Article 30: Sensitive Personal Data

Article 30.01

Without prejudice to the principles set out in this Act, a data controller or data processor shall not process, or permit a data processor to process on its behalf, sensitive personal data, unless the — (a) data subject has given and not withdrawn c...

Article 30.02

The Commission may make regulations or issue directives prescribing — (a) further categories of personal data that may be classified as sensitive personal data; (b) further grounds on which such personal data may be processed; and (c) safeguards t...

Article 30.03

The Commission shall, in making regulations or issuing directives under subsection (2), have regard to the — (a) risk of significant harm that may be caused to a data subject or a class of data subjects by the processing of such category of personal d...