Topic 2: Using and Sharing Sensitive Data

GDPR Article 4 defines “personal data” as:

Any information relating to an identified or identifiable natural person (‘data subject’); a natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The following data is considered ‘personal’, for example in a school setting:

  • Name
  • Address
  • Contact details
  • Disciplinary records
  • Marks and progress reports.

The following personal data is considered ‘sensitive’ and is subject to specific processing conditions; as a rule, the processing of such data is prohibited:

  • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • Trade-union membership;
  • Genetic data, biometric data processed solely to identify a human being;
  • Health-related data;
  • Data concerning a person’s sex life or sexual orientation.

The term ‘personal data’ refers to any information that identifies or could identify a living person. Information that, when combined with other information, can identify a particular individual is also considered personal data.

In cases where it is unclear whether or when personal data must be deleted, you may exercise your right to restriction of processing. That right can be exercised when:

  • The accuracy of the data in question is contested;
  • You don’t want the data to be erased;
  • The data is no longer needed for the original purpose but may not be deleted yet because of legal grounds;
  • The decision on your objection to processing is pending.

GDPR requires businesses that handle EU citizens’ personal data to provide certain information in the form of a privacy policy. The purpose of this document is to explain how the organization processes personal data and how data protection principles are applied.

The privacy policy must state the owner of the data processing, the rights of the users, the place and purpose of the processing, the type of data processed, the cookies that are issued by the website, the data storage, the links to external content and also how to change the settings.

The following actions are necessary to have a GDPR-compliant website or platform:

  • Having a compliant privacy policy. The first rule is to have the privacy policy document complete and compliant with EU Regulation 2016/679.
  • Having a compliant cookie policy. As with the privacy policy, having a cookie policy is essential to comply with the Regulation.
  • Having an up-to-date and compliant banner. After the cookie policy has been drafted, the information banner is derived from it accordingly and is necessary to acquire the user’s consent to the installation of cookies.
  • Updating contact forms. The basic rule is always transparency: to use the data provided by the user, the user must give explicit consent to its use, and the purpose of the processing must be clear.

The above cannot be regarded as final instructions for making any website GDPR-compliant, but rather as a guideline, since each website has its own characteristics. Before proceeding with implementation, it is therefore necessary to carry out an analysis to understand what personal data is collected, how it is processed and what types of cookies are used.