Personal data reveal information about an identified or identifiable natural person (called the “data subject” in the Privacy Act). Personal data include an individual’s name, a picture, a phone number, even a professional phone number, a code, a bank account number, an e-mail address, a fingerprint, etc.
Special Category of personal data
According to Art. 9 of the GDPR special category data includes:
- personal data revealing racial or ethnic origin,
- personal data revealing political opinions, religious or philosophical beliefs, or trade union membership
- genetic data
- biometric data
- data concerning health
- data concerning a natural person’s sex life or sexual orientation.
The processing of this type of data is prohibited unless one of the conditions in Art. 9 (2) applies:
- Processing is necessary for the protection of human life, but to which the data subject is unable to give their consent because of a legal incapacity or physical impossibility;
- processing is carried out by an association or any other non-profit-seeking religious, philosophical, political or trade union body, under certain conditions;
- processing relates to personal data that the data subject has made public;
- processing is necessary for the establishment, exercise or defence of a legal claim;
- processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare or treatment, or for the management of healthcare services and carried out by a member of a medical profession, or by any other person who, due to their functions, is bound by a duty of confidentiality;
- statistical processing is carried out by the National Institute of Statistics and Economic Studies (INSEE) or one of the statistical services of Ministries;
- processing is necessary for medical research according to the Data Protection Act.
In all cases involving the processing of special category of personal data, authorisation from the DPA is required.
Personal data relating to offences, convictions and security measures are also regulated by special provisions in the Data Protection Act. The processing of this category of data can be put in place only by certain controllers under certain conditions established by the Act.
The GDRP give its definition of consent as “any free, specific, informed and unambiguous demonstration of the will by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning him / her are being processed”
Under Article 45 of law “Informatique et Libertés” the parents have to provide their consent until the child turns 15.