What are an employer's obligations under the General Data Protection Regulation (GDPR) in relation to the processing of sensitive personal data?

The General Data Protection Regulation (GDPR) uses the phrase "special categories of personal data" to refer to what is known as "sensitive personal data" under the current regime. The special categories of personal data under the GDPR are:

  • data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
  • genetic data and biometric data for the purpose of uniquely identifying an individual; and
  • data concerning health, sex life or sexual orientation.

The processing of special categories of personal data is prohibited unless one of the specific grounds set out in the GDPR applies. The grounds most relevant in the employment context are likely to be that:

  • the data subject has given his or her explicit consent to the employer processing the data for the particular purpose;
  • processing is necessary for carrying out obligations or exercising rights under employment law, social security law or social protection law, or under a collective agreement; or
  • processing is necessary for the establishment, exercise or defence of legal claims, or where courts are acting in their judicial capacity.

The processing of personal data relating to criminal convictions and offences is regulated separately under the GDPR and is therefore not included as a special category of personal data.

The GDPR will come into effect on 25 May 2018.