September 14th, 2017 | Sterling

GDPR: Sensitive Personal Data & Criminal Data

Sterling is offering a 10-part webinar series about the changes to the way personal data is protected in the European Union when the EU General Data Protection Regulation (GDPR) applies on 25 May 2018. The first webinar in the series, “What You Need to Know with 12 Months to Go,” introduces the changes to come. The second webinar in the series, “Consent & Legitimate Interest,” available on demand, was presented by Oran Kiazim, Vice President of Global Privacy, and Beatriz Torets-Ruiz, Privacy Analyst & Legal Researcher.

The GDPR, or General Data Protection Regulation, is an EU law that regulates the collection, use, disclosure and other processing of the personal data of individuals in the EU. The GDPR will replace the Data Protection Directive 95/46/EC and the national laws that implemented it, such as the UK Data Protection Act 1998, and introduces new requirements and additional burdens for businesses that process such data. It also alters existing concepts, so businesses will need to review their existing processes to make sure they remain compliant.

What is “Sensitive” Personal Data under the GDPR?

Not all personal data is treated equally. Sensitive data (what the GDPR calls “special categories of personal data” in Article 9) is personal information whose misuse could result in unlawful discrimination against an individual or pose a serious risk to that individual, such as financial loss or identity theft. Its processing is therefore prohibited unless one of a limited set of conditions applies.

Under Article 9 GDPR, the special categories of personal data are:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data (New under the GDPR)
  • Biometric data where processed to uniquely identify a person (New under the GDPR)
  • Health data
  • Data about a person’s sex life or sexual orientation

What are the Requirements for Processing Sensitive Data?

The grounds for processing sensitive data largely mirror those under current EU data protection law (Article 8 of Directive 95/46/EC):

  • Explicit consent: Unchanged in substance, although as we discussed in Part 2 of this webinar series, GDPR: Consent and Legitimate Interest, the GDPR imposes new, stricter conditions on what counts as valid consent.
  • Legal necessity: This ground is slightly broader under the GDPR than under the current Data Protection Directive. It covers processing necessary for carrying out obligations, or exercising specific rights, under employment, social security or social protection law, or a collective agreement, so far as Union or Member State law authorises it.
  • Vital interests: Processing necessary to protect the vital interests of the individual (or of another person) where the data subject is physically or legally incapable of giving consent; unchanged from the current Directive.
  • Not-for-profit bodies: Processing by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, in the course of its legitimate activities and relating to its members or regular contacts; unchanged from the current Directive.
  • Data made public: Data manifestly made public by the individual; unchanged from the current Directive.
  • Legal claims: Processing necessary for the establishment, exercise or defence of legal claims; unchanged from the current Directive.

Article 9(2) GDPR also lists further grounds (substantial public interest, health and social care, public health, and archiving, research or statistical purposes), each of which requires a basis in Union or Member State law.

Criminal Conviction Data

There has been a myth going around that the GDPR makes criminal background checks illegal in the European Union. In reality, little has changed between Article 8(5) of the Data Protection Directive 95/46/EC and Article 10 of the GDPR. Article 10 states: “Processing of personal data relating to criminal convictions and offences… shall be carried out only under the control of official authority. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.” The clause elided in that quotation also permits such processing where Union or Member State law authorises it and provides appropriate safeguards, and that is the practical route for employers. What this means is that Member States will continue to set the rules for how employers may access criminal conviction information, and those rules may differ from country to country. Companies will need to keep following Member State rules and comply with Article 88 GDPR, which allows Member States to lay down more specific rules for processing employee data.

Compliance Action Plan

It is vital to be prepared for the changes the GDPR brings in 2018. Below are a few action points for keeping the processing of sensitive data compliant through the transition:

  • Where you process sensitive data, confirm that the Article 9 condition you rely on is still available under the GDPR, and document it
  • Where you rely on the candidate’s explicit consent for processing sensitive personal data, make sure the new conditions for consent are met (freely given, specific, informed, unambiguous, and as easy to withdraw as to give)
  • Consider national law in the Member States where you operate, which may impose further conditions or restrictions, particularly on employment data
  • Remember that criminal record checks remain permissible under the GDPR as long as you follow national rules for obtaining the data from official sources

Please note: Sterling is not a law firm. The material available in this publication is for informational purposes only and nothing contained in it should be construed as legal advice. We encourage you to consult with your legal counsel to obtain a legal opinion specific to your needs.

Sterling has been planning for the GDPR changes that will affect the background screening industry since 2016. One way to stay up-to-date on the GDPR changes and make sure that your organisation is compliant is to sign-up for the Sterling webinar series. We are offering 10 On-Demand webinars this summer to tackle the many aspects of the GDPR from privacy notices to candidate rights.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.