We have recently had some issues with clients over how personal data should be dealt with; see some information below.
Personal data is any information relating to an individual, whether it relates to their private, professional or public life. It can be anything from a name, a photo, an email address, a person’s bank details, posts on social networking websites, medical information, work performance, subscriptions, purchases, tax number, education or competencies, location, username and password, hobbies, habits, lifestyle, or a person’s computer’s IP address. The GDPR applies when a person can be directly or indirectly identified by such data, or when a person can be uniquely singled out in a group of individuals.
Although the GDPR does not differentiate between types of personal data based on sensitivity, some types of personal data are clearly of a more sensitive nature than others. First of all, in several places the GDPR highlights personal data of children as a type of personal data that requires extra care. The ‘duty of care’ argument can also be made for other categories of vulnerable people, such as the elderly.
Also, data processing that poses a (high) risk to the rights and freedoms of the individual is considered extra sensitive, and therefore requires a data protection impact assessment to be carried out before the processing starts, as well as notification of data breaches to supervisory authorities and to the individuals concerned. Unfortunately, the GDPR does not contain a list of personal data that would fall into the category of ‘sensitive data.’ However, based on the guidelines of supervisory authorities regarding data breach notification and the classification of data in relation to data security, the following types of personal data should be regarded as having increased sensitivity:
- Special data (see next paragraph);
- Data relating to the financial or economic situation of an individual;
- Data that may lead to stigmatisation of or discrimination against the individual;
- Usernames, passwords, and other user credentials;
- Data which are protected by a legal or professional secrecy obligation, and
- Data that could be misused for identity fraud.
The GDPR identifies a number of categories of personal data as ‘special data.’ The GDPR contains a strict prohibition on processing such data unless a specific exemption, also set out in the GDPR, applies: for example, a narrowly described use case (such as employment law), a specific type of controller (such as a non-profit organisation), or the explicit consent of the individual. The data that fall into this category are:
- Data revealing racial or ethnic origin (for example, photos);
- Data revealing political opinions;
- Data revealing religious or philosophical beliefs;
- Data revealing trade-union membership;
- Genetic data;
- Data concerning health;
- Data concerning sex life, including sexual orientation; and
- Data related to criminal convictions, offences and related security measures.