As mentioned in our previous GDPR update, the fifth update in this series will deal with how an employer processes sensitive personal data which are now known as 'special categories' of personal data under the GDPR.
For the purposes of the GDPR, sensitive personal data include information in relation to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique id purposes, data concerning health or sex life or sexual orientation. Interestingly for employers, the definition of sensitive personal data includes the processing of employee personal data relating to his or her membership of a trade union.
It is important to note that the processing of all personal data (regardless of whether it is sensitive personal data or not) requires a legal basis for processing. There are six legal bases set out in the GDPR. Examples of these legal bases include having the consent of the data subject or where the processing is necessary for the performance of a contract. At least one legal basis is required when processing any kind of personal data.
When it comes to processing sensitive personal data however, an employer will need to satisfy at least one additional condition in order to process the data. There are ten of these additional conditions from which to choose. If an employer cannot meet any one of the ten additional conditions, they will be legally prohibited from processing the sensitive personal data.
The ten additional conditions for processing sensitive personal data include where:
the employee has given explicit consent to the processing; the processing is necessary in connection with rights and obligations under employment, social security and social protection law; the data are manifestly made public by the employee; the processing is necessary for the establishment, exercise or defence of legal claims; or the processing is necessary for reasons of substantial public interest, and the employer provides suitable measures to safeguard the employee's rights. The term 'explicit' consent above refers to the way consent is expressed by an employee. It means that the...