Recherche avancée

Sur d’autres sites (8832)

• A Guide to GDPR Sensitive Personal Data

  13 mai 2024, par Erin

  The General Data Protection Regulation (GDPR) is one of the world’s most stringent data protection laws. It provides a legal framework for collection and processing of the personal data of EU individuals.

  The GDPR distinguishes between “special categories of personal data” (also referred to as “sensitive”) and other personal data and imposes stricter requirements on collection and processing of sensitive data. Understanding these differences will help your company comply with the requirements and avoid heavy penalties.

  In this article, we’ll explain what personal data is considered “sensitive” according to the GDPR. We’ll also examine how a web analytics solution like Matomo can help you maintain compliance.

  What is sensitive personal data ?

  The following categories of data are treated as sensitive :

  1. 1. Personal data revealing :
        • Racial or ethnic origin ;
        • Political opinions ;
        • Religious or philosophical beliefs ;
        • Trade union membership ;
     2. Genetic and biometric data ;
     3. Data concerning a person’s :
        • Health ; or
        • Sex life or sexual orientation.

  

  Sensitive vs. non-sensitive personal data : What’s the difference ?

  While both categories include information about an individual, sensitive data is seen as more private, or requiring a greater protection. 

  Sensitive data often carries a higher degree of risk and harm to the data subject, if the data is exposed. For example, a data breach exposing health records could lead to discrimination for the individuals involved. An insurance company could use the information to increase premiums or deny coverage. 

  In contrast, personal data like name or gender is considered less sensitive because it doesn’t carry the same degree of harm as sensitive data. 

  Unauthorised access to someone’s name alone is less likely to harm them or infringe on their fundamental rights and freedoms than an unauthorised access to their health records or biometric data. Note that financial information (e.g. credit card details) does not fall into the special categories of data.

  

  Legality of processing

  Under the GDPR, both sensitive and nonsensitive personal data are protected. However, the rules and conditions for processing sensitive data are more stringent.

  Article 6 deals with processing of non-sensitive data and it states that processing is lawful if one of the six lawful bases for processing applies. 

  In contrast, Art. 9 of the GDPR states that processing of sensitive data is prohibited as a rule, but provides ten exceptions. 

  It is important to note that the lawful bases in Art. 6 are not the same as exceptions in Art. 9. For example, while performance of a contract or legitimate interest of the controller are a lawful basis for processing non-sensitive personal data, they are not included as an exception in Art. 9. What follows is that controllers are not permitted to process sensitive data on the basis of contract or legitimate interest. 

  The exceptions where processing of sensitive personal data is permitted (subject to additional requirements) are : 

  • Explicit consent : The individual has given explicit consent to processing their sensitive personal data for specified purpose(s), except where an EU member state prohibits such consent. See below for more information about explicit consent. 
  • Employment, social security or social protection : Processing sensitive data is necessary to perform tasks under employment, social security or social protection law.
  • Vital interests : Processing sensitive data is necessary to protect the interests of a data subject or if the individual is physically or legally incapable of consenting. 
  • Non-for-profit bodies : Foundations, associations or nonprofits with a political, philosophical, religious or trade union aim may process the sensitive data of their members or those they are in regular contact with, in connection with their purposes (and no disclosure of the data is permitted outside the organisation, without the data subject’s consent).
  • Made public : In some cases, it may be permissible to process the sensitive data of a data subject if the individual has already made it public and accessible. 
  • Legal claims : Processing sensitive data is necessary to establish, exercise or defend legal claims, including legal or in court proceedings.
  • Public interest : Processing is necessary for reasons of substantial public interest, like preventing unlawful acts or protecting the public.
  • Health or social care : Processing special category data is necessary for : preventative or occupational medicine, providing health and social care, medical diagnosis or managing healthcare systems.
  • Public health : It is permissible to process sensitive data for public health reasons, like protecting against cross-border threats to health or ensuring the safety of medicinal products or medical devices. 
  • Archiving, research and statistics : You may process sensitive data if it’s done for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

  In addition, you must adhere to all data handling requirements set by the GDPR.

  Important : Note that for any data sent that you are processing, you always need to identify a lawful basis under Art. 6. In addition, if the data sent contains sensitive data, you must comply with Art. 9.

  Explicit consent

  While consent is a valid lawful basis for processing non-sensitive personal data, controllers are permitted to process sensitive data only with an “explicit consent” of the data subject.

  The GDPR does not define “explicit” consent, but it is accepted that it must meet all Art. 7 conditions for consent, at a higher threshold. To be “explicit” a consent requires a clear statement (oral or written) of the data subject. Consent inferred from the data subject’s actions does not meet the threshold. 

  The controller must retain records of the explicit consent and provide appropriate consent withdrawal method to allow the data subject to exercise their rights.

  Examples of compliant and non-compliant sensitive data processing

  Here are examples of when you can and can’t process sensitive data :

  • When you can process sensitive data : A doctor logs sensitive data about a patient, including their name, symptoms and medicine prescribed. The hospital can process this data to provide appropriate medical care to their patients. An IoT device and software manufacturer processes their customers’ health data based on explicit consent of each customer. 
  • When you can’t process sensitive data : One example is when you don’t have explicit consent from a data subject. Another is when there’s no lawful basis for processing it or you are collecting personal data you simply do not need. For example, you don’t need your customer’s ethnic origin to fulfil an online order.

  Other implications of processing sensitive data

  If you process sensitive data, especially on a large scale, GDPR imposes additional requirements, such as having Data Privacy Impact Assessments, appointing Data Protection Officers and EU Representatives, if you are a controller based outside the EU.

  Penalties for GDPR non-compliance

  Mishandling sensitive data (or processing it when you’re not allowed to) can result in huge penalties. There are two tiers of GDPR fines :

  • €10 million or 2% of a company’s annual revenue for less severe infringements
  • €20 million or 4% of a company’s annual revenue for more severe infringements

  In the first half of 2023 alone, fines imposed in the EU due to GDPR violations exceeded €1.6 billion, up from €73 million in 2019.

  Examples of high-profile violations in the last few years include :

  • Amazon : The Luxembourg National Commission fined the retail giant with a massive $887 million fine in 2021 for not processing personal data per the GDPR. 
  • Google : The National Data Protection Commission (CNIL) fined Google €50 million for not getting proper consent to display personalised ads.
  • H&M : The Hamburg Commissioner for Data Protection and Freedom of Information hit the multinational clothing company with a €35.3 million fine in 2020 for unlawfully gathering and storing employees’ data in its service centre.

  One of the criteria that affects the severity of a fine is “data category” — the type of personal data being processed. Companies need to take extra precautions with sensitive data, or they risk receiving more severe penalties.

  What’s more, GDPR violations can negatively affect your brand’s reputation and cause you to lose business opportunities from consumers concerned about your data practices. 76% of consumers indicated they wouldn’t buy from companies they don’t trust with their personal data.

  Organisations should lay out their data practices in simple terms and make this information easily accessible so customers know how their data is being handled.

  Get started with GDPR-compliant web analytics

  The GDPR offers a framework for securing and protecting personal data. But it also distinguishes between sensitive and non-sensitive data. Understanding these differences and applying the lawful basis for processing this data type will help ensure compliance.

  Looking for a GDPR-compliant web analytics solution ?

  At Matomo, we take data privacy seriously. 

  Our platform ensures 100% data ownership, putting you in complete control of your data. Unlike other web analytics solutions, your data remains solely yours and isn’t sold or auctioned off to advertisers. 

  Additionally, with Matomo, you can be confident in the accuracy of the insights you receive, as we provide reliable, unsampled data.

  Matomo also fully complies with GDPR and other data privacy laws like CCPA, LGPD and more.

  Start your 21-day free trial today ; no credit card required. 

  Disclaimer

  We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to GDPR. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.

  Try Matomo for Free

  21 day free trial. No credit card required.

  
  

  Your email address
  

  Your website address
  

  Your Analytics subdomain will be .matomo.cloud (change)

  Choose your analytics subdomain
  

  .matomo.cloud

  I accept the terms and conditions and data processing agreement (DPA)

  
  Your information will be used to create an account on our cloud service. For more information please consult our privacy policy.
  
  
  

  Start improving your websites now

  

• French CNIL recommends Piwik : the only analytics tool that does not require Cookie Consent

  29 octobre 2014, par Matthieu Aubry — Press Releases

  There has been recent and important changes in France regarding data privacy and the use of cookies. This blog post will introduce you to these changes and explain how you make your website compliant.

  Cookie Consent in the data freedom law

  Since the adoption of the EU Directive 2009/136/EC “Telecom Package”, Internet users must be informed and provide their prior consent to the storage of cookies on their computer. The use of cookies for advertising, analytics and social share buttons require the user’s consent :

  It is necessary to inform users of the presence, purpose and duration of the cookies placed in their browsers, and the means at their disposal to oppose it.

  What is a cookie ?

  Cookies are tracers placed on Internet users’ hard drives by the web hosts of the visited website. They allow the website to identify a single user across multiple visits with a unique identifier. Cookies may be used for various purposes : building up a shopping cart, storing a website’s language settings, or targeting advertising by monitoring the user’s web-browsing.

  Which cookies are exempt from the Cookie Consent rule ?

  France has exempted certain cookies from the cookie consent rule : for those cookies that are strictly necessary to offer the service sought after by the user you do not need to ask consent to user. Examples of such cookies are :

  • the shopping cart cookie,
  • authentication cookies,
  • short lived session cookies,
  • load balancer cookies,
  • certain first party analytics (such as Piwik cookies),
  • persistent cookies for interface personalisation.

  Asking users for consent for Analytics (tracking) Cookies

  For all cookies that are not exempted from the Cookie Consent then you will need to :

  • obtain consent from web users before placing or reading cookies and similar technologies,
  • clearly inform web users of the different purposes for which the cookies and similar technologies will be used,
  • propose a real choice to web users between accepting or refusing cookies and similar technologies.

  You don’t need Cookie Consent with Piwik

  The excellent news is that there is a way to bypass the Cookie Consent banner on your website :

  If you are using another analytics solution other than Piwik then you will need to ask users for consent. If you do not want to ask for consent then download and install Piwik or signup to Piwik Cloud to get started.

  If you are already using Piwik you need to do two simple things : (1) anonymise visitor IP addresses (at least two bytes) and (2) include the opt-out iframe solution in your website (learn more).

  Note that these recommendations currently only apply in France, but because the law is European we can expect similar findings in other European countries.

  CNIL recommends Piwik

  We are proud that the CNIL has identified Piwik as the only tool that respects all privacy requirements set by the European Telecom law.

  

  About the CNIL

  The CNIL is an independent administrative body that operates in accordance with the French data protection legislation. The CNIL has been entrusted with the general duty to inform people of the rights that the data protection legislation allows them.

  The role and responsabilities of the CNIL are :

  • to protect citizens and their data
  • to regulate and control processing of personal data
  • to inspect the security of data processing systems and applications, and impose penalties

  Piwik and Privacy

  At Piwik we love Privacy – our open analytics platform comes with built-in Privacy.

  Future of Privacy at Piwik

  Piwik is already the leader when it comes to respecting user privacy but we plan to continue improving privacy within the open analytics platform. For more information and specific ideas see Privacy enhancing issues in our issue tracker.

  References

  Learn more in these articles in French [fr] or English :

  • [fr] Sites web, cookies et autres traceurs
  • [fr] Comment me mettre en conformité avec la recommandation “Cookies” de la CNIL ?
  • [fr] Recommandation sur les cookies : obligations pour les responsables de sites ?
  • CNIL Starts Controlling Cookie Settings in October 2014
  • CNIL recommends Piwik for compliance with data protection laws

  Contact

  To learn more about Piwik, please visit piwik.org,

  Get in touch with the Piwik team : Contact information,

  For professional support contact Piwik PRO.

• French CNIL recommends Piwik : the only analytics tool that does not require Cookie Consent

  29 octobre 2014, par Matthieu Aubry — Press Releases

  There has been recent and important changes in France regarding data privacy and the use of cookies. This blog post will introduce you to these changes and explain how you make your website compliant.

  Cookie Consent in the data freedom law

  Since the adoption of the EU Directive 2009/136/EC “Telecom Package”, Internet users must be informed and provide their prior consent to the storage of cookies on their computer. The use of cookies for advertising, analytics and social share buttons require the user’s consent :

  It is necessary to inform users of the presence, purpose and duration of the cookies placed in their browsers, and the means at their disposal to oppose it.

  What is a cookie ?

  Cookies are tracers placed on Internet users’ hard drives by the web hosts of the visited website. They allow the website to identify a single user across multiple visits with a unique identifier. Cookies may be used for various purposes : building up a shopping cart, storing a website’s language settings, or targeting advertising by monitoring the user’s web-browsing.

  Which cookies are exempt from the Cookie Consent rule ?

  France has exempted certain cookies from the cookie consent rule : for those cookies that are strictly necessary to offer the service sought after by the user you do not need to ask consent to user. Examples of such cookies are :

  • the shopping cart cookie,
  • authentication cookies,
  • short lived session cookies,
  • load balancer cookies,
  • certain first party analytics (such as Piwik cookies),
  • persistent cookies for interface personalisation.

  Asking users for consent for Analytics (tracking) Cookies

  For all cookies that are not exempted from the Cookie Consent then you will need to :

  • obtain consent from web users before placing or reading cookies and similar technologies,
  • clearly inform web users of the different purposes for which the cookies and similar technologies will be used,
  • propose a real choice to web users between accepting or refusing cookies and similar technologies.

  You don’t need Cookie Consent with Piwik

  The excellent news is that there is a way to bypass the Cookie Consent banner on your website :

  If you are using another analytics solution other than Piwik then you will need to ask users for consent. If you do not want to ask for consent then download and install Piwik or signup to Piwik Cloud to get started.

  If you are already using Piwik you need to do two simple things : (1) anonymise visitor IP addresses (at least two bytes) and (2) include the opt-out iframe solution in your website (learn more).

  Note that these recommendations currently only apply in France, but because the law is European we can expect similar findings in other European countries.

  CNIL recommends Piwik

  We are proud that the CNIL has identified Piwik as the only tool that respects all privacy requirements set by the European Telecom law.

  

  About the CNIL

  The CNIL is an independent administrative body that operates in accordance with the French data protection legislation. The CNIL has been entrusted with the general duty to inform people of the rights that the data protection legislation allows them.

  The role and responsabilities of the CNIL are :

  • to protect citizens and their data
  • to regulate and control processing of personal data
  • to inspect the security of data processing systems and applications, and impose penalties

  Piwik and Privacy

  At Piwik we love Privacy – our open analytics platform comes with built-in Privacy.

  Future of Privacy at Piwik

  Piwik is already the leader when it comes to respecting user privacy but we plan to continue improving privacy within the open analytics platform. For more information and specific ideas see Privacy enhancing issues in our issue tracker.

  References

  Learn more in these articles in French [fr] or English :

  • [fr] Sites web, cookies et autres traceurs
  • [fr] Comment me mettre en conformité avec la recommandation “Cookies” de la CNIL ?
  • [fr] Recommandation sur les cookies : obligations pour les responsables de sites ?
  • CNIL Starts Controlling Cookie Settings in October 2014
  • CNIL recommends Piwik for compliance with data protection laws

  Contact

  To learn more about Piwik, please visit piwik.org,

  Get in touch with the Piwik team : Contact information,

  For professional support contact Piwik PRO.