The General Data Protection Regulation (‘GDPR’) was enforced on 25 May 2018, harmonizing privacy laws across Europe and marking a transformative shift in privacy regulations in two decades. GDPR places a greater compliance burden on processing of ‘sensitive special data’. Information such as race, ethnicity, religious, political and ideological affiliations, biological and biometric information (e.g. fingerprints, genetic profile), to name a few, qualify as ‘sensitive personal data’.
Processing of sensitive personal data is permissible only under specific circumstances as per GDPR norms. Processing of sensitive personal data for any other purpose - that is, any purpose that does not fall under these justifications is prohibited and therefore unlawful.
Some of these justifications envisioned include explicit prior consent being sought from the person concerned, unless reliance on consent is prohibited by EU or Member State law. Consent to such processing of sensitive personal data should be freely, specifically and unambiguously given by a data subject. There may even be cases where such data has manifestly been made public by a person.
An exception has been carved out for situations where processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. Processing of sensitive personal data is also permitted in situations where processing of such data is necessary to protect substantial public interest (for example, in matters of public health, scientific or for historic research purposes).
Crucially, a data subject has the option to withdraw consent given at any later time. These withdrawal requests also need to be captured and updated by organizations handling sensitive personal data, along with undertaking a comprehensive review of existing data collected so far by the organization to ascertain whether such information qualifies as sensitive personal data and whether the circumstances requiring disclosure falls under the specific exceptions carved out by GDPR.