Processing of special categories of personal data

As a rule, the processing of personal data belonging to special categories is prohibited.

Such data reveals the person’s

  • racial or ethnic origin
  • political opinions
  • religion or philosophical beliefs
  • trade union membership
  • data concerning health
  • sexual orientation or activity and
  • genetic and biometric data for identifying the person.

Such data merits specific protection, because its processing could create significant risks to the fundamental rights and freedoms of the individual.

When is the processing of special categories of personal data permitted?

Personal data belonging to special categories can be processed if an exception to the prohibition has been provided for in the EU's General Data Protection Regulation (GDPR) or specifically in Union law or national legislation. It is important to recognise whether data can be processed by virtue of the GDPR or whether processing will require separate legislation or agreements in addition to the GDPR.

Special categories of personal data can be processed by virtue of the GDPR in the following cases:

  • When the data subject has given his or her explicit consent for the processing of the personal data in question.
  • When the processing is necessary to protect the vital interests of the data subject or another person if the data subject is physically or legally incapable of giving consent.
  • When the personal data is processed in the course of the legitimate activities of a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and the processing is appropriately protected. Such processing may only relate to members or former members of the body or to persons who have regular contact with it in connection with its purposes. Data may not be disclosed outside that body without the consent of the data subjects.
  • When the processing relates to personal data which are manifestly made public by the data subject, such as by publishing them on the data subject's own website.
  • When the processing is necessary for the establishment, exercise or defence of legal claims. Processing is also permitted whenever courts are acting in their judicial capacity.

In the following cases, processing is not possible by virtue of the GDPR alone, but requires more specific regulations or other procedures:

  • When processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law. Measures for safeguarding the fundamental rights and benefits of the data subject must also be stipulated in this connection.
  • When processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law. The regulations that permit processing shall be proportionate to the aim pursued and respect the essence of the right to data protection. Measures for safeguarding the fundamental rights and benefits of the data subject must also be stipulated in this connection.
  • When processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional. Such processing requires that the data is only processed by a professional or person subject to a statutory obligation of secrecy.
  • When processing is necessary for reasons of public interest in the area of public health, on the basis of Union or Member State law which also provides for measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
  • When processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the GDPR and based on Union or Member State law. The regulations that permit processing shall be proportionate to the aim pursued and respect the essence of the right to data protection. Measures for safeguarding the fundamental rights and benefits of the data subject must also be stipulated in this connection.