IT Glossary

Special categories of data

The GDPR defines special categories of personal data. These include data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health and data concerning sex life or sexual orientation.

Their processing is prohibited as a matter of principle, even if the processing does not target the sensitive element the data contain, unless:

  • The data subject has given his/her express consent, for one or more specific purposes;
  • The processing is necessary for the fulfilment of the obligations and exercise of the rights of the controller or the data subject in the field of labour law, social security and social protection;
  • The processing is necessary to safeguard the vital interests of the data subject;
  • The processing concerns a member of a political, religious, philosophical or trade union organization;
  • The processing relates to information which is manifestly made public by the data subject;
  • The processing is necessary for the establishment, exercise or defense of legal claims;
  • The processing is necessary for reasons of public interest;
  • The processing is necessary for the purposes of preventive or occupational medicine, assessment of the worker’s capacity to work, medical diagnosis, health or social care, or the management of health or social care systems and services;
  • The processing is necessary for reasons of public interest in the field of public health;
  • The processing is necessary for archival purposes in the public interest, for scientific or historical research or for statistical purposes.

Restrictions on the processing of special categories of data are justified in particular by the fact that they present a risk of affecting the most intimate sphere of the data subjects as well as a serious risk of harm to them.

GDPR focus

Personal data that are, by nature, particularly sensitive from the point of view of fundamental rights and freedoms deserve specific protection, as the context in which they are processed could give rise to significant risks for these rights and freedoms.

Recital 51 of the GDPR

Case law focus

The CNIL reminded the Ministry of the Interior that “Article 99 of the Data Protection Act imposes a heightened security obligation on data controllers when they process so-called sensitive data within the meaning of Article 6 of the Act, such as fingerprints and palm prints, which are ‘biometric data for the purpose of uniquely identifying a natural person’.”

CNIL, September 24, 2021, N°SAN-2021-016

The Bouchara firm assists you in particular with:

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter…);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of implementing a new personal data processing operation;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.