Special category personal data

encompasses personal data that reveals the following:

  • race
  • ethnic origin
  • political opinion
  • religious or philosophical beliefes
  • trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation.

GDPR Article 9 prohibits any data processing of special category personal data unless the data controller can meet one or more conditions in addition to having an appropriate legal basis for the data processing.

Conditions for processing special category personal data

The data subject has given explicit consent to the processing of those personal data for one or more specified purposes (except where this right is superceded by either EU or Member State law)

Close

Where the processing of special category personal data is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

Close

Where the processing of special category personal data is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

The data processing must be:

  • authorised by EU or Member State law or a collective agreement pursuant to Member State law
  • provide for appropriate safeguards for the fundamental rights and the interests of the data subject.
Close

Where the processing of special category personal data is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.

Close

Where the processing of special category personal data is carried out in the course of its legitimate activities by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim.

The data processing must:

  • have appropriate safeguards in place
  • relate solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and
  • the personal data must not be disclosed outside that body without the consent of the data subjects.
Close

Where the data subject has already manifestly made the data public.

Close

Where the processing of special category personal data is necessary for reasons of substantial public interest, on the basis of EU or Member State law.

The data processing must be:

  • proportionate to the aim pursued
  • respect the essence of the right to data protection and
  • provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Close

Where the processing of special category personal data is necessary for the purposes of:

  • preventive or occupational medicine
  • for the assessment of the working capacity of the employee
  • medical diagnosis
  • the provision of health or social care or treatment
  • the management of health or social care systems and services

The processing must be:

  • supported by either EU or Member State law or be pursuant to contract with a health professional
  • the personal data  are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under EU or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

Member States may also maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

In Ireland, the following new Regulations govern the processing of personal data for  health research purposes specifically:

  • Data Protection Act 2018 (Suitable and Specific Safeguards for the Processing of Personal Data for Health Research) Regulations 2018 (referred to in these webpages as the Health Research Regulations 2018)
Close

Where the processing of special category personal data is necessary for:

  • archiving purposes in the public interest
  • scientific or historical research purposes or
  • statistical purposes.

The processing must be:

  • in accordance with GDPR Article 89(1)
  • based on EU or Member State law
  • proportionate to the aim pursued
  • respect the essence of the right to data protection
  • provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

 

In Ireland, the following new Regulations govern the processing of personal data for health research purposes specifically:

  • Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (referred to in these webpages as the Health Research Regulations 2018)
Close

Where the processing of special category personal data is necessary for reasons of public interest in the area of public health

For example,

  • Protecting against serious cross-border threats to health or
  • Ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

The data processing must:

  • Have a basis in EU or Member State law
  • Must provide for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
Close
Where can I find 'special category of personal data' in GDPR and in Irish legislation?

GDPR Article 9 and recitals 51, 52, 53, 54

The Data Protection Act 2018 Chapter 2.

Disclaimer

This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.

It is intended to be general guidance for educational and informational purposes only.

It is not legal advice.