How do the two hurdles of lawful processing and special category data fit together for data concerning health? #GDPR

The GDPR has a two-stage process for you to confirm that you have a lawful basis for any personal data you process.

First stage

The first stage is to identify which of several broad categories applies to the personal data you process. These are listed in Article 6 of the GDPR. Data concerning health may be processed because it is necessary for a task carried out in the public interest (Article 6(e)).

If the personal data is not special category data (Article 9 of the GDPR), the data may be processed lawfully, and the second hurdle or stage is not relevant. If the personal data is a special category of data, for example, data concerning health, you must consider the second stage. 

Second stage

If the personal data is a special category of personal data and, it may not be processed unless permitted by the GDPR and subject to any conditions in the GDPR. 

Data concerning health may be processed – according to Article 9 (h) but the condition is that a professional subject to the obligation of confidentiality, such as pharmacist or pharmacy technician, must be responsible for a pharmacy company’s processing of that data concerning health.

View our GDPR page for more information