Your choice of legal basis under Article 6 does not dictate which condition you must apply and vice versa. You can choose the condition that best suits the circumstances, regardless of your legal basis. Where the processing of special categories of personal data is necessary to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent. The University must obtain the consent of a data subject before processing his or her personal data if no other legal basis is available, including situations where the personal data is special category data and none of the exceptions to consent apply. If you do not have a response to your privacy questions or concerns after contacting [the organizational unit to which you provided information], you may also contact the Boise State Office of Institutional Compliance and Ethics at 208-426-1258 or johnnymcdonald@boisestate.edu. You also have the right to lodge a complaint with your supervisory authority in the EU. When the processing of personal data of a particular category is carried out in the context of its lawful activity by a foundation, association or other non-profit organization with political, philosophical, religious or trade union objectives. This is not the case. These Terms do not replace the usual rules on a legal basis for processing. Instead, they act as an extra layer of conditions on top of the usual rules. The 2018 DPA does not add more specific conditions for genetic, biometric or health data, although the Secretary has the authority to issue regulations to add or amend conditions. Remember that for your processing to be lawful, you must always provide a basis for processing under Article 6.
Five of the conditions only apply if your processing is authorised or based on EU or Member State law. In the United Kingdom, this authorisation or legal basis is set out in the 2018 DPA. Special category data includes personal data that discloses or relates to the above types of data. So, if you have inferred or guessed details about someone who falls into one of the above categories, this data can be considered special category data. It depends on the certainty of that conclusion and whether you intentionally draw that conclusion. An explicit privacy statement is generally required for any lawful processing of personal data under the GDPR if the legal basis for such processing is not the consent of the data subject. If a privacy policy is required, it must provide: (1) when personal information is collected from residents of the European Union (EU); (2) where the first contact is made with a Union citizen whose personal data were collected indirectly or within one month of receipt of the data, whichever comes first; or (3) before the information is used for purposes other than those originally identified when the information was collected. In addition, you may only process special category data if you are able to comply with one of the conditions of Article 9 of the UK GDPR, as well as any corresponding conditions of Annex 1 of the DPA, if necessary. This table summarizes when you need a list 1 condition: it is not enough to argue that the processing is necessary because it is part of your business model, processes or procedures, or because it is a common practice. The question arises whether the processing of the special category of data is a targeted and proportionate means of achieving the objective described in the condition. 
These guidelines from the UK Information Commissioner's Office deal with special category data in detail, in particular to help organisations understand the conditions for processing special category data and ensure compliance with the GDPR.
☐ Where we use special categories of data for automated decision-making (including profiling), we have verified compliance with Article 22. An explicit privacy statement is not required if: (1) it would be impossible or would require disproportionate effort; or (2) the data subject already has the required reporting information. Five of the processing conditions are provided for in Article 9 of the GDPR alone. The other five require approval or a basis in UK law, which means you must meet additional conditions set out in the 2018 DPA. In order to lawfully process special categories of data, you must provide both a legal basis in accordance with Article 6 of the GDPR and a separate requirement for processing in accordance with Article 9. There is no need to link them. For some of these conditions, the essential element of the public interest is incorporated. For others, you must be able to demonstrate on a case-by-case basis that your specific processing is “necessary for reasons of substantial public interest”. Please note that if the University wishes to collect personal data from a data subject under the age of 16, it must obtain the consent of the parent or guardian of the data subject. If you intend to make exclusively automated decisions (including profiling) based on special category data, the rules are stricter.
If it can have a significant impact on the person, you can only proceed with explicit consent or a material condition of public interest. You should also read our separate advice on rights related to automated processing. Where special categories of data are collected, stored, processed or transmitted, controllers must ensure that additional safeguards are in place to ensure adequate protection of the information. However, some of the legal bases are not directly linked to a specific condition, such as a contract or legitimate interests. Indeed, the conditions applicable to special category data are more restrictive and specific. This doesn't mean you'll never have a condition – just that you'll have to look at them all to see if you can identify one that fits the circumstances and justifies that element of your treatment. Given the potential risks to people's rights, the conditions are narrow and often require you to meet detailed criteria and take specific safeguards and accountability measures. Some conditions are also limited to certain types of controllers and others only apply to certain types of special category data. If Boise State University collects personal data directly from a data subject in the EU, a GDPR-compliant privacy statement must contain all of the following: The processing of these special categories is prohibited, except in the limited circumstances referred to in Article 9 of the GDPR. You must establish your conditions for processing special categories of data before commencing such processing under the GDPR, and you must document this.
Boise State may also use this information to comply with its legal obligations. Records are retained in accordance with Boise State University Policy 1020 – Academic Records, Archives and Publications or for the duration of your relationship with Boise State. The records will be accessible to those who have a legitimate business linked to the State of Boise to access them. [ADD, IF APPLICABLE: Explanation of the third parties with whom information may be shared, for example: “In order to provide you with this service, we may share your personal information with third party service providers as necessary to provide the service. These third parties are required to protect your personal data by reasonable and proportionate means.”] The public interest encompasses a wide range of values and principles related to the common good or what is in the best interest of society. It must be real and substantial. Given the risks inherent in special category data, it is not sufficient to present a vague or general public interest argument. You should be able to make specific arguments about the concrete and broader benefits of your treatment. What is a special category of GDPR data and how do the rules for processing this information differ? The DPA 2018 complements and adapts the conditions of the UK GDPR for the processing of special categories of data. If the processing of personal data of special categories is necessary for the establishment, exercise or defence of legal claims or if the courts are acting in their judicial role.
The ICO cannot allow the use of special category data if there is no condition.