Processing special categories of personal data

In the case of special categories of personal data, processing is basically not allowed under Article 9 of the GDPR, processing is only possible in the case of certain exceptional circumstances.

Such special categories of personal data are: -racial and ethnic origin -political opinion(s) -religious or philosophical belief(s) -genetic data -biometric data uniquely identifying a natural person -health data -data on sexual life -data concerning the sexual orientation of a natural person -union affiliation

Due to this particular prohibitive nature of Art. 9 GDPR, the sanctions for violations are much harsher. Processing is only made possible by certain opening facts under Art. 9(2) GDPR (see above). These include consent, protection of vital interests of the data subject, health care, public security and balancing of the public interest, as well as some other, rarer cases.

At this point, it should also be noted that the mere performance of a contract does not allow the processing of special personal data. The processing of political opinions is also unlikely to be enabled by the public health exception.

In most cases therefore the only permission left for the processing of special categories of personal data is the explicit consent of the data subjects.

Such consent is subject to extensive requirements. If you want to learn more about this, see our article on informed consent.

What do you have to consider when handling special categories of data?

It is essential to ensure that personal data from such special categories is kept secure and protected. Ideally, this data should be stored separately from the rest of the database and should also only be displayed after an additional authorization check of the users. It is also advisable to restrict access to such data so that only authorized users can access it at the right time.

What are authorized users?

Authorized users with access to patient data should only be employees who actually need to handle the data.

It should also be noted that this data must be shared, as access by physician assistants to other sensitive areas of the patient record for (purely) scheduling appointments is not necessary and should therefore also be prevented.

What does "at the right time" mean?

Employees who assist a physician require partial access to patient data and records from time to time. A good example of this is in the dental assistant profession, where access to patient records is required during treatment.

However, once treatment is completed, this access is no longer required, so it should not be possible for a dental assistant to access patient records after treatment is completed, as this would no longer be "timely."

Often-overlooked requirement for health records

An obligation often overlooked in this context arises from Art. 9(3) of the GDPR. This restricts the scope of persons for permissible processing activities under Art. 9(2)(h) of the GDPR (including for the processing of data for the purpose of health care/treatment in the health or social sector) to professional staff who are subject to professional secrecy or are otherwise bound to secrecy by national or European regulations.

This inevitably leads to an even more "sensitive category" of data below the already sensitive categories of Art. 9 GDPR.

You have questions about the special categories of personal data? Glasskube supports you with data control! Contact us right now.