Special Category Data

Question

0

Asked: May 20, 20212021-05-20T16:54:17+01:00 2021-05-20T16:54:17+01:00In: GDPR

Special Category Data

0

Special Category Data (round 2!)

Hi apologies if my last post wasnt clear.

When processing Special Category Data I get tied up in knots! Can I clarify my thinking please?

Each time I process special category data do I need each of these three things below:
A Lawful basis (Article 6)
An exemption (Article 9)
A DPIA

Then on top of that do I also need an Appropriate Policy Document too?

Many thanks for your help.

4 Answers

Leave an answer
Cancel reply

You must login to add an answer.

Dominga Leone · Answer 1 · 2021-05-23T11:20:49+01:00

Dominga Leone

View Profile

Dominga Leone Bronze contributor

2021-05-23T11:20:49+01:00Added an answer on May 23, 2021 at 11:20 am

You need to have a lawful basis under article 6 and an exception under article 9. You only need to do a DPIA if the processing of special categories of data is large scale or in combination with other risk processing.

You should always be clear in your privacy notice what data you are processing and the lawful basis and exceptions you rely upon.

2

Reply
Share
Share

HellenB · Answer 2 · 2021-05-23T14:27:04+01:00

HellenB

View Profile

HellenB Silver contributor

2021-05-23T14:27:04+01:00Added an answer on May 23, 2021 at 2:27 pm

Agree completely with Dominga. With regards to Appropriate Policy Document, it’s always a good idea to have a record of why you are processing special category data in your general processing records.

1

Reply
Share
Share

BlueBottle · Answer 3 · 2021-05-26T11:09:59+01:00

BlueBottle

View Profile

BlueBottle Bronze contributor

2021-05-26T11:09:59+01:00Added an answer on May 26, 2021 at 11:09 am

Agreed on what has been said before, but regarding your Schedule 1 conditions and references to legislation, remember the DPA has been amended and is not currently showing on Legislation.gov.uk in its updated form. You can use the Keeling Schedule at https://www.gov.uk/government/publications/data-protection-law-eu-exit

That being said, there shouldn’t be any consequential differences and Legislation.gov.uk is easier to navigate. Just worth double-checking – it’s more relevant if you need to look at the newly-added Schedule 21, particularly with regard to international transfers.

0

Reply
Share
Share

Simon · Answer 4 · 2021-05-24T08:40:04+01:00

Simon

View Profile

Simon Bronze contributor

2021-05-24T08:40:04+01:00Added an answer on May 24, 2021 at 8:40 am

To add to Dominga and Hellen, you may also need to document that you’ve met the provisions in the Data Protection Act 2018. Section 10 of the DPA18 sets out conditions that need to be met to rely on special category lawful bases for employment, substantial public interest, health and social care, public health, and research. https://www.legislation.gov.uk/ukpga/2018/12/section/10/enacted

These are found in Schedule 1 of the DPA18. https://www.legislation.gov.uk/ukpga/2018/12/schedule/1/enacted

0

Reply
Share
Share

Dominga Leone

HellenB

BlueBottle

Simon

Smurf333

Dave_Wylie

CRodica

Atis

Ian G

Revoke.com - new third party portal for customer right requests

Instagram!!

DPO in EU and UK

DBS scenario with HR retaining excessive information for longer than ...

Parties role towards employees data for administrative purposes

Sign Up

Sign In

Forgot Password

Special Category Data

4 Answers

Leave an answerCancel reply

Leave an answer
Cancel reply