the implications.

For example, if you provide a mobile app, you could be collecting special category data in all sorts of ways. Here's what the European Union Agency for Network and Information Security has to say about this (at page 15 of the linked document):

enisa: Privacy and Data Protection in Mobile Apps: Section on consent and sensitive information

Many things can fall under the definition of special category data: photos, information about relationships, and messages between users, to name just a few. You might not realize that you're collecting special category data unless you think creatively about what sort of information you're accessing.

Facebook recognized the nature of this problem in 2018 when it brought in new restrictions around how third-party developers collect certain types of information on its platform:

Facebook News for Developers: Requirements for Facebook login - Sensitive personal data permissions

Conducting a GDPR data audit will help you better understand what personal data your business processes.

Health and Fitness Apps

It's obvious why health data is a type of special category data. But there are hundreds of apps and services that collect information about a person's workouts, wellbeing, and fitness. Are all of these apps processing health data?

The Article 29 Working Party (an official EU data protection advisory body) makes some useful points about health data.

Health data doesn't only mean "obvious" information about people's medical conditions. Health data can include information that, when combined with other information, tells you something about a person's health.

This sort of indirectly identifying personal data could include information collected from sensors on smart devices, e.g. sleep trackers, step counters, heart rate monitors.

The context is important. If your app only counts a user's steps, and the data is erased regularly, you might not be "processing health data." If your app collects data about several variables over a longer period, it could easily build up a very revealing profile about the user's health.

User-Generated Content

Bear in mind that if your users are allowed to contribute comments or posts to your website or app, this material could contain special category data.

Your users are volunteering this information to you. But you should think carefully about how securely you're storing it, how regularly you're erasing it, and who can access it.

For more information about how to handle user-generated content, see our article on Legal Issues with User-Generated Content.

Rules Around Processing Special Category Data

The GDPR opens Article 9 by stating that processing special category data "shall be prohibited." But in fact, the GDPR recognizes many reasons for processing special category data. These reasons are characterized as "exemptions" to this general ban.

You may be familiar with the concept of lawful bases for processing personal data under the GDPR. Every time you process any type of personal data, you need a good legal reason for doing so.

You can forget most of what you know about lawful bases with respect to special category data. Special category data has its own set of rules.

Acceptable Reasons for Processing Special Category Data

There are ten reasons you might be allowed to process special category data. In each case, you must always act in accordance with law, and you need to have assessed and safeguarded against the risks involved.

  1. Consent - You can process special category data with the specific and explicit consent of the data subject (the person who the personal data is about).
  2. Employment and social security - You may be able to process special category data to carry out obligations in the fields of employment and social security.
  3. Vital interests - You may be able to process special category data if someone's life depends on it and the data subject cannot consent.
  4. Charitable operations - Charities and foundations may be able to process special category data in pursuit of their activities.
  5. Publicly available information - You may be able to process special category data if the data subject has already made it public.
  6. Legal claims - You may be able to process special category data to bring or defend against a lawsuit.
  7. Public interest - You may be able to process special category data if it's in the public interest for you to do so.
  8. Healthcare - You may be able to process special category data in order to assess, diagnose or treat the data subject in a medical capacity, either under law or contract.
  9. Public health - You may be able to process special category data in the interests of public health.
  10. Research and statistics - You may be able to process special category data to do research or create statistics in the public interest, so long as you obey the rules under Article 89 (also see Recitals 156-160).

Depending on the context in which your business operates, you could rely on a number of these reasons when processing special category data. But the most relevant to most businesses will be point 1: consent.

One falsehood about the GDPR is that it requires consent for all processing of personal data. In fact, consent is only one of the six lawful bases for processing personal data.

Other lawful bases are also appropriate for certain business activities, most notably "contract" and "legitimate interests." However, with certain exceptions for healthcare providers and charities, you cannot rely on contract or legitimate interests for processing special category data.

Most businesses will already be relying on the lawful basis of consent for some of their business activities. For example, you must normally earn consent for activities such as:

  • Setting tracking cookies
  • Sending direct marketing communications
  • Selling personal data

Consent under the GDPR is very strict. You must ensure that your users truly understand what they're consenting to.

The GDPR's definition of consent can be broken down into six elements. Consent must be:

  • Freely given - You can't force users to consent or deny them services if they refuse
  • Informed - You must ensure your users understand what they're consenting to
  • Unambiguous - You must make your consent request clear
  • Specific - You must ask for consent to process for a specific purpose
  • Affirmative - A failure to opt out of something is not consent
  • Easily withdrawn - You must provide a simple way for a user to withdraw consent if they change their mind

Any time you seek consent, as you'll normally need to do when processing special category data, you need to do so in a way that complies with each of these six elements.


Consent Case Study - Tinder

We're going to take a look at how Tinder requests consent to process special category data. Tinder processes a lot of special category data about people's religious beliefs, ethnicity, and, of course, their sex lives.

Here's an excerpt from Tinder's Privacy Policy:

Tinder Privacy Policy: Sensitive information clause excerpt

Tinder states that by choosing to provide the company with special category data during account setup, you consent to the processing of that data by Tinder.

How does this match up against the GDPR's requirements?

  • Freely given - Tinder requests special category data on account setup. However, Tinder doesn't require this information in order to set up an account. Therefore, it is freely given.
  • Informed - Tinder does present its Privacy Policy when a user sets up an account. This contains information about how long profile information will be stored, and with whom Tinder may share it. This means the user is informed.
  • Unambiguous - Tinder provides users with an option to skip questions about special category data, so it's clear that they aren't required to answer them. This means that the request is unambiguous.
  • Specific - In addition to asking for profile information, Tinder also asks, separately and specifically, for consent to send direct marketing communications and access device location.
  • Affirmative - Getting "affirmative" consent is often associated with ticking a box. In fact, affirmative consent can, in theory, be given via any positive action. Here, it's the act of providing the special category information.
  • Easily withdrawn - Tinder makes it easy for its users to withdraw consent.

Let's focus on that last point. Here's how Tinder allows its users to withdraw consent.

At setup, Tinder asks users about their sexual orientation. They can provide this information if they choose to do so. Within the Tinder app, users can deselect whatever options they chose:

Tinder app: Sexual orientation screen

This is a clear and simple way to withdraw consent.

Tinder's means of processing special category data during its account setup process does seem to be GDPR-compliant. Although users are not asked to tick a box to confirm their consent, they are still consenting via an unambiguous, affirmative action.

But remember that Tinder doesn't only process the personal data that appears on users' profiles. The messages that users send one another can also contain special category data. It's not clear how Tinder earns specific consent to store these messages on its servers.

Summary

Take special care whenever you're processing information that reveals someone's:

  • Race
  • Ethnicity
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetics
  • Biometrics (if used to identify them)
  • Health
  • Sex life
  • Sexual orientation

Don't ask for this sort of information unless you really need it. And make sure you get consent where appropriate.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.