Processing of Sensitive Data under the Personal Data Protection Law

The Personal Data Protection Law recognises the need for special controls in regard to certain types of datasets such as health and biometric data due to their sensitivity. This blog post will outline the provisions relating to this sensitive data. It is worth noting that the law has also other categories of personal data that have their own controls, namely children data, which will not be covered by this post.

The Personal Data Protection Law and its executive regulation do not have a definition for “sensitive data”, but article 5 of the law stipulates that it is prohibited to process “genetic data, biometric data, health data, racial origin, sex life, political or religious opinions, philosophical beliefs, criminal convictions, or those relating to security measures” without obtaining a permit from the Ministry of Transport, Communications, and Information Technology (MTCIT).

The new Executive Regulation of the Personal Data Protection Law that came out earlier this week clarified how this process takes place. According to article 5 of the regulation, the controller must fill out a form in accordance with the requirements set out by the MTCIT including providing the purpose for processing personal data and the places to which personal data will be transported or stored. Additionally, the controller must submit both their privacy policy and the precautionary measures adopted by him in case of a personal data breach, as per article 6 of the regulation.

Following the submission of the application, the MTCIT will review the application and decide on it within 45 days. If the application is rejected by the MTCIT, justification must be provided. The application is also automatically rejected if the 45 days period lapses without a response. If the application is rejected, the applicant has the option to file a grievance with the Ministry of Transport, Communications, and Information Technology. Again, if there is no response to the grievance within 30 days of its submission, it is deemed rejected.

If the application is approved, the minister may grant the permit for up to 5 years. Any amendments to the permit details must be informed to the MTCIT within 15 days. In terms of renewal, the permit can be renewed for equivalent durations using the same procedures outlined in this blog.

You can read more about the conditions for processing personal data under the Personal Data Protection Law and its executive regulation on the links below: