Last review date: January 2025
Yes
The following are potential legal bases for processing personal data:
☒ the data subject has provided consent to the processing for the identified purposes
☒ the personal data is necessary to perform a contract with the data subject
☒ the personal data is necessary to comply with a legal obligation
☒ the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)
Last review date: January 2025
The following are potential legal bases for processing sensitive personal data:
☒ the data subject has given consent to the processing, where consent is measured to a higher standard than for non-sensitive personal data (for example, additional requirement for consent to be "explicit")
☒ other
All controllers and processors require a license issued by the PDPC to process sensitive personal data, in addition to obtaining the explicit written consent of the data subject (except where authorized by law). The pending executive regulations should include further details on the licensing criteria and process.
The PDPL also refers to an obligation on data protection officers to implement the security policies and procedures necessary to avoid a breach or infringement of sensitive personal data.
Last review date: January 2025
Yes, Data relating to children is considered to be sensitive personal data under the Personal Data Protection Law (“PDPL”), which requires a controller or processor to obtain a license for processing the same.
Last review date: January 2025
☒ generally
Last review date: January 2025
What are the special requirements that apply to collecting personal data from minors?
☒ other
Such data would automatically be considered sensitive personal data and the enhanced protections in the PDPL would apply (including a requirement to obtain a license for processing of sensitive personal data).