The processing of "special categories" of personal data is prohibited unless a ground for processing is met. The 'special categories' are defined in Article 9(1)of the Applied GDPR. Recitals 41-50 of the Applied GDPR provide additional guidance on sensitive personal data.
Special categories includes personal data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- health or sex life
- unique identity of a person by processing biometric or genetic data
The grounds for processing special categories of personal data are set out in Article 9(2) of the Applied GDPR and in summary are:
- explicit consent (unless law prohibits the processing and that prohibition cannot be overriden by the person)
- legal obligation on the controller in respect of employment, social security etc.
- protection of the vital interests of the data subject or another person where the data subject is legally or physically incapable of giving consent
- legitimate activities of a non-profit making organisation with a political, philosophical or trade-union aim
- the personal data is manifestly made public by the data subject
- necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
- substantial public interest (based on Manx law or Union law applied to the Island) which is proportionate to the aim pursued, respects the essence of the right to data protection and provides specific measures to protect the fundamental rights and freedoms of the data subject
- necessary for the purposes of preventative or occupational medicine, assessment of working capacity, medical diagnosis, provision of health or social care or treatment or the management of health and social care systems and services (on the basis of Manx law or Union law applied to Island)
- public health (on the basis of Manx law or Union law applied to Island)
- archiving in the public interest, research and statistics(on the basis of Manx law or Union law applied to Island).
Personal data relating to criminal convictions and offences is not classed as "special categories" but is separately defined in Article 10 of the Applied GDPR. Any processing of such personal data, can only be carried out in accordance with Article 10, i.e. under the control of official authority or when authorised by Manx law or Union law applied to Island.
Controllers must be aware of the types of personal data they process and which of the relevant grounds for processing is being met as this will impact on the