15 August 2020
The EU General Data Protection Regulation (GDPR) deems certain types of personal data particularly sensitive. It calls this sensitive personal data "special category data." There are strict rules about collecting special category data from people in the EU.
If you're planning a project involving special category data, you must plan carefully.
You might think of sensitive personal data as the sort of information held by healthcare companies and police departments. But you might already hold some special category data. If you didn't collect it properly, you might have a big problem on your hands.
Let's take a look at what special category data is, and how you can ensure you process it in a legally-compliant way.
The GDPR requires that you treat all personal data with care.
It doesn't matter if it's something as obvious as a person's name, as seemingly innocuous as their IP address, or as sensitive as their medical records. You must only collect personal data if you need it, you must store it securely, and you must not share it carelessly.
Special category data is the sort of personal data that you must treat extra carefully.
Article 9 of the GDPR lists the types of special category data. It is personal data that reveals someone's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation.
Special category data is always personal data. So, general information about race or political opinions that is not linked to any individual is not special category data.
It must be possible to link this information to a living individual for it to be considered personal data (and thus special category data). However, EU courts and regulators find this link very readily.
For example, it might be deemed possible to link the information to an individual, even if:
Even if you don't think a piece of information is personal data, it may well be. EU courts have repeatedly found that data a controller treated as non-identifying was in fact personal data.
One of the GDPR's chief aims is to protect people's rights and freedoms.
If businesses carelessly reveal their customers' personal data, this can lead to damage, distress, and discrimination. This is especially true in respect of special category data.
People have the right to keep personal data private in most circumstances. Of course, this isn't always possible or appropriate. But the GDPR's rules around special category data aim to ensure that the most sensitive types of personal data stay private except under the most exceptional circumstances.
There are some types of personal data that are not special category data, but still have special rules that apply to them. You must familiarize yourself with these rules if you process these types of personal data.
The GDPR has special rules around processing criminal convictions data. The previous law, the Data Protection Directive, grouped criminal conviction data and special category data together as "sensitive data." The GDPR gives criminal conviction data its own set of rules, under Article 10.
Generally speaking, criminal conviction data may only be processed under the control of official authority. Other organizations can process it only where EU or Member State law authorizes them to, subject to appropriate safeguards.
For example, companies in specific industries must vet new staff hires by checking their criminal records. And journalists must be allowed to report on court hearings.
The GDPR delegates some responsibility for deciding the rules on criminal convictions data to EU Member States. Therefore, each EU country has its own laws regarding criminal convictions data.
The GDPR has special rules around processing the personal data of children, under Article 8.
Below a certain age, children are not considered capable of consenting to the processing of their personal data. Businesses offering online services (such as an app, social media platform, or website) directly to children, and relying on consent to do so, must obtain consent from the holder of parental responsibility.
The GDPR sets this age at 16 by default, but each EU country can lower it, to no younger than 13. For example, the UK's implementation of the GDPR, the Data Protection Act 2018, sets the age at 13.
So let's say you provide an online service that collects children's personal data. For children in the UK aged under 13, you need parental consent. For children in the UK aged 13 or older, you can get consent directly from the child. If you serve users across the EU, you need to apply the age that each Member State has chosen.
Whenever you're processing any type of personal data, you should consider the risks involved.
For example, location data isn't a type of special category data, but it's highly sensitive in some contexts. Your users wouldn't feel comfortable if your mobile app tracked all of their movements without their consent.
Credit card data isn't special category data either. But you need to treat it carefully to protect your users against fraud.
It's all about context. Consider how you can apply the GDPR's data processing principles (Article 5) whenever you're collecting or using any type of personal data. And for processing that is likely to result in a high risk to individuals, you must conduct a Data Protection Impact Assessment before you start.
You may already be processing special category data without having considered the implications.
For example, if you provide a mobile app, you could be collecting special category data in all sorts of ways. Here's what the European Union Agency for Network and Information Security has to say about this (at page 15 of the linked document):
Many things can fall under the definition of special category data: photos, information about relationships, and messages between users, to name a few. You might not realize that you're collecting special category data unless you think carefully about what sort of information you're accessing.
Facebook recognized the nature of this problem in 2018 when it brought in new restrictions around how third-party developers collect certain types of information on its platform:
Conducting a GDPR data audit will help you better understand what personal data your business processes.
It's obvious why health data is a type of special category data. But there are hundreds of apps and services that collect information about a person's workouts, wellbeing, and fitness. Are all of these apps processing health data?
The Article 29 Working Party (an official EU data protection advisory body) makes some useful points about health data.
Health data doesn't only mean "obvious" information about people's medical conditions. Health data can include information that, when combined with other information, tells you something about a person's health.
This sort of indirectly revealing data could include readings collected from sensors on smart devices, e.g. sleep trackers, step counters, and heart rate monitors.
The context is important. If your app only counts a user's steps, and the data is erased regularly, you might not be "processing health data." If your app collects data about several variables over a longer period, it could easily build up a very revealing profile of the user's health, and at that point you are processing special category data whether or not you intended to.
Bear in mind that if your users are allowed to contribute to your comments or posts to your website or app, this material could contain special category data.
Your users are volunteering this information to you. But you must still think carefully about how securely you're storing it, how regularly you're erasing it, and who can access it.
For more information about how to handle user-generated content, see our article on Legal Issues with User-Generated Content.
The GDPR opens Article 9 by stating that processing special category data "shall be prohibited." But in fact, Article 9(2) recognizes a number of conditions under which processing special category data is allowed. These conditions are often described as "exemptions" from this general ban.
You may be familiar with the concept of lawful bases for processing personal data under the GDPR. Every time you process any type of personal data, you need a good legal reason for doing so.
A lawful basis alone is not enough for special category data. You still need an Article 6 lawful basis, but on top of that you must also satisfy one of the separate conditions in Article 9(2).
There are ten conditions (Article 9(2)(a) to (j)) under which you might be allowed to process special category data. In each case, you must always act in accordance with the law, and you need to have assessed and safeguarded against the risks involved.
Depending on the context in which your business operates, you could rely on a number of these conditions when processing special category data. But the most relevant to most businesses will be condition (a): explicit consent.
One falsehood about the GDPR is that it requires consent for all processing of personal data. In fact, consent is only one of the six lawful bases for processing personal data.
Other lawful bases are also appropriate for certain business activities, most notably "contract" and "legitimate interests." However, neither contract nor legitimate interests appears among the Article 9(2) conditions, so, apart from specific conditions such as those for healthcare providers and not-for-profit bodies, you cannot rely on them for processing special category data.
Most businesses will already be relying on the lawful basis of consent for some of their business activities. For example, you must normally obtain consent for activities such as:
Consent under the GDPR is very strict. You must ensure that your users truly understand what they're consenting to.
The GDPR's definition of consent (Article 4(11), read with Article 7) can be broken down into six elements. Consent must be freely given, specific, informed, and unambiguous; it must be signalled by a statement or a clear affirmative action; and the person must be able to withdraw it at any time, as easily as they gave it.
Any time you seek consent, as you'll normally need to do when processing special category data, you need to do so in a way that complies with each of these six elements. Note that Article 9(2)(a) requires explicit consent, which is a higher bar than ordinary consent: the specific special category data and the purpose of the processing must be clearly stated, and the person must affirm them in express terms.
We're going to take a look at how Tinder requests consent to process special category data. Tinder processes a lot of special category data about people's religious beliefs, ethnicity, and, of course, their sexual orientation.
Tinder states that by choosing to provide the company with special category data during account setup, you consent to Tinder processing that data.
How does this match up against the GDPR's requirements?
Let's focus on that last point. Here's how Tinder allows its users to withdraw consent.
At setup, Tinder asks users about their sexual orientation. They can provide this information if they choose to do so. Within the Tinder app, users can deselect whatever options they chose:
This is a clear and simple way to withdraw consent.
Tinder's means of processing special category data during its account setup process does seem to be GDPR-compliant. Although users are not asked to tick a box to confirm their consent, they are still consenting via an unambiguous, affirmative action: the field is empty by default, and nothing is stored unless the user actively selects an option. Whether this also meets the explicit consent standard of Article 9(2)(a) depends on how clearly the purpose of the processing is stated at the point where the user makes that choice.
But remember that Tinder doesn't only process the personal data that appears on users' profiles. The messages that users send one another can also contain special category data. It's not clear how Tinder obtains specific consent to store these messages on its servers.
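The pattern described above, in which a special category field is empty until the user affirmatively selects a value and deselecting it withdraws consent, can be implemented as a small per-field consent ledger. The following is an added illustration written for this article, not Tinder's code or any particular library's API. It assumes an in-memory store, three hypothetical field names, and a purpose string recorded alongside each consent so that a later check can verify the consent is specific to the purpose being relied on.

```python
"""Per-field explicit-consent ledger for special category data (added example).

Assumptions (not from the original article): an in-memory profile store, the
hypothetical field names below, and one consent record per field per purpose.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

# Hypothetical set of fields treated as special category data in this app.
SPECIAL_CATEGORY_FIELDS = {"religion", "ethnicity", "sexual_orientation"}


@dataclass
class ConsentRecord:
    field_name: str
    purpose: str                      # the purpose text the user actually saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class Profile:
    user_id: str
    data: Dict[str, str] = field(default_factory=dict)
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)


def _now() -> datetime:
    return datetime.now(timezone.utc)


def record_optional_field(profile: Profile, field_name: str,
                          value: Optional[str], purpose: str) -> bool:
    """Store a special category field only on an explicit, affirmative opt-in.

    A None or empty value means the user skipped the question: nothing is
    stored and no consent is recorded, so there is no pre-ticked default.
    Returns True when a value and its consent were recorded.
    """
    if field_name not in SPECIAL_CATEGORY_FIELDS:
        raise ValueError(f"{field_name} is not tracked as special category data")
    if value is None or value == "":
        return False
    profile.consents[field_name] = ConsentRecord(field_name, purpose, _now())
    profile.data[field_name] = value
    return True


def withdraw_consent(profile: Profile, field_name: str) -> bool:
    """Withdrawal must be as easy as giving consent: deselecting the option
    records the withdrawal and erases the stored value in the same step.
    Returns False if there was no active consent to withdraw."""
    rec = profile.consents.get(field_name)
    if rec is None or not rec.active:
        return False
    rec.withdrawn_at = _now()
    profile.data.pop(field_name, None)
    return True


def may_process(profile: Profile, field_name: str, purpose: str) -> bool:
    """Allow processing only under an active consent whose recorded purpose is
    the one now being relied on (consent must be specific, not blanket)."""
    rec = profile.consents.get(field_name)
    return rec is not None and rec.active and rec.purpose == purpose


def consent_audit(profile: Profile) -> Dict[str, dict]:
    """What an audit needs: which fields were consented to, for what, when,
    and whether and when consent was withdrawn."""
    return {
        name: {
            "purpose": rec.purpose,
            "given_at": rec.given_at.isoformat(),
            "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None,
            "value_stored": name in profile.data,
        }
        for name, rec in profile.consents.items()
    }


if __name__ == "__main__":
    p = Profile("user-123")                       # constructed sample user
    record_optional_field(p, "sexual_orientation", "bisexual", "show on profile")
    record_optional_field(p, "religion", "", "show on profile")   # skipped
    print(may_process(p, "sexual_orientation", "show on profile"))     # True
    print(may_process(p, "sexual_orientation", "targeted advertising"))  # False
    withdraw_consent(p, "sexual_orientation")    # user deselects the option
    print(consent_audit(p))
```

The two checks worth keeping in mind are that `may_process` fails for a purpose the user never saw, so a consent collected for displaying a profile field cannot be reused for something else, and that `withdraw_consent` erases the value rather than merely flagging it, so a withdrawn field cannot linger in the store.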
Take special care whenever you're processing information that reveals someone's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, or sex life or sexual orientation.
Don't ask for this sort of information unless you really need it. And make sure you obtain explicit consent, or can point to another Article 9(2) condition, before you process it.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.