3.5 Processing of special categories of data

Special categories of personal data according to the Data Protection Ordinance are data disclosing racial or ethnic origin, political opinions, religious or philosophical beliefs or membership of a trade union and treatment of genetic data, biometric data to uniquely identify a natural person, health data or data on a person’s sexually activity or sexual orientation. The basic rule is that the processing of such information is prohibited, except in cases where the data subject agrees to the treatment. 

There are a number of exceptions to this rule, where those who are most useful for the education activities are:

  • if it is required to fulfill an important public interest
  • if the processing is necessary to determine, claim or defend legal claims,
  • or in the cases specified in Chapter 3. Section 3 of Dataskyddslagen (The Data protection act) with additional provisions to the General Data Protection Regulation.

These exceptions are: sensitive personal data may be obtained and processed by an authority pursuant to Article 9.2 g of the General Data Protection Regulation

  • In text describing a case if the information has been submitted or is necessary for the handling of the case,
  • if the data has been submitted to the authority and the processing is required by law, or
  • in occasional cases, if it is absolutely necessary for the purpose of processing and the processing does not constitute an improper infringement of the personal privacy of the data subject.
Data protection impact assessment

The General Data Protection Regulation requires an impact assessment to be made if the treatment is likely to lead to high risk for the rights and freedoms of the data subject. The person responsible for processing will then assess the consequences of the processing in regard to the protection of personal data. This assessment shall be documented in writing and made in cooperation with the Data Protection Officer. If it is unclear whether the planned treatment is likely to lead to a high risk, the Data Protection Officer should be consulted.