The Commission may make regulations or issue directives prescribing —
(a) further categories of personal data that may be classified as sensitive personal data;
(b) further grounds on which such personal data may be processed; and
(c) safeguards that may apply.