The GDPR identifies certain types of personal data as ‘special categories’ of personal data meriting specific protections, as the nature of these categories means their processing could create significant risks to individuals’ fundamental rights and freedoms. These are ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.
Genetic data is defined as ‘personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question’.
Additional guidance is also given on the meaning of data that relates to health, a phrase clearly meant to be given a broad interpretation. It means personal data ‘related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status’ and includes ‘all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject’, including: