The following personal data are qualified as special categories of personal data (a.k.a. fragile or sensitive):
1) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership,
2) data processing of genetic data, biometric data for the purpose of uniquely identifying a natural person,biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images (photographs) or dactyloscopic data (fingerprints);
3) data concerning health or data concerning a natural person’s sex life or sexual orientation
Some specific situations:
1) processing of facial images (photographs) should not be systematically regarded as sensitive data; they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person;
2) addictions are not particularly considered in the Regulation as fragile personal data.
Processing of so-called fragile personal data is prohibited, except for the following situations:
(1) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, if the consent is applicable;
(2) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
(3) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(4) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim;
(5) processing relates to personal data which are manifestly made public by the data subject;
(6) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(7) processing is necessary for reasons of substantial public interest;
(8) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
(9) processing is necessary for reasons of public interest in the area of public health;
(10) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
It is worth remembering that it is not a legal basis for processing of fragile data if that processing is necessary (comparing to processing of non-fragile data):
1) for the performance of a contract;
2) for compliance with every legal obligation to which the controller is subject;
3) to protect the vital interests of the data subject or of another natural person in every situation.