2. Sensitive personal data requires particularly careful protection

The icon features a rectangle depicting information. There is an eye crossed over with a line on the bottom right corner of the rectangle. The icon is surrounded by a light green frame. The icon can be used to indicate the processing of special categories of personal data or instructions for such processing.

The icon features an open palm holding a rectangle, which represents personal data, with a symbol depicting a person in the centre. The icon is surrounded by a light green frame. This icon can be used to express that the situation involves the controller's obligations related to the processing of personal data.

‘Special categories of personal data’ include sensitive information indicating the person’s ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health status, sexual orientation or sex life, as well as genetic and biometric data. As a rule, the processing of such personal data is prohibited. Such data may only be processed on special grounds and with special care.

Hobby organisers may process data about a person’s

health,
religious or philosophical beliefs,
ethnic origin,
political opinions,
sex life and sexual orientation, and
trade union membership.ammattiliiton jäsenyydestä.

Sensitive data must be protected especially well. The processing of special categories of personal data is only allowed on specific grounds laid down in the GDPR or other legislation. Hobby organisers can process such data on the following grounds:

The data can be processed with the person’s informed and unambiguous consent. Explicit consent can be given by means such as signing a written statement, or with an electronic signature or two-factor authentication. For example, the person can first reply to an email sent by the hobby organiser, after which an electronic confirmation link or code will be sent to them.
A political, philosophical or religious association or other non-profit organisation can process special categories of personal data when all of the following requirements are met:
- The data is being processed in connection with the organiser’s legal activities.
- The data is appropriately protected (e.g. technical safeguards, access rights management and password protection).
- The organisation is only processing the data of its members, former members or individuals with a close connection to the organisation.
- Data is not disclosed to outside parties without the person’s consent.

What do hobby organisers need to take into account when processing sensitive personal data?

1. Identify the special categories of personal data being processed in your hobby activities and make sure that it is necessary to process them.

2. Make sure that the hobby organiser has special grounds for processing the data. For example, the processing of a participant’s allergy information during a scout camp in the woods could be based on the participant’s specific consent. If sensitive data is being processed on the basis of the person’s consent, you need to be able to demonstrate that the consent has been given.

3. Make sure that special categories of personal data are well protected, for example with technical safeguards, access rights management and password protection.

4. Specify the individuals whose duties include the processing of special categories of personal data in the hobby activity. Make sure that only the people whose duties include the processing of sensitive data have access to the data, and that those people are aware of the special requirements related to the processing of sensitive data.

5. Specify the storage period for the personal data. The storage period must reflect the purpose of the processing. For example, if information on the participants’ allergies has only been collected for a scout camp in the woods, the data must be erased at the end of the camp.

Remember

Take special care to protect sensitive data. Make sure that you have special grounds for processing special categories of personal data.