Personal data reveal information about an identified or identifiable natural person (called the “data subject” in the Privacy Act). Personal data include an individual’s name, a picture, a phone number, even a professional phone number, a code, a bank account number, an e-mail address, a fingerprint, etc.
Special Category of personal data
According to Art. 9 of the GDPR special category data includes:
- personal data revealing racial or ethnic origin,
- personal data revealing political opinions, religious or philosophical beliefs, or trade union membership
- genetic data
- biometric data
- data concerning health
- data concerning a natural person’s sex life or sexual orientation.
- criminal records
The processing of this type of data is prohibited unless one of the conditions in Art. 9 (2) applies:
- Processing is necessary for the protection of human life, but to which the data subject is unable to give their consent because of a legal incapacity or physical impossibility;
- processing is carried out by an association or any other non-profit-seeking religious, philosophical, political or trade union body, under certain conditions;
- processing relates to personal data that the data subject has made public;
- processing is necessary for the establishment, exercise or defence of a legal claim;
- processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare or treatment, or for the management of healthcare services and carried out by a member of a medical profession, or by any other person who, due to their functions, is bound by a duty of confidentiality;
- statistical processing is carried out by the National Institute of Statistics and Economic Studies (INSEE) or one of the statistical services of Ministries;
- processing is necessary for medical research according to the Data Protection Act.
Apart from the GDPR, Austrian law typically provides for sector specific regulations on the processing of sensitive personal data (e.g. for insurance companies, telecommunications providers, pharma companies or healthcare organisations).
The GDPR definition of ‘consent’, written in Art. 4 (11) is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Consent to process sensitive personal data must be explicit.
Under Austrian case law, the consent wording has to explicitly reference the right to consent revocation.
The Article 29 Working Party has issued Guidelines on Consent (WP259).
The age at which a child can provide a valid consent is reduced to 14 years old by the DSG.