Sensitive personal data

Sensitive personal data is more protected than other personal data. Certain kinds of such data may only be processed in exceptional cases and must always be protected to a greater degree than other personal data. These web pages explain how sensitive personal data may be processed.

Sensitive personal data

The main principle

Sensitive personal data are prohibited from being processed except in exceptional cases. Sensitive personal data as meant by the GDPR includes all data on:

  • health,
  • ethnic origin,
  • political opinions,
  • a person's sex life or sexual orientation,
  • religious or philosophical beliefs,
  • membership of a trade union, as well as any processing of
  • biometric data, such as fingerprints for fingerprint scanning and
  • genetic data.

Exceptions to the prohibition

HR

Sensitive personal data may be processed, subject to certain limitations, if the processing is necessary for the university or individuals to fulfil their obligations and exercise their rights according to labour legislation.

HR/Student Health Care

Sensitive personal data may be processed if the processing is necessary for preventive health care, assessment of workers' work capacity, medical diagnoses, provision of health care or social care, and the processing is carried out by a person subject to a statutory obligation of professional confidentiality.

Case management and similar

Sensitive personal data may be processed if the processing is necessary for the handling of a case, such as an application for an approved leave from studies.

They may also be processed if the data have been provided to the university and the processing is required by law, such as record keeping regarding documents received.

In addition, sensitive personal data may be processed if necessary due to there being something of important public interest and there not constituting an undue breach of the personal privacy of the subject.

In all these cases, however, searches are prohibited for the purpose of obtaining a sample of persons based on sensitive personal data. This includes all technical measures whereby data is used to structure or systematise information so that sensitive personal data is disclosed.

Research

Sensitive personal data may be processed if the processing is necessary for research purposes. Such processing always requires an approved ethical review application.

Other

Otherwise, the scope for processing sensitive personal data is limited. Sensitive personal data may be processed if the data subjects have consented to it, but remember that consent cannot, as a rule, be used when it comes to employees and students.