Contributed By Vondst Advocaten N V
The GDPR indicates a special category of personal data that, by its nature, merits higher protection as the context of its processing could create significant risks to fundamental rights and freedoms.
This special category of personal data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a person’s sex life or sexual orientation. Personal data relating to criminal convictions and offences or related security measures is not considered a special category of personal data, but there are specific rules for processing this type of data. Data relating to criminal convictions and offences is treated in the same way as sensitive data by the AP.
In addition to the exceptions for processing special category data set out in the GDPR, the Implementation Act provides for a number of further exceptions.
In addition to the various types of sensitive data mentioned in the GDPR, the AP also treats other data as sensitive, such as financial data, location data, behavioural data and communications data.
Although financial information as such is not qualified as sensitive data in the GDPR, information about someone’s financial details will nonetheless most probably be treated as sensitive data by the AP. The code of conduct for financial institutions, which is binding for almost all Dutch financial institutions, gives important guidance on the use of personal data, even though the formal approval of this code from the AP has lapsed.
The GDPR defines data concerning health as personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status. Health data may be processed inter alia if necessary to protect the vital interest of the data subject, for the purpose of medical diagnosis, for reasons of public interest in the area of public health and scientific purposes. The Implementation Act provides for additional exceptions for administrative bodies, pension funds and employers, for schools, institutions of rehabilitation, healthcare providers and insurers.
In 2013 the AP investigated the Nike running app and concluded that it measured how many calories the user burns, how much, how often and how intensively the user runs. The AP concluded that this type of data can be considered as health data and therefore constitutes sensitive data.
In an investigation by the AP in 2013 into smart TVs, the AP considered that personal data with regard to online viewing behaviour should be considered as sensitive data. This type of data provides a lot of information about the viewer (viewed broadcasts, rented movies, visits to and use by data subjects of apps and websites, times of switching the device on and off, etc.). The AP refers to Article 29 Working Party Opinion 13/2011 on geolocation services on smart mobile devices (WP 185).