Chapter 4 .1. 2: Lawful processing of sensitive data

CoE law leaves it to domestic law to lay down appropriate protection for using sensitive data, while EU law, in Article 8 of the Data Protection Directive, contains a detailed regime for processing categories of data that reveal: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information on health or sex life. The processing of sensitive data is prohibited in principle. There is, however, an exhaustive list of enumerated exemptions to this prohibition, which can be found in Article 8 (2) and (3) of the directive. These exemptions include explicit consent of the data subject, vital interests of the data subject, legitimate interests of others and public interest.

Unlike in the case of processing non-sensitive data, a contractual relationship with the data subject is not viewed as a general basis for the legitimate processing of sensitive data. Therefore, if sensitive data are to be processed in the context of a contract with the data subject, use of these data requires the data subject’s separate explicit consent, in addition to agreeing to enter into the contract. An explicit request by the data subject for goods or services which necessarily reveal sensitive data should, however, be considered to be as good as explicit consent.