Processing special categories of data (i.e. sensitive data) in accordance with European Data Protection Law
Council of Europe (CoE) law leaves it to domestic law to lay down appropriate protections for using sensitive data, provided the conditions of Article 6 of Modernized Convention 108 are fulfilled, namely that appropriate safeguards complementing the other provisions of the Convention are enshrined in law. European Union (EU) law (acquis communautaire), especially Article 9 of the GDPR, contains a detailed regime for processing special categories of data (also called ‘sensitive data’). These are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership, as well as genetic and biometric data processed for the purposes of uniquely identifying a natural person, and data concerning health, a person’s sex life or sexual orientation. The processing of sensitive data is prohibited in principle. (Former Data Protection Directive 95/46/EC, Art. 7 (f), now General Data Protection Regulation, Art. 9 (1).)
There is, however, an exhaustive list of exemptions to this prohibition, which can be found in Article 9 (2) of the regulation and which amount to lawful grounds for processing sensitive data. These exemptions include situations where:
➢ the data subject explicitly consents to the data processing;
➢ processing is carried out by a non-profit body with political, philosophical, religious or trade union purposes in the course of its legitimate activities and only relates to its (former) members or to persons who have regular contact with it for such purposes;
➢ processing concerns data explicitly made public by the data subject;
➢ processing is necessary:
  - to carry out the obligations of, and to exercise the specific rights of, the controller or of the data subject in the employment, social security and social protection context;
  - to protect the vital interests of the data subject or another natural person (when the data subject cannot give consent);
  - to establish, exercise or defend legal claims or when courts act in their judicial capacity;
  - for preventative or occupational medicine purposes: “for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional”;
  - for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  - for public interest reasons in the area of public health; or
  - for substantial public interest reasons.
A contractual relationship with the data subject is thus not viewed as a legal basis for the legitimate processing of special categories of data, except for a contract with a health professional subject to the obligation of professional secrecy.
Explicit consent of the data subject
Under EU law, the first possible ground for lawful processing of any data, irrespective of whether they are non-sensitive or sensitive data, is the consent of the data subject. In the case of sensitive data, such consent must be explicit. Union or Member State law may, however, provide that the prohibition on processing special categories of data may not be lifted by the individual. This could be the case, for example, when processing involves unusual risks for the data subject.
Employment law or social security and social protection law
Under EU law, the prohibition of Article 9 paragraph 1 can be lifted if the processing is necessary for carrying out obligations or rights of the controller or the data subject in the field of employment or social security. However, the processing needs to be authorized by EU law, national law or a collective agreement under national law, which provide appropriate safeguards for the fundamental rights and interests of the data subject. Employment records held by an organization may include sensitive personal data under certain conditions specified in the GDPR and relevant national law. Examples of sensitive data may include trade union membership or health information.
Vital interests of the data subject or another person
Under EU law, as in the case for non-sensitive data, sensitive data may be processed because of the vital interests of the data subject or another natural person. Where processing is based on the vital interests of another person, this legitimate ground may only be invoked if such processing “cannot be manifestly based on another legal basis” (ultima ratio). In some cases, processing personal data may protect both individual and public interests, for instance when processing is necessary for
For the processing of sensitive data to be legitimate on this basis, it would have to be impossible to ask the data subject for consent, because, for example, the data subject was unconscious or was absent and could not be reached. In other words, the person was physically or legally incapable of giving consent.
Charities or not-for-profit bodies
Processing personal data is also allowed in the course of the legitimate activities of foundations, associations or other non-profit-seeking bodies with a political, philosophical, religious or trade union aim. However, the processing must relate solely to the members or former members of the body, or to those who have regular contact with the body. The sensitive data cannot be disclosed outside of those bodies without the data subject’s consent.
Data manifestly made public by the data subject
Article 9 (2) (e) of the GDPR provides that processing is not prohibited if it relates to data which are manifestly made public by the data subject. Even though the meaning of “manifestly made public by the data subject” is not defined in the regulation, since it is an exception to the prohibition on processing sensitive data, it must be construed strictly and as requiring the data subject to deliberately make his or her personal data public. Thus, where a television channel broadcasts a video taken from a video surveillance camera, showing, among other things, a firefighter getting injured trying to evacuate a building, it cannot be considered that the firefighter has manifestly made public the data. On the other hand, if the firefighter decides to describe the incident and publish the video and photos on a public internet page, he or she would have made a deliberate, affirmative act to make the personal data public. It is important to note that making one’s data public does not constitute consent, but it is another permission for processing special categories of data.
The fact that the data subject has made public the processed personal data does not exempt controllers from their obligations under data protection law. For instance, the principle of purpose limitation continues to apply to personal data even if such data have been made publicly available.
The processing of special categories of data which “is necessary for the establishment, exercise or defense of legal claims”, whether in court proceedings or in an administrative or out-of-court procedure, is also allowed under the GDPR. In this case, processing must be relevant to a specific legal claim and its exercise or defense respectively, and may be requested by any one of the disputing
When acting in their judicial capacity, courts may process special categories of data within the context of resolving a legal dispute. Examples of special categories of data processed in this context could include genetic data when establishing parentage, or health status when part of the evidence concerns details of an injury sustained by a victim of crime.
Reasons of substantial public interest
According to Article 9 (2) (g) of the GDPR, Member States may introduce further circumstances in which sensitive data may be processed, as long as:
- processing data is for reasons of substantial public interest;
- it is provided for by European or national law;
- the European or national law is proportionate, respects the right to data protection and provides suitable and specific measures to safeguard the rights and interests of the data subject.
A prominent example is electronic health file systems. Such systems permit health data, collected by health care providers in the course of treating a patient, to be made available to other health care providers of this patient on a large scale, usually nationwide.
The Article 29 Working Party concluded that the establishment of such systems could not occur under existing legal rules for processing data about patients. However, it is possible for electronic health file systems to exist if they are based on “reasons of substantial public interest”. This would require an explicit legal basis for their establishment, which would also contain the necessary safeguards to ensure that the system is protected by appropriate data security tools.
Other grounds for processing of sensitive data
The GDPR provides that sensitive data can be processed where processing is necessary for:
- preventative or occupational medicine purposes, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of EU or Member State law, or pursuant to a contract with a health professional;
- reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or Member State law. The law must provide for suitable and specific measures to safeguard the rights of the data subject;
- archiving, scientific or historical research or statistical purposes on the basis of Union or Member State law. The law must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard the rights and interests of the data subject.
One particular decision of the European Court of Human Rights (ECtHR) can be given as an example in this context. In Y v. Turkey (ECtHR, No. 648/10, 17 February 2015), the applicant was HIV positive. As he was unconscious during his arrival at the hospital, the ambulance crew informed the hospital staff that he was HIV positive. The applicant argued before the ECtHR that the disclosure of this information had violated his right to respect for private life. The ECtHR especially mentioned the possibility of profiling and discrimination with regard to HIV positive people and reiterated its established case law concerning personal data protection. However, given the need to protect the safety of the hospital staff, sharing the information was not regarded as a breach of his rights as long as appropriate security measures are taken and only medical professionals who are supposed to use relevant information have access to the patient’s health data.