Processing sensitive data under the GDPR and D-DPA
With this newsletter, we aim to provide a practical overview of the most relevant differences between the General Data Protection Regulation (GDPR) and the draft revision of the Swiss Data Protection Act (D-DPA), which is still subject to debate.
In our previous article, we discussed the right to data portability under the GDPR and D-DPA. This article focusses on the processing of so-called ‘sensitive data’ under both frameworks.
Processing sensitive data under the GDPR
Sensitive data are referred to as ‘special categories of data’ in the terminology of the GDPR, and include the following types of personal data:
- data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership;
- genetic or biometric data; and
- data concerning health, sexuality or sexual orientation.
The GDPR generally prohibits the processing of sensitive data, except in cases in which the data subject has granted explicit consent, the personal data being processed are manifestly made public by the data subject, or the processing is necessary for any of the following reasons:
- to protect the vital interests of a natural person when the data subject concerned is unable to grant consent;
- in the course of legitimate activities (subject to appropriate safeguards) of a not-for-profit body with a political, philosophical, religious or trade union aim, provided that this body processes sensitive data solely of its members, former members or persons who have regular contact with it in connection with its purposes, and that it does not disclose these data to any third party without the consent of the data subjects concerned;
- for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity; and
- for medical purposes based on a contract with a health professional, provided that the data are processed by a person who is subject to the obligation of professional secrecy.
The processing of personal data relating to criminal convictions and offences (so-called ‘criminal data’) is even more strictly regulated than the processing of sensitive data and may occur only under the control of an official authority or when the processing is authorised by EU or member states’ law.
With regard to the processing of sensitive data, the GDPR gives EU member states some flexibility by leaving room for some specific national rules (so-called ‘opening clauses’). As such, EU member states may prohibit the processing of sensitive data based on data subjects’ consent and introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or health-related data. Furthermore, member states may enact national rules (in addition to EU law) allowing the processing of sensitive data:
- in the fields of employment, social security or social protection law;
- for reasons of substantial public interest;
- for medical purposes, including management of healthcare and the assessment of employees’ working capacity, provided that the processing is effectuated by a person who is subject to the obligation of professional secrecy;
- in the interest of public health, such as protecting against serious cross-border health threats or counterfeit medicine; or
- for archiving purposes in the public interest, or for scientific or historical research or statistical purposes.
If sensitive data are processed based on one of the exceptions above, the following consequences may apply:
- There are additional limitations in the case of automated individual decision-making.
- Controllers and processors located outside the EU that fall within the scope of the GDPR lose any possibility of exemption with respect to the appointment of a representative in the EU if they process sensitive data on a large scale.
- Controllers and processors lose any possibility of exemption with respect to the records of processing activities if they process sensitive data on a large scale.
- The processing of sensitive data on a large scale triggers the obligation to conduct a data protection impact assessment.
- If the core activity of the controller or processor consists of processing sensitive data on a large scale, then the controller or processor has the obligation to designate a data protection officer.
Processing sensitive data under the D-DPA
The definition of sensitive data under the D-DPA is similar to the one under the GDPR (see our glossary for more details). However, the D-DPA does not provide for any general prohibition of the processing of sensitive data. Instead, the processing of sensitive data may lead to the following consequences:
- If consent of data subjects is used as justification for the processing, such consent must be given explicitly.
- Processing sensitive data on a large scale triggers the obligation to conduct a data protection impact assessment.
- A breach of privacy occurs any time sensitive data are disclosed to third parties. In such cases, the processing may be lawful only if it is based on explicit consent of the data subject concerned, or on an overriding private or public interest, or if the processing is provided for by law.
- Certain limitations apply to the possibility for the controller or processor to invoke an overriding private interest in order to justify the processing.
Comply with the highest standards
When dealing with sensitive data, the safest approach is to comply with the highest standards of both the GDPR and the D-DPA.
Organisations should therefore:
- Make sure that their employees are aware that special rules apply in connection with the processing of sensitive data.
- Generally avoid processing any sensitive data, and ensure their employees do the same.
- If the processing of sensitive data is absolutely necessary, organisations must check whether an exception to the general prohibition of processing is provided by the GDPR and/or by EU member states’ law. In any case, organisations must minimise such processing activities as much as possible and take all possible measures to ensure the security of the processing.
- Remember that special rules may apply to or be triggered by the processing of sensitive data, including with respect to the consent of data subjects, the appointment of a representative or data protection officer, automated individual decision-making, or data protection impact assessments.
- Keep in mind that, due to the opening clauses of the GDPR, certain rules may vary from one EU country to another.