GDPR: what should I keep in mind when processing special categories of personal data?

Special categories of personal data (sensitive personal data)

Some personal data belong to the group of “special categories” of personal data: these are personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, membership of a trade union, genetic data, biometric data, data about health or someone's sexual behavior or sexual orientation. 

  • Race
    • Eg. Caucasian
  • Political views
    • Eg. even of well-known politicians
  • Religious or philosophical beliefs
    • Even location data (eg. church visits) can indirectly reveal information about someone’s religious or philosophical beliefs
  • Trade union membership
  • Genetic data
    • Genetic data are personal data relating to inherited or acquired genetic characteristics of a natural person, and which provide unique information on the physiology or health of that natural person, by analyzing biological sample of that natural person.
  • Biometric data
    • Biometric data are personal data which result from a specific technical processing relating to physical, physiological or behavior related characteristics of a natural person, allowing unambiguous identification of that natural person, like facial photos or fingerprints.
      • Morphological: fingerprints, detailed facial photos, shape of the ear/ hand, iris scans, …
      • Physiological: DNA, …
      • Behavior related characteristics: eye tracking, walking or running pace, signature analysis, handwriting, analysis of keystrokes, …
    • Also voice and video recordings are biometric data, even when the recordings are not used to identify the data subjects; the possibility to identification – which is inherent to raw voice and video recordings – is sufficient.
      If you decide that voice or video recording are necessary for you research, you should check if the voice and video recordings could be distorted, without jeopardizing the research purposes. Remember to delete these recordings as soon these are not needed anymore to achieve your research purpose.
      For example, when researching dialects or facial expressions, the distortion of voice or video recordings will be impossible, because the raw recordings are crucial for achieving the research purposes.
      Video and raw voice recordings are rather unnecessary in case of an online interview where only the content of the conversation matters.
      Moreover, it is recommended to delete voice and video recordings as soon these are not needed anymore to achieve your research purpose.
  • Health data
    •  Health data are personal data relating to the historical, actual or future (physical or mental) health status of a natural person.
    •  For example:
      • Information on injuries, diseases, disease risks, medical history or results of medical examination or treatments;
      • Data collected by means of smart apps, such as fitness or activity trackers;
      • Data collected in the context of health (care) services;
      • Data relating to doctor appointments (e.g. the frequency of visits to the psychologist says something about mental health)
      • Data relating to self-confidence, fear of failure, (sensitivity to) burn outs or other psychological features.
  • Forensic data
    • Data of a criminal investigation (e.g. legal evidence on computers and digital storage media)
  • Data on a person's sexual behaviour or sexual orientation
    • If this information becomes publicly available, for example as a result of a data breach, this can have very adverse consequences for the data subjects.
  • Data relating to criminal convictions and offences
    • In a strict sense, these personal data are no special category of personal data, but these data are considered to be sensitive personal data for which the GDPR imposes stricter rules.

Exceptions for processing special categories of personal data

Although the processing of special categories of personal data is in principle prohibited, the GDPR provides an exception for scientific research purposes or projects where the processing of special categories of personal data is necessary. However, this does not mean that you no longer have to comply with other GDPR conditions: you must take appropriate and specific measures to protect the interests and privacy of the data subjects.

In addition to scientific research, there are various other exceptions that allow the processing of special categories of personal data such as when:

  • the data subject has given his or her explicit consent to the processing for one or more specified purposes. Please do not confuse the consent to participate to the research with the consent for the processing of personal data for research purposes;
  • the data have been manifestly made public by the data subject;
  • the processing is necessary for reasons of public interest in the field of public health;
  • the processing is necessary for the purposes of preventive or occupational medicine, medical diagnoses, or the provision of healthcare;
  • the processing is necessary to protect the vital interests of the data subject or another natural person;
  • the processing is necessary for reasons of substantial public interest.

In order to lawfully process special categories of personal data, your processing activity (within your research) must be based on one of these exceptions.

Registration in the GDPR register

If you are processing special categories of personal data, such as health data or patient data, you must indicate this in the GDPR Register. In this register you must also motivate why this exception for the processing of special categories of personal data applies to your research. 

More tips

Translated tip

Last modified Aug. 28, 2023, 10:15 a.m.