< Back

Share |

Special data under the GDPR

November 2016

The new EU General Data Protection Regulation (GDPR) was recently adopted after over four years of negotiation. The GDPR will replace the current Data Protection Directive (DPD) and will be directly applicable in all Member States on 25 May 2018 without the need for implementing national legislation.

The main changes under the GDPR are: a reduction in notification requirements together with enhanced compliance obligations on controllers and processors in terms of security and protection of individuals’ rights and privacy.

Special data under the GDPR vs sensitive data under the DPD

With regard to special data, the changes appear, at first glance, to be minor. The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9 of the GDPR). These categories are broadly the same as those in the DPD, except that sensitive data now specifically includes; “genetic data” and “biometric data”, where processed “to uniquely identify a person”. Personal data relating to criminal convictions and offences are not included in those categories, but similar extra safeguards apply to their processing under the GDPR as are currently in effect under the DPD (see Article 10 of the GDPR).

Article 9.2 sets out the circumstances in which the processing of “special categories of personal data”, otherwise prohibited, may occur. These grounds largely replicate those under the DPD which are principally: the explicit consent of the data subject, the performance of specific contracts or processing for specific purposes (e.g. vital interest of an individual or public interest in the area of health, employment, social security, etc.).

Pursuant to these provisions, data controllers must be able to demonstrate that they have a legal basis for the processing of special data. However, the GDPR introduces a new requirement in its Article 35 to perform a Privacy Impact Assessment (PIA) when a type of processing is likely to result in a high risk to the rights and freedoms of data subjects. PIAs are mandatory in the case of large-scale processing of special categories of data (Article 35.3 (b) of the GDPR). Furthermore, Article 36.1 specifies that the data controller must consult the competent Data Protection Authority prior to starting the processing when the PIA indicates that such processing is likely to result in a high risk to individuals in the absence of measures taken by the data controller to mitigate such risk.

This means that under the GDPR, having a legal basis, such as the consent of the data subject, will no longer be sufficient to process special personal data in cases where the risk to individuals is high, unless the relevant Data Protection Authority sanctions the processing.

Health data

Of all the categories of special data, health-related information - very sensitive in nature - is of particular interest with the increasing use of big data analytics and new technologies in the health and 'wellness' sectors.

Here, the changes are more significant. It is to be noted that there are a number of exceptions to the restrictions on processing health data under Article 9.2, including where the processing is necessary for various medical assessments and where the processing is necessary for reasons of public interest in public health.

Also, Member States are entitled, under Article 9(4) GDPR, to maintain or impose further conditions (including limitations) in respect of genetic, biometric or health data. As such, existing differences in approach on these topics will likely be maintained, and further divergence across Member States will be permitted. France already has its own regime under which (i) the processing of health data requires a preliminary declaration or authorisation regime, and (ii) a very specific set of policies and regulation for organisations which host such data has been created.

The GDPR introduces a wide definition of health data: “Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test” (Recital 35). This new definition will help processors and controllers to identify whether the data they collect constitutes health data in order to implement adequate safeguards and document their records adequately.

All organisations processing special data will need to become well acquainted with the new EU data protection rules as well as relevant national law and review their existing policies, procedures, and practices to ensure compliance.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Special data under the GDPR
Diane Carpentier

Diane Carpentier      

Diane compares the GDPR's characterisation of special data with the Data Protection Directive's treatment of sensitive data.

"All organisations processing special data will need to become well acquainted with the new EU data protection rules as well as relevant national law, and review their existing policies, procedures, and practices to ensure compliance."