Originally written by Katelin Kennedy
One of my fondest childhood memories involves a dinner plate. Yes, a dinner plate. Our family had a red plate that read “You Are Special Today” in white lettering around the outer edge. The special plate wasn’t an everyday dinner plate, and it wasn't used as bait to get me or my brother to show up at the table on a regular basis. It was saved for rare occasions, like birthdays or tee ball grand slams. Well, under the GDPR, you have to handle certain categories of special data like the special plate. This analogy may be ridiculous, but it's my blog to spice up (see what I did there?), and you won’t forget it.
You can’t process special data (or use the special plate) without a special condition.
What types of data are considered special data?
Special data (the GDPR calls it "special categories of personal data") includes:
Data that reveals an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
Data concerning health, sex life, or sexual orientation
Genetic data, which relates to a person's inherited or acquired genetic characteristics and generally results from analyzing a biological sample
Biometric data, which relates to a person's physical, physiological, or behavioral characteristics and counts as special data when it is processed to uniquely identify that person. The obvious examples are fingerprints and facial recognition. A less obvious example is the tracking in a checkout-free store such as Amazon's grab-and-go store, which charges your account based on what items you take out of the store: if the system tells shoppers apart by their physical or behavioral characteristics, that is biometric data.
Health data, which relates to a person's past, current, or future physical or mental health. This covers any and all health-related information, including data from medical devices and fitness tracking devices.
What if my business uses special data?
The general rule is simple: You cannot process special category data, unless there is a special condition.
This is one of the sections in the GDPR that starts looking like Swiss cheese after you get through all of the exceptions to the rule, so it’s easier to think of it the other way around.
You can ONLY process special data if…
You have explicit consent from the individual (not just ordinary consent; see below)
Processing relates to special data that was manifestly made public by the individual (aka, the data subject)
Processing is necessary to protect vital interests where the data subject is physically or legally unable to consent (e.g., medical emergencies)
Processing is done by a nonprofit with a political, philosophical, religious, or trade union aim in the course of its legitimate activities, subject to additional restrictions (appropriate safeguards, members and regular contacts only, and no disclosure outside the body without consent)
Processing is necessary to carry out obligations under employment, social security, or social protection law
Processing is necessary for the establishment, exercise, or defense of legal claims
Processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law
Processing is necessary for preventive or occupational medicine, medical diagnosis, the provision of health or social care, or assessing an employee's working capacity, on the basis of EU or Member State law or a contract with a health professional bound by professional secrecy
Processing is necessary for reasons of public interest in the area of public health, on the basis of EU or Member State law
Processing is necessary for archiving purposes in the public interest, scientific or historical research, or statistical purposes, on the basis of EU or Member State law
The key takeaway is this:
In most cases, you will need explicit consent to process special data of individuals in the EU, unless the data you are processing was manifestly made public by the individual (e.g., something posted on a publicly accessible Facebook profile).
Consent is its own major concept under the GDPR, so we'll cover it in more detail in a separate post. As a quick recap from our previous post on the lawful basis analysis, consent must be informed, specific, and freely given by an unambiguous and affirmative action. For special data the bar is higher still: the consent must be explicit, meaning the individual expressly confirms it (for example, by a signed statement or a clearly worded opt-in), rather than consent merely being implied from their conduct.
Does a US company have to comply with special data rules before it has any EU customers?
Not necessarily, but you should at least consider planning ahead.
Quick recap: A U.S. company is only required to comply with the GDPR if it is established in the EU (an office, branch, or other stable arrangement there), intentionally offers goods or services to individuals in the EU, or monitors the behavior of individuals in the EU.
Let's say you are developing a wearable technology product to track fitness data. You won't be on the hook to follow the special data rules for the health data that is processed through your product until you are established in the EU, start offering the product to individuals in the EU, or begin monitoring the behavior of individuals in the EU, which for a fitness tracker in practice means having customers actually using your product there. That said, the best business owners think about the bigger picture. If you anticipate that your product may be used by individuals in the EU in the not-too-distant future, it would be wise to get ahead of the curve and plan your data processing activities to comply with the special data rules before you have EU Customer #1. The special data rules will likely impact how your technology actually collects and processes special data, and it may not be so easy to change functional elements of the technology after your product hits the market. Planning for compliance with the GDPR special data rules now could save you from having to make significant changes to your data processing practices down the road; and that translates to time and money in the long run.
Not sure if you actually process data that would be considered special data under the GDPR? Send us a note and we’ll help get you on track.
Stay tuned for more about consent.
*This blog provides general information for educational purposes only. It is not intended to constitute specific legal advice and does not create an attorney-client relationship.*