Payments to and from persons are personal data. Special personal data can be derived from payment details. Special categories of personal data require extra protection. The processing of such data is prohibited, unless there is a statutory exception. With the Don't-PSD2-me registry, we want to be able to filter account details of organisations whose transaction data should be considered special categories of personal data.
Personal data is any information about an identified or identifiable person. Special categories of personal data are personal data that reveal or consist of:
- racial or ethnic origin,
- political views,
- religious or philosophical beliefs,
- trade union membership,
- genetic data,
- biometric data for the unique identification of a person,
- data concerning health, or
- data relating to a person's sexual behaviour or sexual orientation.
Don't-PSD2-me registry and special categories of personal data
The Don't-PSD2-me registry probably cannot filter all data. Therefore, at this stage, we will set up the Don't-PSD2-me registry in such a way that only account numbers that clearly show that they are personal data in themselves will be included.
Special categories of personal data can often be linked one-to-one to organisations. This has to do with the way in which organisations are registered. A selection at the Dutch Chamber of Commerce yielded 2400 organisations that matched the SBI codes and process special categories of personal data of individuals.
What matters are the transactions between the organisation and the person. Sometimes this is simple: think of membership of a trade union. In other cases, transaction data give no direct information but can give an indication through which profiling can take place. Think, for example, of the amount and frequency of payments at a pharmacy. Other data can (probably) not, or only after interpretation, be seen as special personal data. The most obvious category consists of account numbers for contribution payments, membership payments and donations to:
- political groups
- trade unions
- associations active in the field of sexual behaviour or sexual orientation
- religious institutions.
Criminal data require further investigation
Criminal data are not special categories of personal data under the GDPR. However, there is a separate, strict regime under which they may only be processed by the said parties. As far as we are concerned, this extra protection also applies to payments to the judicial authorities, such as the account number of the Dutch CJIB, because these can be regarded as criminal data. Read more about this in this item.
Health data cannot be derived directly
Healthcare deserves special attention because payments are not always made directly from a person to a healthcare provider. However, there are patient organisations from which it is possible to derive special personal data. There is a relationship with ROM data; see this external site.
Sometimes ordinary personal data are special
Sometimes ordinary personal data are special. An example of this is the statement that being a sex worker is a special category of personal data. Or what about the statement of the Advertising Code Committee on a cancer patient's likes on Facebook: within the limits of the law, and yet violating privacy? These examples show how far-reaching the issue can be.