Special categories of personal data in the Personal Data Bill

Current regulatory context v/s Personal Data Bill

Law 19,628 regulates the protection of personal data without establishing separate regulations for special categories of data, except for sensitive data, for which it establishes special sources of lawfulness.

The following is a brief comparison of the changes introduced by the bill in relation to the current Law 19,628:

Law 19.628	Draft Law on Personal Data
Provides a definition of sensitive data and regulates the legal bases to process them: its processing is prohibited unless the law authorizes it, there is consent of the data subjects or they are necessary data for the determination or granting of health benefits that correspond to their data subjects. Other types of special personal data are not regulated in depth.	Categories of sensitive data, such as sensitive health data and biological profile, and sensitive biometric data are regulated in depth. In addition, new categories of data are regulated, such as data regarding children and adolescents, data for historical, statistical, scientific and study or research purposes, and geolocation data. Obligations are established for those responsible (controllers) for the processing of this type of data.

Law 19.628

Draft Law on Personal Data

Provides a definition of sensitive data and regulates the legal bases to process them: its processing is prohibited unless the law authorizes it, there is consent of the data subjects or they are necessary data for the determination or granting of health benefits that correspond to their data subjects. Other types of special personal data are not regulated in depth.

Categories of sensitive data, such as sensitive health data and biological profile, and sensitive biometric data are regulated in depth. In addition, new categories of data are regulated, such as data regarding children and adolescents, data for historical, statistical, scientific and study or research purposes, and geolocation data. Obligations are established for those responsible (controllers) for the processing of this type of data.

Special categories

Bill on Personal Data regulates special categories of data in Title II, dividing its regulation as follows:

Processing of sensitive personal data
Processing of special categories of personal data

Sensitive Personal Data

The Bill defines sensitive personal data as those relating to:

Physical or moral characteristics of people.
Facts or circumstances of the private life or intimacy of people.

Some examples of these sensitive data that the project includes are the following

Racial or ethnic origin
Political, trade union or trade union affiliation
Socio-economic situation
Ideological or philosophical convictions
Religious beliefs
Data relating to human health and biological profile
Biometric data
Information relating to sex life, sexual orientation and gender identity.

The general rule for processing sensitive data is consent from the data subject. However, the bill allows the processing of such data without the subject’s authorization under certain expressly regulated grounds, which include: (i) that the processing is based on the existence of a legitimate interest carried out by a public or private legal person that does not pursue profit purposes and certain additional conditions expressly established in the bill are met; (ii) that the processing is indispensable to safeguard the life, health or physical or psychological integrity of the holder or of another person or, that the holder is physically or legally prevented from granting his consent; (iii) that it is mandated by law; among others.

Sensitive Personal Data relating to Health and Human Biological Profiling

The Bill does not define health data, but regulates them in a special way, considering them as a kind of sensitive data. It also refers to data relating to the human biological profile, and although it does not expressly define them, it does list some examples of this type of data:

Genetic data
Proteomic data
Metabolic data

According to the bill, all these types of sensitive data (health data and data relating to the human biological profile) may only be processed with the consent of the data subjects and for the purposes provided for by special laws on health matters.

However, the bill establishes special legal bases that allow processing this type of data without consent from the data subject, such as: (i) in case of health alert; (ii) when the processing is indispensable to safeguard the life or physical or psychological integrity of the holder or of another person or when the holder is physically or legally unable to give his consent; (iii) when the processing of the data is necessary for the formulation, exercise or defense of a right before the courts of justice or an administrative body; among others.

Sensitive Biometric Personal Data

Like health and biological profile data, the Bill considers biometric data as sensitive personal data and defines such data as that obtained from specific technical processing and relating to the physical, physiological or behavioral characteristics of a person that allow or confirm the unique identification of him or her, such as fingerprint, iris, hand or facial features and voice.

This data can only be processed with the consent of the data subject. However, they may be processed without consent, complying with the exceptional cases contemplated for health data and biological profile.

Infractions due to non-compliance in the processing of Sensitive Personal Data

The Bill considers sensitive personal data as very important. Because of this, it establishes as a very serious infraction the following conducts:

Violation of the obligation of security of processing or confidentiality on the processing of sensitive personal data.
Knowingly process, communicate or transfer sensitive personal data in contravention of the rules of the law.

Obligation to communicate security breaches of Sensitive Personal Data to the data subjects

In the event of breaches of sensitive personal data security measures, the person in charge must also notify the Agency, report to the data subjects of these data directly or through their representatives when appropriate.

Special Categories of Personal Data

1. Personal data relating to children and adolescents (Data of NNA)

In relation to the data of children and adolescents, the Bill establishes that their processing must attend to the best interests of them and with respect to their progressive autonomy.

The Bill, in relation to the source of legality of these data, makes a relevant distinction:

Personal data of children (data of children under fourteen years of age): the consent of the parents or legal representatives or by the person in charge of the personal care of the child is required, unless expressly authorized or mandated by law.
Personal data of adolescents (over fourteen and under eighteen):
Adolescents over 16 years of age: they may be processed according to the authorization rules provided by law for adults.
Adolescents under 16 years of age: they may only be processed with the consent granted by their parents or legal representatives or who are responsible for the personal care of the minor, unless expressly authorized or mandated by law.

In the event of violations of the data security obligations regarding the processing of personal data of children under 14 years of age, the person in charge, in addition to reporting to the Agency, must report to the parents or legal representatives or by the person in charge of the personal care of the child, unless expressly authorized or mandated by law.

2. Personal data for historical, statistical, scientific and study or research purposes

In relation to this type of personal data, the Bill establishes that with respect to them there is a cause of legitimate interest that authorizes their processing, when the processing is carried out exclusively for historical, statistical, scientific purposes and for studies or research, all of which must serve purposes of public interest.

To process personal data for these purposes, the data controller must adopt and prove that it has complied with all the quality and security measures necessary to safeguard that the data is used exclusively for such purposes.

Once these conditions have been met, the controller may store and use the data for an indefinite period of time and if he wishes to publish the results and analyses obtained, he must anonymize such data.

It is necessary to make the prevention that this type of data is not the same as the “statistical data“, defined by the Bill as the “data that, in its origin, or as a consequence of its processing, can not be associated with an identified or identifiable data subject“. The latter are not personal data, unlike personal data for historical, statistical, scientific and study or research purposes.

3. Geolocation data

Although the Bill does not define Geolocation data, it is established with respect to it that the data subjects of said data must be informed in a clear, sufficient and timely manner about:

The type of geolocation data that will be processed.
Purpose and duration of the processing.
Possibility of communication or transfer to a third party for the provision of a service with added value.