GDPR and sensitive data

Answer:

Date of birth is not special category data as defined under the GDPR, however, health data is, and in this case if you are collecting and processing personal data you need to perform a DPIA. Also note that PIA and DPIA are the same thing.

If you want to get more insight into DPIAs check out this webinar: Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/

Thank you!! This is helpful.

What constitutes "processing of health info"? What info should a company have to figure out whether GDPR applies to them?

1. “Data concerning health” or "health information" is defined by the GDPR as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

2. The GDPR primarily applies to businesses established in the EU. It will also apply to businesses based outside the EU that offer goods and services to, or monitor, individuals in the EU.

You can gain more insight into the EU GDPR by checking out our free EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//