Sensitive data: A GDPR sensitivity
Sensitive data cannot in principle be collected. However, there are exceptions to the rule that require special security.
According to the CNIL, a sensitive data can be defined as any “Information concerning:
- racial or ethnic origin,
- political, philosophical or religious opinions,
- trade union membership,
- health or sex life.
In theory, sensitive data can only be collected and used with the individuals’ explicit consent.»
Nota bene: philosophical opinion-opinion is a sentiment, a judgement, whereas philosophy is about every conception regarding the principles of beings and things, the role of the man in the universe, God, history and, in general, all the great problems of metaphysics.
- In other words and in a short way, it is all that will allow you to determine the person’s opinions on the concepts which surround us and which make us (humanity, things, metaphysical problems, universe, God…)
Processing sensitive data
As a matter of principle, collecting such data is forbidden.
But as you know, every principle has its exceptions…
By way of exception, you can collect these data if your situation meets one of the following criterion:
- You have obtained the person’s express consent, i.e. a written, clear and explicit consent. In other words, you have obtained unambiguous consent.
- These data are necessary for a medical purposes or for research relating to the health sector. For example, you must know a person’s blood type in order to treat them.
- The use that you make of these data is of public interest or authorized by the supervisory authority.
- If the sensitive data concerns a member or an adherent of an association/ political organization/ religious/ philosophical/ political/ trade union.
Only in these four cases you will be allowed to be in possession of sensitive data.
WARNING: you are in possession of data relating to criminal offences? Although the law does not directly consider them as sensitive data, you must protect them as such. Be careful!
Sensitive data: the to-do list
In addition to the complex collection of these data, you should know that once they have been collected, they must benefit from a special security.
Here’s a to-do list if you have sensitive data:
- MANDATORY implementation of a PIA
- Establishment of an adequate protection for this kind of data
To find out more about how to effectively protect your websites / web applications.
Do you want to go further the processing of your sensitive data within your company? Discover our GDPR 2.0 training! The Ziwit Academy provides a complete training divided into 8 modules for a perfect understanding of the GDPR.