Article 9 - Processing of special categories of personal data

Article 9 of the GDPR sets out the conditions for processing special categories of personal data. These special categories are the sensitive data of data subjects, namely:


“…racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation…”

As can be understood, the above is very personal and sensitive data: if it is hacked or made easily available, it could lead to serious repercussions for the data subject. Hence, the GDPR forbids the processing of this sensitive data in order to safeguard the privacy of data subjects.

However, there are a few exceptions, and processing is permitted in the following cases:

  1. Express consent given by the data subject:

If the data subject has agreed to the processing of his/her sensitive data, then it shall be permitted unless Union or Member State law forbids that kind of processing.

  2. Social security:

If Union or Member State law permits, sensitive data may be processed for the purposes of employment and social security law.

  3. Protection of vital interests:

In a humanitarian crisis, sensitive data can be processed, since the sole purpose is to protect the life and safety of the data subject. However, this route should be taken only when there is no other legal alternative.

  4. Processing carried out by an association, foundation or not-for-profit entity:

These entities can process sensitive data to carry out their activities, but must limit themselves to their members’ data. Such sensitive data shall not be shared with any third-party partners without the consent of the members.

  5. Sensitive data may also be processed when the data subject has made it public
  6. To defend, exercise or establish legal claims
  7. Public interest:

Public interest is a very wide term that covers many aspects of social life, such as national security, public health, social care, and historical or scientific research. It would also include processing of sensitive data by a political party for the better functioning of the democratic system, or processing by recognised religious communities.

The above gives a broad understanding of the exceptions to the prohibition on processing sensitive data. These exceptions give Member States leeway to allow many entities, especially the Government, to process the sensitive data of citizens on a large scale. But this does not mean that the fundamental rights of data subjects may be compromised in any manner, or that, in the name of public interest, liberties may be taken and volumes of data stored with or without their knowledge.

In today’s times, when hacking is so rampant, it remains to be seen how government and private entities will put in place the safeguards necessary to protect the sensitive data whose processing the data subjects have consented to.