Special categories

The processing of "special categories" of personal data is prohibited unless an exception set out in Article 9(2) applies.

The 'special categories' are defined in Article 9(1)of the Applied GDPR. Recitals 51-54 of the Applied GDPR provide additional narrative on special category data.

Special categories include personal data revealing:

Before you start processing special category data you must be able to demonstrate that one of the exceptions to the prohibition on processing set out in Article 9(2) applies and, with the exception of "explicit consent", it is necessary to process that special category data.

In summary, the exceptions are:

You must complete a Data Protection Impact Assessment or ‘DPIA’ if the intended processing is likely to result in a high risk to the rights and freedoms of natural persons and if you intend to process special category data on a large scale.

Personal data relating to criminal convictions and offences is not classed as "special category data" but is separately defined in Article 10 of the Applied GDPR.  Any processing of such personal data, can only be carried out in accordance with Article 10, i.e. under the control of official authority or when authorised by Manx law or Union law applied to Island.

Controllers must be aware of the types of personal data they process and which of the relevant grounds for processing, or exception to the prohibition on processing, is being met.