GDPR compliance and categories of personal data

The GDPR frames the processing of personal data in such a way as to ensure the protection of data subjects' privacy: thus, there are certain data processing operations, which, due to their particularly sensitive nature, are strictly prohibited.

This is what we're going to find out in this new blog post: what data do organisations not have the right to process? Are there any exceptions to these prohibited data processing operations?

So-called "sensitive" personal data

The GDPR distinguishes between 'standard' personal data and so-called 'sensitive' personal data. This sensitive personal data is characterised by the impact of a potential data breach.

Thus, the greater the impact of a data breach on the privacy of data subjects, the more sensitive this data is considered to be.

Let's take an example.

Your first and last name are personal data, but they are not considered sensitive. If this data were to lose its confidentiality, integrity or availability, the impact on your privacy would be minimal!

However, your health data is considered sensitive personal data. If your health information were to lose its integrity, confidentiality or availability, the impact on your privacy would be enormous, and so would the potential risks to which you would be exposed!

This is what distinguishes sensitive data from "non-sensitive" data: in the event of a data breach, the greater the impact on people's privacy, the more sensitive the data is considered to be, and the greater the protection afforded to it.

Not all data is suitable for processing

Certain types of personal data processing are therefore considered "at risk", given the sensitive nature of the information processed:

• Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership.

• Processing of genetic or biometric data, for the purpose of uniquely identifying a natural person.

• Health data or data concerning sex life or sexual orientation.

It is therefore strictly forbidden to process personal data with the above-mentioned high-risk personal data.

There are, however, certain exceptions that allow us to process these rather special types of personal data.

Special categories of personal data: exceptions

Thus, the prohibition on processing this slightly unusual personal data does not apply when at least one of the following conditions is met:

• The data subject has given their explicit consent to the processing of their personal data for one or more specific purposes. However, there are also certain contexts in which the data subject's consent cannot lift the prohibition set out above.

• The processing of data is necessary for the performance of the obligations and exercise of the rights of the controller or the data subject in matters of employment law, social security or social protection.

• Processing is necessary in order to protect the vital interests of the data subject or of another natural person (where the data subject is physically or legally incapable of giving consent).

• The data is processed (in the context of legitimate activities and subject to appropriate safeguards) by a foundation, association or any other non-profit-making body with a political, philosophical, religious or trade union purpose. In this case, data processing may only relate to members or former members of the said organisation, or to persons who have regular contact with it. Under no circumstances may this personal data be communicated outside this organisation without the consent of the persons concerned.

• Processing is necessary for the establishment, exercise or defence of legal claims, or whenever the courts act in their judicial capacity.

• Processing is necessary for reasons of substantial public interest.
  

• The processing is necessary for the purposes of preventive medicine or occupational medicine, the assessment of a worker's capacity to work, medical diagnosis, health or social care, or the management of health or social care systems and services.

• Processing is necessary for reasons of public interest in the field of public health.
  

• The processing is necessary for archival purposes in the public interest, for scientific research, for historical or statistical purposes.
  

Member States may also maintain or introduce additional conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Personal data relating to criminal convictions and offences

The processing of personal data relating to criminal convictions and offences or related security measures is subject to Article 6 (1) of the GDPR, the article relating to the lawfulness of the processing of personal data.

For more details on what is required for the lawful processing of personal data, please read more in our blog post on the subject.

The processing of this slightly unusual personal data may only be carried out under the supervision of the public authority, or if the processing is authorised by Union law or by the law of a Member State, which provides appropriate safeguards for the rights and freedoms of the data subjects. The complete register of criminal convictions may only be kept under the supervision of the public authority.

Treatments that do not require identification

Where the purposes for which personal data are processed do not (or no longer) require the controller to identify a data subject, the controller is not required to keep, obtain or process additional information in order to identify the data subject, for the sole purpose of complying with this Regulation.

Where this is indeed the case, the controller is able to demonstrate that it is unable to identify the data subject, and must therefore inform the data subject where possible.

To conclude

Not all personal data is accorded the same degree of importance: by its very nature, some personal data is considered to be particularly sensitive. Sensitive data (i.e. data relating to genetic, biometric, religious or political information, etc.) is therefore subject to enhanced protection. The processing of this very specific type of personal data is therefore strictly regulated, and it is only permitted to process such data in very specific circumstances.

Related blog posts:

• GDPR: purpose and objectives

• GDPR : who is concerned?

• The GDPR and the principles relating to the processing of personal data

• Legality of personal data processing: the different legal bases

• Register of personal data processing: what does the CNIL say?

• GDPR: Conditions applicable to consent and its exceptions

Did you enjoy this blog post?

Find more content related to cybersecurity and GDPR regulatory compliance on the CyberSecura blog!

We need your answers!

By completing this survey, you will help us to better understand your interactions with our site and your potential needs.

Your answers are anonymous, and unless you ask to be contacted again by our teams, no personal information will be asked of you!

Thank you for your responses!

Would you like to be informed of our news and receive our latest blog articles directly in your mailbox? Subscribe to our monthly newsletter!

Would you like to discuss your difficulties, your needs, our offers? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts!