Special categories of personal data in the Personal Data Bill

According to the new Law, certain categories of data must be processed with greater care due to the extent of privacy concerns involved. Improper processing of these kinds of data may entail harmful consequences for their data subjects, so the new law sets forth greater requirements for controllers.

Learn how the New Data Protection Law regulates these special categories of data below.

Law 19,628 v/s New Data Protection Law

Law 19,628 regulated the protection of personal data without establishing separate regulations for special categories of data, except for sensitive data, for which it establishes special sources of lawfulness.

The following is a brief comparison of the changes introduced by the new law in relation to Law No.19,628:

Law 19.628	Draft Law on Personal Data
Provides a definition of sensitive data and regulates the legal bases to process them: its processing is prohibited unless the law authorizes it, there is consent of the data subjects or they are necessary data for the determination or granting of health benefits that correspond to their data subjects. Other types of special personal data are not regulated in depth.	Categories of sensitive data, such as sensitive health data and biological profile, and biometric data are regulated in depth. In addition, new categories of data are regulated, such as data regarding children and adolescents, data for historical, statistical, scientific and study or research purposes, and geolocation data. Obligations are established for those responsible (controllers) for the processing of this type of data.

Law 19.628

Draft Law on Personal Data

Provides a definition of sensitive data and regulates the legal bases to process them: its processing is prohibited unless the law authorizes it, there is consent of the data subjects or they are necessary data for the determination or granting of health benefits that correspond to their data subjects.

Other types of special personal data are not regulated in depth.

Categories of sensitive data, such as sensitive health data and biological profile, and biometric data are regulated in depth.

In addition, new categories of data are regulated, such as data regarding children and adolescents, data for historical, statistical, scientific and study or research purposes, and geolocation data.

Obligations are established for those responsible (controllers) for the processing of this type of data.

Special categories

The new law regulates special categories of data in Title II, dividing its regulation as follows:

Processing of sensitive personal data
Processing of special categories of personal data

Sensitive Personal Data

The new law defines sensitive personal data as those relating to:

Physical or moral characteristics of people.
Facts or circumstances of the private life or intimacy of people.
- Some examples of the sensitive data that the project includes are the following Racial or ethnic origin
- Political, trade union or trade union affiliation
- Socio-economic situation
- Ideological or philosophical convictions
- Religious beliefs
- Data relating to human health and biological profile
- Biometric data
- Information relating to sex life, sexual orientation and gender identity.

The general rule for processing sensitive data is consent from the data subject. However, the new law allows the processing of such data without the subject’s authorization under certain expressly regulated grounds, which include: (i) that the processing is based on the existence of a legitimate interest carried out by a public or private legal person that does not pursue profit purposes and certain additional conditions expressly established in the new law are met; (ii) that the processing is indispensable to safeguard the life, health or physical or psychological integrity of the holder or of another person or, that the holder is physically or legally prevented from granting his consent; (iii) that it is mandated by law; among others.

Sensitive Personal Data relating to Health and Human Biological Profiling

The new law does not define health data, but regulates them in a special way, considering them as a kind of sensitive data. It also refers to data relating to the human biological profile, and although it does not expressly define them, it does list some examples of this type of data:

Genetic data
Proteomic data
Metabolic data

According to the new law, all these types of sensitive data (health data and data relating to the human biological profile) may only be processed with the consent of the data subjects and for the purposes provided for by special laws on health matters.

However, the new law establishes special legal bases that allow processing this type of data without consent from the data subject, such as: (i) in case of health alert; (ii) when the processing is indispensable to safeguard the life or physical or psychological integrity of the holder or of another person or when the holder is physically or legally unable to give his consent; (iii) when the processing of the data is necessary for the formulation, exercise or defense of a right before the courts of justice or an administrative body; among others.

Biometric Personal Data

The new law also considers biometric data as personal data and defines them as those obtained from a specific technical treatment, related to the physical, physiological or behavioral characteristics of a person that allow or confirm the unique identification of the person, such as fingerprint, iris, hand or facial features and voice.

Such data may only be processed with the consent of the owners and after informing the owner about: a) the identification of the biometric system used; b) the specific purpose for which the data will be used; c) the period during which the data will be used; and d) the way in which the owner may exercise his or her rights.

However, these data may be processed without the consent of the holder in the same exceptional cases contemplated for health and biological profile data.

Infractions due to non-compliance in the processing of Sensitive Personal Data

The new law attaches great importance to the care of sensitive data and therefore establishes the following conducts as very serious infringements: Breaching security and confidentiality obligations on the processing of sensitive personal data.
Knowingly processing, communicating or transferring sensitive personal data in contravention of the law.

Obligation to communicate security breaches of Sensitive Personal Data to the data subjects

The controller has the obligation to notify both the Agency and the data subjects if it suffers a security breach affecting sensitive data.

Special Categories of Personal Data

1. Personal data relating to children and adolescents (Data of NNA)

In relation to the data of children and adolescents, the new law establishes that their processing must attend to the best interests of them and with respect to their progressive autonomy.

The new law, in relation to the source of legality of these data, makes a relevant distinction:

Personal data of children (data of children under fourteen years of age): the consent of the parents or legal representatives or by the person in charge of the personal care of the child is required, unless expressly authorized or mandated by law.
Personal data of adolescents (over fourteen and under eighteen):
- Adolescents over 16 years of age: they may be processed according to the authorization rules provided by law for adults.
- Adolescents under 16 years of age: they may only be processed with the consent granted by their parents or legal representatives or who are responsible for the personal care of the minor, unless expressly authorized or mandated by law.

In the event of violations of the data security obligations regarding the processing of personal data of children under 14 years of age, the person in charge, in addition to reporting to the Agency, must report to the parents or legal representatives or by the person in charge of the personal care of the child, unless expressly authorized or mandated by law.

2. Personal data for historical, statistical, scientific and study or research purposes

In relation to this type of personal data, the new law establishes that with respect to them there is a cause of legitimate interest that authorizes their processing, when the processing is carried out exclusively for historical, statistical, scientific purposes and for studies or research, all of which must serve purposes of public interest.

To process personal data for these purposes, the data controller must adopt and prove that it has complied with all the quality and security measures necessary to safeguard that the data is used exclusively for such purposes.

Once these conditions have been met, the controller may store and use the data for an indefinite period of time and if he wishes to publish the results and analyses obtained, he must anonymize such data.

It is necessary to make the prevention that this type of data is not the same as the “statistical data“, defined by the new law as the “data that, in its origin, or as a consequence of its processing, can not be associated with an identified or identifiable data subject“. The latter are not personal data, unlike personal data for historical, statistical, scientific and study or research purposes.

3. Geolocation data

Although the new law does not define Geolocation data, it is established with respect to it that the data subjects of said data must be informed in a clear, sufficient and timely manner about:

The type of geolocation data that will be processed.
Purpose and duration of the processing.
Possibility of communication or transfer to a third party for the provision of a service with added value.