Commentary on art. 9

GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

Processing of special categories of personal data

  • The GDPR prohibits the processing of special categories of personal data, such as data revealing the data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, etc. It also prohibits the processing of genetic and biometric data for the purpose of uniquely identifying a person, as well as data concerning health, sexuality or sexual orientation.
  • The catalogue of special categories of personal data covers a wide range of types of personal data that are not defined in the GDPR, and which may in practice refer to different information. The way in which the different types of data are described in the catalogue may also raise questions as to what information is actually involved.
  • However, the processing of the above categories of data is permitted if one of the conditions set out in GDPR Article 9(2) is met.

What are special categories of personal data?

GDPR Article 9 concerns the processing of so-called special categories of data. GDPR Article 9(1) contains a closed catalogue of the types of data that constitute special categories. This catalogue covers very different types of personal data that are not defined in the GDPR and that may in practice relate to different information. The way in which the different types of data are described in the catalogue may also raise questions about what information is actually covered. Below, we briefly discuss the types of data listed in GDPR Article 9(1), together with a reference to selected issues of interpretation.

Type of information

Comment

Personal data revealing racial origin

The processing of this type of data occurs whenever information is processed that attributes certain individuals to a particular race (in particular, on the basis of skin colour or physical features).

Such processing may also occur when the racial origin of a person is indirectly attributed, i.e. it reveals or identifies the racial origin of a person without explicitly mentioning it.

Personal data revealing ethnic origin

The processing of this type of data occurs whenever information is processed that attributes to certain persons a membership of an ethnic group, mainly information on “nationality” in the broadest sense, i.e. a subjective feeling of the data subject with regard to his or her national identity. Such processing may also occur when this membership is indirectly attributed to the person or can be inferred from the information concerned.

Conversely, the processing of information relating to nationality in the legal sense, i.e. the possession of an identity document issued by the State concerned, does not constitute the processing of special categories of data.

Personal data revealing political views

Processing of this type of data occurs in any situation where information about a person's “political views” is processed. The lack of a definition of “political views” may make the concept very broad and may give rise to important questions of interpretation. Indeed, in the colloquial sense that should be applied in the absence of a legal definition, “political views” may encompass very different information.

In particular, it appears that this type of information may include:

  • Information about voting preferences, such as the political party or politician with whom the data subject sympathises;
  • Information about political party membership (although doctrine presents different views in this respect – see, for example, P. Fajgielski [in:] Commentary to Regulation No. 2016/679 on the protection of individuals in relation to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd edition, Warsaw 2022, Article 9);
  • Information on how the data subject voted in an election or referendum.

However, it is debatable whether a person's opinion on a specific governmental or public matter, e.g. a law or regulation, or information about a person's participation in a march, demonstration or political rally, can be considered as “information revealing political views”. Nonetheless, such an interpretation cannot be ruled out. Nor can it be ruled out that such information should also be treated as information about the person's worldview - see below.

Personal data revealing religious beliefs

Processing of this type of data occurs in any situation where information about religious beliefs or information that may reveal such beliefs is processed. This type of information includes any data that can be directly attributed to a person's religious beliefs, such as membership of a particular church or religious denomination (whether in a general form, such as “Christian”, “Muslim” or “Buddhist”, or in a more specific form, such as indicating that someone is a member of a particular religious organisation).

Information about a person's religious practices, such as celebrations, active participation in religious rituals, prayers or fasting, also appears to be of this type. On the other hand, information about the mere fact of visiting temples or places of worship (e.g. documented in the form of photographs) is not necessarily equivalent to information revealing religious beliefs.

In addition, it appears that religious beliefs may be disclosed both in the case of information on membership of churches or religious organisations with a formal structure that exist in Poland in a legal sense (including those entered in the Register of Churches and Other Religious Associations) and those that are generally recognised, and in the case of information on religious beliefs relating to denominations that do not have a legal existence in Poland in the form of a church or religious organisation (for example, Jediism or Rastafarianism), provided that they can be classified as “religions” or “beliefs” in the colloquial sense of the word, especially if they have such an attribute under the laws of other EU Member States.

Personal data revealing philosophical beliefs

Processing of this type of data occurs in any situation where information revealing philosophical beliefs is processed. The dictionary definition of the word ‘worldview’ is a set of someone's views on the world and on life that influence his or her behaviour (see the PWN Polish Language Dictionary available at www.sjp.pwn.pl).

In theory, therefore, any information that reveals a set of views about the world and about a person's life that influence that person's behaviour is special category data. Such an understanding leads to what may be a very broad perception of the concept. For example, can the information that a particular person has a ‘healthy lifestyle’ or adheres to the principle of ‘seize the day’ or is an advocate of stoicism be considered as information that reveals a worldview? What about the information in a cover letter that the candidate for a given job is always smiling and has an optimistic approach to work, the world and people? It seems unlikely that this is a special category of data, as a worldview is a “set of views” and not individual views or opinions on selected areas of life. However, a different interpretation cannot be ruled out, depending primarily on the context of the case and the assessment of the totality of the information.

Personal data revealing trade union membership

Processing of this type of data occurs in any situation where information revealing trade union membership is processed, even indirectly.

Whether an organisation is a ‘trade union’ and whether a person is a member of a trade union should be assessed, for the purposes of this provision, on the basis of the provisions of collective labour law.

Genetic data

Processing of this type of data occurs whenever information is processed concerning a person’s inherited or acquired genetic characteristics which reveal unique information about that person's physiology or health and which is obtained in particular from the analysis of a biological sample taken from that person, in particular (according to GDPR Recital 34) chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

From a practical point of view, it is important to note that in order to generate genetic data within the meaning of the GDPR, it is in principle necessary to first analyse biological samples of an individual (e.g. saliva, epidermis, hair, semen) and to record the result of the analysis in such a way that it contains information about the inherited or acquired genetic characteristics of the individual that reveal unique information about his or her physiology or health.

Biometric data

Processing of this type of data occurs whenever information about an individual is processed, which results from specific technical processing and relates to the physical, physiological or behavioural characteristics of that individual and permits or confirms the unambiguous identification of that person, such as a facial image or dactyloscopic data.

From a practical point of view, it is important to note that, in principle, for biometric data to be created within the meaning of the GDPR, both of the following must be true:

  • Personal data of a specific individual relating to his or her physical characteristics (e.g. facial features, fingerprints, retina), physiological characteristics (i.e. relating to bodily processes) or behavioural characteristics (e.g. relating to his or her behaviour, such as the way he or she moves or speaks) have been technically processed beforehand;
  • Such processing has enabled or confirmed the unambiguous identification of that person.

Importantly, according to GDPR Recital 51, “The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.”

Health data

Processing of this type of information occurs in any situation where information about the physical or mental health of an individual is processed, including the use of health services that reveal information about the individual's state of health.

As the jurisprudence points out, “such a definition is a broad view of health data, as it includes not only information about a person's physical or mental health (e.g. information about what disease a person suffers from), but also information about the use of health services (e.g. doctor visits, medical services, prescribed medication, etc.)” (see P. Fajgielski [in:] Commentary to Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd edition, Warsaw 2022, Article 4).

It seems that the following information should also be considered as health data:

  • Information on addictions (for example, see P. Fajgielski [in:] Commentary to Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (General Data Protection Regulation), [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd edition, Warsaw 2022, Article 4);
  • Information about past and present illnesses or diseases or health disorders (e.g. miscarriages, mechanical injuries), insofar as they affect the person's state of health;
  • Information about past medical treatments, including, for example, operations;
  • Information about the person's vaccinations.

Information on sexuality

Processing of this type of information occurs in any situation where information about a person's sexuality is processed. However, it is not clear what ‘sexuality’ means in this provision.

The word ‘sexual’ in everyday language means related to sex and the satisfaction of the sex drive (see the PWN Polish Language Dictionary available at www.sjp.pwn.pl). Such an understanding of the term ‘sexuality’ would mean that “information on sexuality” would be primarily data on the satisfaction of the sexual drive by the given person. However, it seems that, if the EU legislator had wanted to include information on sex among the special categories of personal data, it would have explicitly and directly mentioned such data in the catalogue of information referred to in GDPR Article 9(1). Therefore, it should be assumed that ‘information on sexuality’ is primarily data relating to the satisfaction of the person's sexual drive. However, even with this clarification, the concept of sexuality is still open to different interpretations. Does data on sexuality include information about the person's sexual practices and preferences (apparently it does), about sexual activity in general, e.g. frequency of intercourse or sexual abstinence (apparently it does), or about a person's sexual partners (apparently not quite)? It is impossible to answer the above questions unequivocally, especially as the answers may vary depending on the context of the information in question.

Data on sexual orientation

Processing of this type of data occurs whenever information is processed that attributes a particular sexual orientation to an individual, regardless of the nature of that orientation. Sexual orientation appears to be understood as information about which sexes or, in certain circumstances, groups of people with certain characteristics are sexually attractive to the individual.

An example of this type of information, the processing of which is prohibited, is information about homosexuality or bisexuality.

These challenges of interpretation, combined with the prohibition on processing special categories of data, mean that in practice:

  • A detailed analysis is recommended in each case where the processing of special categories of personal data is potentially possible, in order to organise the processing properly and to minimise the legal risks associated with such processing;
  • Whenever there is unresolved doubt as to whether a particular process involves the processing of special categories of personal data, a precautionary approach is recommended and the process should be treated as involving the processing of special categories of data.

Prohibition on processing special categories of personal data

The GDPR prohibits the processing of personal data that reveals racial or ethnic origin, political views, religious or philosophical beliefs and trade union membership, as well as the processing of genetic and biometric data for the purpose of uniquely identifying an individual or data concerning an individual’s health, sexuality or sexual orientation.

For the processing of this type of personal data to be considered compliant with the GDPR, it must meet one of the conditions set out in GDPR Article 9(2), each of which lifts the prohibition on processing this type of data. If a controller of personal data is unable to identify an Article 9(2) condition that applies to the intended processing, such processing will constitute a breach of the GDPR by that controller.

GDPR Article 9(2) sets out ten circumstances in which the processing of special categories of data is permitted. A selection of these is discussed below.

Consent of the data subject

One of the conditions that exempts the processing of special categories of personal data from the prohibition is the explicit consent of the data subject. The consent of the data subject as a basis for the processing of personal data is described in the commentary to GDPR Article 7, and, unlike the consent as a basis for the processing of ordinary personal data, the consent referred to in GDPR Article 9(2) should be explicit consent. Indeed, pursuant to the 05/2020 Guidelines on consent under Regulation 2016/679, explicit consent is required in specific situations where a serious data protection risk arises and therefore where a high level of individual control over personal data is deemed appropriate.

How to ensure that consent is given explicitly?

According to the Guidelines, the term 'explicit' means that:

the data subject must make an explicit declaration of consent. An obvious way to ensure that consent is explicit would be to confirm it explicitly in a written statement. Where appropriate, the controller could ensure that the written statement is signed by the data subject in order to dispel any possible doubt and prevent a possible lack of evidence in the future. However, such a signed statement is not the only way to obtain explicit consent and it cannot be argued that the GDPR provides for an obligation to obtain written and signed statements in all circumstances where valid explicit consent is required. For example, in a digital or online context, a data subject may be able to make the required declaration by filling in an electronic form, sending an email, sending a scanned document bearing the data subject's signature or providing an electronic signature. In theory, the use of verbal statements may also be considered a sufficient means of obtaining valid explicit consent, but it may be difficult for a controller to prove that all the conditions for valid explicit consent were met at the time the statement was taken. An organisation may also obtain explicit consent during a telephone call, provided that the information regarding the choice is fair, understandable and clear and that the organisation asks the data subject for specific confirmation (e.g. a button press or verbal confirmation).

Thus, if the controller wishes to base the processing of special categories of data on GDPR Article 9(2)(a) (in the absence of any other condition of GDPR Article 9(2) that might apply) the controller must:

  • Obtain the data subject's explicit, voluntary consent to process such data and, in accordance with the principle of accountability, be able to demonstrate that explicit consent has been obtained;
  • Before doing so, the controller should also ensure that European Union or Member State law does not provide that the data subject cannot override the prohibition referred to in GDPR Article 9(1). In this context, it is worth mentioning the specific provisions of the Labour Code regarding the processing of special categories of personal data of employees and job applicants - according to Labour Code Article 22 §1, the consent of an applicant for employment or an employee may constitute the basis for the employer's processing of personal data referred to in GDPR Article 9(1) only if the transfer of such personal data is made on the initiative of the job applicant or employee.

Necessity for fulfilling obligations and exercising specific rights in the field of labour law, social security and social protection

The processing of special categories of personal data shall be lawful if and to the extent that the following conditions are cumulatively met:

  • The processing is necessary for the fulfilment of obligations and the exercise of specific rights of the controller or the data subject in the field of labour law, social security and social protection;
  • It is permitted by the law of the European Union or of the Member States, or by a collective agreement in accordance with the law of the Member States, providing adequate safeguards for the fundamental rights and interests of the data subject.

An example of the application of the above condition is the processing by the employer of certain categories of personal data of persons entitled to benefits from the company social benefits fund and their family members (this has been confirmed by the PUODO). This processing is permitted by the local provisions of the Act on the Company Social Benefits Fund, which provide for appropriate safeguards for the data subjects (e.g. it defines the data storage period, the method of data collection and provides for the obligation to conduct audits).

If the controller relies on this premise, it is advisable from a practical point of view to consider, inter alia, the following points in each case:

  • If the legislation contains more specific processing obligations - e.g. indicating what personal data and how it must be processed in order to fulfil a given obligation and exercise rights - the controller should strictly comply with the content of the legislation when processing personal data;
  • Where the law does not explicitly specify which personal data and how it is to be processed, it should be assessed whether and to what extent the processing of personal data is objectively necessary for the performance of such an obligation and the exercise of specific rights.

The need for processing to protect the vital interests of the data subject or of another person

The processing of special categories of personal data carried out by the controller which is necessary to protect the vital interests of the data subject or of another individual and where the data subject is physically or legally incapable of giving his or her consent is also in compliance with the GDPR.

This condition is discussed in the commentary to GDPR Article 6. The difference under Article 9 is that the condition exempts processing from the prohibition on processing special categories of personal data where the data subject is physically or legally incapable of giving his or her consent.

The discussed ground for processing shall apply in exceptional circumstances. Processing of personal data on the basis of the discussed ground shall be lawful if and to the extent that the following conditions are met:

  1. The vital interests of the data subject or of another individual are at stake and must be protected;
  2. The controller is able to protect the abovementioned interests and the processing of personal data by the controller is necessary for that purpose – ‘necessity’ in this context should be understood as meaning that, objectively speaking, the vital interests cannot be effectively protected without the processing of personal data;
  3. The data subject is physically or legally incapable of giving consent (e.g. is unconscious or lacks legal capacity).

The practical application of this premise appears to be particularly relevant for entities providing health care. Practical guidance on how to proceed in this regard can be found in the PUODO-approved Code of Practice for the Healthcare Sector. According to the Code, the premise in question may apply in particular to the following situations:

  • A patient's sudden loss of consciousness combined with the need to obtain additional information about the patient's state of health in order to provide health services;
  • The patient is in a condition that prevents him or her from giving informed consent or from providing reliable information, combined with the need to obtain additional information about his or her state of health in order to provide health services;
  • The need for urgent medical action following the result of a diagnostic test, combined with the inability to contact the patient in a timely manner by standard means of communication.

The Code highlights the need to be guided by the following principles:

  • Every time a patient's personal information is disclosed for this reason, the existence of a risk to the patient's life or health should be documented;
  • This ground can only be invoked in exceptional situations where it is not possible to share or obtain data from persons authorised under medical law or from other healthcare providers who have previously provided healthcare to the patient on the basis of GDPR Article 9(2)(h);
  • Where possible, take steps to make it reasonably likely that contact with a third party is justified in order to protect the vital interests of the patient (e.g. contact with a person close to the patient, contact with a person who answers the telephone number previously indicated in the patient's medical records, asking follow-up questions about the patient to a third party who should know the answers, contact with a witness to the incident during or as a result of which the patient was harmed);
  • The healthcare provider should, as far as possible, verify and record the identity of the third party to whom or from whom he or she discloses or receives the patient's personal data.

Necessity of the processing for the establishment, investigation or defence of claims

The processing of special categories of personal data is lawful if and to the extent that the following conditions are cumulatively met:

  • There are, or reasonably may be, claims:
    • Which the controller may wish to assert in the future or is currently asserting; or
    • Which the controller may wish to pursue in the future or is currently pursuing; or
    • Which the controller may wish to defend in the future or is currently defending;

and at the same time:

  • The processing of special categories of data by the controller is objectively necessary in order to achieve the above purposes.

Objective necessity should be understood as meaning that, without the processing of the data, it would not be reasonably possible to achieve the purposes of the processing.

In this context, it should be noted that it is sometimes argued (including by the supervisory authority, e.g. in the Employer's Guide) that in order to justify processing on the basis in question, the occurrence of the claims to which the processing relates should be probable, and that it is not justified to process data in relation to claims that may arise in a purely theoretical manner, but for which there is no reasonable indication that their occurrence is probable.

The necessity of processing personal data for the purposes of preventive or occupational health care, assessment of an employee’s fitness for work, medical diagnosis, the provision of health care or social security, the treatment or management of healthcare or social security systems and services under the European Union or national law or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in GDPR Article 9(3)

The processing of special categories of personal data is lawful if and to the extent that the following conditions are cumulatively met:

  • The processing is necessary for the purposes of preventive or occupational health care, assessment of the employee’s fitness for work, medical diagnosis, the provision of health care or social security, treatment or the management of health care or social security systems and services; and
  • Such processing is authorised by the European Union or national law;

or

  • Such processing is permitted under the contract with a health professional, in which case personal data may be processed when it is processed by, or under the responsibility of, a person subject to the obligation of professional secrecy under the European Union or national law or rules established by national competent authorities, or by another person also subject to the obligation of professional secrecy under the EU or national law or rules established by national competent authorities.

Examples of the application of the above condition are:

  • The processing of special categories of personal data by an employer in the context of an initial or periodic occupational health assessment;
  • Processing of data by treatment providers in connection with the provision of treatment.

From a practical point of view, if a controller relies on these grounds, it should consider, inter alia, the following points:

  • If the legislation contains more specific processing obligations – for example, specifying which personal data is to be processed, and how, in relation to a particular purpose indicated in the provision – the controller should strictly comply with the content of such legislation when processing personal data;
  • Where the legislation does not explicitly specify which personal data is to be processed and how, it should be assessed whether and to what extent the processing of personal data is objectively necessary for the purposes for which the processing is carried out.

Processing of special categories of data and performance of a contract with a data subject - on what basis?

GDPR Article 9(2) does not contain a condition based on necessity for the performance of a contract. If none of the conditions in Article 9(2)(b)–(j) apply, the controller may process a special category of data only if the data subject has given his or her explicit consent to such processing. Guidelines 05/2020 on consent under Regulation 2016/679 give the following example:

A successful company is specialised in providing custom-made ski and snowboard goggles, and other types of customised eyewear for outdoors sports. The idea is that people could wear these without their own glasses on. The company receives orders at a central point and delivers products from a single location all across the EU. In order to be able to provide its customised products to customers who are short-sighted, this controller requests consent for the use of information on customers’ eye condition. Customers provide the necessary health data, such as their prescription data online when they place their order. Without this, it is not possible to provide the requested customized eyewear. The company also offers series of goggles with standardized correctional values. Customers that do not wish to share health data could opt for the standard versions. Therefore, an explicit consent under Article 9 is required and consent can be considered to be freely given.