The GDPR identifies certain types of personal data as ‘special categories’ of personal data meriting specific protections, as the nature of these categories means their processing could create significant risks to individuals’ fundamental rights and freedoms. These are ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.
Genetic data is defined as ‘personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question’.
Additional guidance is also given on the meaning of data that relates to health, a phrase clearly meant to be given a broad interpretation. It means personal data ‘related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status’ and includes ‘all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject’, including:
- information about the natural person collected in the course of the registration for,
or the provision of, health care services;
- a number, symbol or particular assigned to a natural person to uniquely identify the
natural person for health purposes;
- information derived from the testing or examination of a body part or bodily
substance, including from genetic data and biological samples;
- and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment, or the physiological or biomedical state of the data subject
- independent of its source, for example, from a physician or other health
professional, a hospital, a medical device or an in vitro diagnostic test
The recitals also say that the ‘processing of photographs should not systematically be considered the processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person’. However, they do not address the point that photographs may also reveal a person’s racial origin, religious beliefs or certain physical disabilities, which may be regarded as information about the individual’s health status.