If you’d like to discuss the GDPR and how it impacts your business, get in contact.

The General Data Protection Regulation (GDPR) of the European Union (EU) has been shaking up the web in terms of privacy policies and procedures for some time now — I have written at some length on the general best practices for a GDPR compliant privacy policy and the potential “loophole” of the legitimate interests exception.

The GDPR requires a heightened level of protection for certain sensitive data categories. The categories are:

• Health Data (including genetic data);

• Biometric data;

• Trade union memberships;

• Political opinions;

• Religious or philosophical beliefs;

• Race and ethnicity; and

• Data related to sexual preference or orientation.

The directive takes a policy position that these particular data are of a uniquely sensitive nature and, thus, a business must have a specific, legitimate reason for collecting the individual data type.

The GDPR restricts the collection and processing of the data unless one of the following circumstances are met:

• The data subject has given explicit consent for the collection or processing of that particular data AND the EU or the Member State of the data subject has not explicitly prohibited the collection or processing of that data type;

• Processing is necessary for carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment, social security, and social protection law;

• Processing is necessary to protect the vital interests of the data subject or another natural person;

• Processing is carried out in the course of the legitimate activities of a foundation, association, or other not-for-profit body with a political, philosophical, religious or trade union aim;

• Processing relates to personal data which is made public by the data subject — i.e. a published materials exception;

• Processing is necessary for the exercise or defense of legal claims;

• There is a substantial public interest in the data;

• Processing is necessary for public health; AND

• Processing is necessary for archiving purposes as it relates to subjects with a substantial public interest — i.e. an historical record exception.

Importantly, these special categories are not exhaustive, and act more as a floor than a ceiling — individual member states can define other categories of data as being “special categories” for purposes of data collection and processing. Care must be taken to not only ensure compliance with the EU through the GDPR, but to ensure you are compliant with any individual member state laws, when your business entails handling especially sensitive data.

Please get in touch if you want to discuss any of the ramifications for your business.