Expert Advice Community

Processing of sensitive personal data

Guest
Guest user Created: May 18, 2018 Last commented: May 18, 2018

We have a customer who has a presence in the EU (US headquarters). They provide us the race and ethnicity of their employees as part of our processing their data for talent assessment and succession planning. The process involves issuing questionnaires to employees, and we are often gathering information not provided by our customer (the employer). For example, an employee is asked to rate his/her own fluency in various languages where the company operates. Currently, we do not have a mechanism for the employee to correct race/ethnicity information, but presumably there is a mechanism to fix it with their human resources department. To me, it appears that we and they are violating GDPR rules against processing this data and placing it in reports.

Expert
Andrei Hanganu May 18, 2018

Please let me know if there is anything we need to do about this.

Answer:

The EU GDPR places much stronger controls on the processing of sensitive personal data. While there are a number of processing conditions, those conditions are narrower. Any processing of personal data must satisfy at least one of the following conditions:
a. Explicit consent - The individual has given explicit consent. However, Union or Member State law may limit the circumstances in which consent is available;
b. Legal obligation related to employment - The processing is necessary for a legal obligation in the field of employment and social security law or for a collective agreement;
c. Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies;
d. Not-for-profit bodies - The processing is carried out in the course of the legitimate activities of a not-for-profit body and only relates to members or related persons, and the personal data is not disclosed outside that body without consent;
e. Public information - The processing relates to personal data which is manifestly made public by the data subject;
f. Legal claims - The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
g. Substantial public interest - The processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law;
h. Healthcare - The processing is necessary for healthcare purposes and is subject to suitable safeguards;
i. Public health - The processing is necessary for public health purposes and is based on Union or Member State law; or
j. Archive - The processing is necessary for archiving, scientific or historical research purposes or statistical purposes and is based on Union or Member State law.

However, since you are a processor, it is the controller's duty to ensure that it has a proper legal basis. And if the controller asks you to put the information in reports, it is again his duty to ensure that its request is lawful.
Guest
bgould May 18, 2018

So, the question is whether or not the process is legal. There seem to be very specific limitations on what one can do with special categories of data - including race and ethnicity.
Expert
Andrei Hanganu May 21, 2018

Assessing the legality of the processing activity as regards sensitive personal data is something that the controller needs to do. What you need to ensure is that in the contract with your customer you state that he is fully liable for ensuring that the personal data is collected and processed in a lawful manner.