Payments to and from persons are personal data. Special personal data can be derived from payment details. Special categories of personal data require extra protection. The processing of such data is prohibited, unless there is a statutory exception With the Don't-PSD2-me egistry, we want to be able to filter account details of organisations whose transaction data should be considered as special categories of personal data.
Personal data is any information about an identified or identifiable person. Special categories of personal data are personal data that indicate:
- racial or ethnic origin,
- political views,
- religious or philosophical beliefs or
- turn out to be trade union membership,
- and processing genetic data,
- biometric data for the unique identification of a person, or
- data concerning health, or
- data relating to a person's sexual behavior or sexual orientation
Don't-PSD2-me register and special categories of personal data
Probably the Don't-PSD2-me registry cannot filter all data. Therefore, at this stage, we will set up the Don't-PSD2-me registry in such a way that only account numbers that clearly show that they are personal data in themselves will be included.
Special categories of personal data are often Connect 1-on-1 to organisations. This has to do with the way in which organisations are registered. A selection at the Dutch Chamber of Commerce yielded 2400 organisations that complied with the Sbi codes and process special categories of personal data of individuals.
Relevant are the transactions between the organisation and the person. Sometimes this is simple, think of membership of a trade union. Another gives transaction data no direct information, but can give an indiction through which profiling can take place. Think, for example, of the amount and frequency of payments at a pharmacy (amount, frequency). Other special personal data can (probably) not or only after interpretation be seen as special personal data. The most obvious category are account numbers for contribution payments, membership payments and donations to:
- political groups
- trade unions
- associations active in the field of sexual behaviour or sexual orientation
- religious institutions.
Criminal data require further investigation
Criminal data are not special categories of personal data under the GDPR. However, there is a separate, strict regime under which they may only be processed by the said parties. As far as we are concerned, this extra protection also applies to payments to the judicial authorities, such as the account number of the Dutch CJIB, because these can be regarded as criminal data. Read more about in this item.
There is no clearer criminal record than if you are in prison. Can you infer detention from someone's payments? An inmate has an own account in a penitentiary institution. Transfers can be made to the account number of the location, stating the registration number, last name and initial(s) of the detainee. From this information a detention can be derived. We have not included these account numbers because the information about the detention does not concern the sender, and the recipient is difficult to identify.
Health data cannot be derived directly
Healthcare deserves special attention because payments are not always made directly from a person to a healthcare provider. However, you do have to deal with patient organisations where it is possible to derive special personal data from them. There is a relationship with ROM data, see these. external site.
Personal contributions are processed for the CAK. This involves determining and collecting the personal contribution under the Long-Term Care Act (Wlz) and the Social Support Act (Wmo) for the municipalities and making payments to care providers under the Long-Term Care Act (Wlz). Each scheme has its own account number. These songs could be included because their own contributions can be derived from them.
Another way is to find a complete register of healthcare-related institutions. A central place is the UZOVI register. UZOVI stands for Unique Healthcare Insurer Identification. The UZOVI register contains the UZOVI numbers and other data of health care insurers and other bodies (including authorised insurance advisers, care offices, label organisations and branch offices). The register contains current and historical information. The UZOVI number to submit claims in the correct manner and to the correct insurer. On enquiry it appears that this register does not register account numbers.
Sometimes ordinary personal data are special
Sometimes ordinary personal data are special. An example of this is the statement that Being a sex worker is special categorie of personal data is. Or what about the statement of the Advertising Code Committee on likes of a cancer patient on Facebook: within the limits of the law, and yet violating privacy? These examples show how far-reaching the issue can be.