The processing of "special categories" of personal data is prohibited unless an exception set out in Article 9(2) applies.
The 'special categories' are defined in Article 9(1)of the Applied GDPR. Recitals 51-54 of the Applied GDPR provide additional narrative on special category data.
Special categories include personal data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- health or sex life
- unique identity of a person by processing biometric or genetic data
Before you start processing special category data you must be able to demonstrate that one of the exceptions to the prohibition on processing set out in Article 9(2) applies and, with the exception of "explicit consent", it is necessary to process that special category data.
In summary, the exceptions are:
- explicit consent (unless law prohibits the processing and that prohibition cannot be overridden by the person)
- legal obligation on the controller in respect of employment, social security etc.
- protection of the vital interests of the data subject or another person where the data subject is legally or physically incapable of giving consent
- legitimate activities of a non-profit making organisation with a political, philosophical or trade-union aim
- the personal data is manifestly made public by the data subject
- necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
- substantial public interest (based on Manx law or Union law applied to the Island) which is proportionate to the aim pursued, respects the essence of the right to data protection and provides specific measures to protect the fundamental rights and freedoms of the data subject
- necessary for the purposes of preventative or occupational medicine, assessment of working capacity, medical diagnosis, provision of health or social care or treatment or the management of health and social care systems and services (on the basis of Manx law or Union law applied to Island)
- public health (on the basis of Manx law or Union law applied to Island)
- archiving in the public interest, research and statistics(on the basis of Manx law or Union law applied to Island).
You must complete a Data Protection Impact Assessment or ‘DPIA’ if the intended processing is likely to result in a high risk to the rights and freedoms of natural persons and if you intend to process special category data on a large scale.
Personal data relating to criminal convictions and offences is not classed as "special category data" but is separately defined in Article 10 of the Applied GDPR. Any processing of such personal data, can only be carried out in accordance with Article 10, i.e. under the control of official authority or when authorised by Manx law or Union law applied to Island.
Controllers must be aware of the types of personal data they process and which of the relevant grounds for processing, or exception to the prohibition on processing, is being met.