The processing of "special categories" of personal data (previously known as sensitive data) is prohibited unless a ground for processing is met.
Special categories include personal data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- health or sex life
- the unique identity of a person, through the processing of biometric or genetic data
The grounds for processing are set out in Article 9 of the GDPR and in summary are:
- explicit consent (unless law prohibits the processing and that prohibition cannot be overridden by the person)
- legal obligation on the controller in respect of employment, social security etc.
- protection of the vital interests of the data subject or another person where the data subject is legally or physically incapable of giving consent
- legitimate activities of a non-profit making organisation with a political, philosophical or trade-union aim
- the personal data is manifestly made public by the data subject
- necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
- substantial public interest (based on a Union or State law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides specific measures to protect the fundamental rights and freedoms of the data subject)
- necessary for the purposes of preventive or occupational medicine, assessment of working capacity, medical diagnosis, provision of health or social care or treatment, or the management of health and social care systems and services, on the basis of Union or State law
- public health (on the basis of Union or State law)
- archiving in the public interest, research and statistics.
Processing of personal data relating to criminal convictions and offences may only be carried out under the control of official authority or when authorised by Union or State law. (A new and separate EU Data Protection Directive applies to the processing of such personal data.)
Recitals 41-50 of the GDPR provide additional guidance on sensitive personal data.