1. I am running a charity NGO. Are there any specific GDPR rules I need to consider?
2. The NGO is supporting people with disabilities and we have a database of the persons that received help from us. Am I allowed to hold this database?
3. The database also contains the disability and medical condition. Do I need consent to keep this data?
4. We also have copies of medical prescriptions which we reimburse to some of our members. Is this ok?
2. Health data falls under special category data, and you need to be extremely careful when processing it. There are specific requirements relating to the processing of special category data.
3. First of all, if you rely on consent, "express" consent is necessary, which is more strictly regulated by the GDPR. Basically, you would need a statement from the data subject that you can process health data.
4. The same rule around express consent applies if you want to keep the prescriptions. However, you should find ways not to keep the prescription, or maybe anonymize the content to remove any medical information.