Article 30.01
Without prejudice to the principles set out in this Act, a data controller or data processor shall not process, or permit a data processor to process on its behalf, sensitive personal data, unless the —
(a) data subject has given and not withdrawn c...
Article 30.02
The Commission may make regulations or issue directives prescribing —
(a) further categories of personal data that may be classified as sensitive personal data;
(b) further grounds on which such personal data may be processed; and
(c) safeguards t...
Article 30.03
The Commission shall, in making regulations or issuing directives under subsection (2), have regard to the —
(a) risk of significant harm that may be caused to a data subject or a class of data subjects by the processing of such category of personal d...