GDPR Series: (special) personal data

As we wrote earlier, the General Data Protection Regulation  (‘GDPR’) entered into force on 24 May 2016. The Dutch Personal Data Protection Act  (de “Wet Bescherming Persoonsgegevens” hereinafter called: ‘Wbp‘) provides for the protection of personal data until 25 May 2018, after which the GDPR will take over the baton.

The aforementioned legislation contains rules on the lawful processing of personal data. The processing of personal data soon becomes an issue, not only because processing is a broad concept, but also because more and more information is labelled as legally relevant personal data.

What is personal data?

Personal data means all information about an identified or identifiable natural person. The information must be able to lead directly or indirectly (by means of tracing) to the identification of a natural person.

The obvious personal details are someone’s name, address, place of residence, BSN number and (e-mail) address. Less obvious personal data are license plate details and IP addresses.

What are special personal data and what will change in the GDPR?

More sensitive data such as a person’s race, religion, sexual life, political opinion, health, membership of a trade union and criminal behavior are considered as special categories of personal data in both the Wbp and the GDPR, for which the law offers a high degree of protection.

Changes have been made to the wording of the categories of special personal data in the GDPR and the number of categories of special personal data has been expanded to include genetic data and biometric data.

Genetic data are explicitly laid down as a category of special personal data in the GDPR. The sensitivity of genetic data, such as DNA, follows from the fact that they say something about the state of health of a person and his family members.

Biometric data are included in the GDPR as a special category of personal data in so far as they are processed for the purpose of unique identification of a person. Biometric data include fingerprints, voice, handwriting, geometry of the hand circumference and scans of retina, iris and face. The sensitivity of these exact measurement data results from the fact that they contain unique body characteristics of a person. However, a photograph of a person is not necessarily special personal data on the basis of the above. After all, special personal data only exists when the photograph is processed with the aid of certain technical means and thus makes it possible to uniquely identify a person. The importance of legal regulation of biometric data derives, inter alia, from the developments in the use of biometrics as a means of identification to regulate access to certain places, buildings and information systems.

Why is the distinction between personal data and special categories of personal data relevant?

The processing of special personal data is prohibited under both the WBP and the GDPR, unless there is a statutory exception. An example of a legal exception is the explicit consent of the person whose personal data are involved. These and other legal exceptions will be discussed later in the GDPR series.

What do the changes in the GDPR mean in practice?

It is important for organizations to realize that personal data are accompanied by statutory rules that aim to guarantee that they are processed lawfully. When the GDPR enters into force next year, organizations will also have to be even more alert than at present to the processing of special personal data because of the expansion of the categories of special personal data. As a result, the business processes related to the processing of personal data may have to be adapted in the run-up to 25 May 2018. It is therefore wise to make an inventory of which personal data your organization processes on time, whether these can be seen as special personal data and whether the processing of these personal data is based on a legally valid basis.