Under GDPR, companies have obligations regarding the personal data of data subjects, but there is also a separate category of data that is treated differently – GDPR special category data.

What is GDPR special category data and how do the rules differ for processing that information?

GDPR Special Category Data

GDPR special category data is personal information of data subjects that is especially sensitive, the exposure of which could significantly impact the rights and freedoms of data subjects

GDPR special category data includes the following information:

  • Race and ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union memberships
  • Biometric data used to identify an individual
  • Genetic data
  • Health data
  • Data related to sexual preferences, sex life, and/or sexual orientation.

Because these data elements are particularly sensitive, an organisation must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. If special category data are collected, stored, processed, or transmitted data controllers must ensure that additional protections are put in place to ensure that information is appropriately safeguarded.

Why do we process Special category data?

We process Special Categories of Personal Data for the following purposes (this list is not exhaustive):

(a) assessing an employee's fitness to work
(b) complying with health and safety obligations
(c) complying with the Equality Act 2010
(d) checking applicants' and employees' right to work in the UK
(e) verifying that candidates are suitable for employment or continued employment