OneTrust Certified Privacy Professional Practice Exam


Prepare for the OneTrust Certified Privacy Professional Exam with detailed questions and explanations. Utilize flashcards and comprehensive MCQs to ensure you're ready to excel in your certification journey.

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



Which of the following constitutes a lawful basis for processing sensitive personal data under GDPR?

  1. General consent

  2. Explicit consent or necessity for employment, health, or vital interests tasks

  3. Public interest only

  4. Legitimate interests of the processor

The correct answer is: Explicit consent or necessity for employment, health, or vital interests tasks

The correct choice highlights that explicit consent or necessity for employment, health, or vital interests tasks is indeed a lawful basis for processing sensitive personal data under the General Data Protection Regulation (GDPR). Under GDPR, sensitive personal data includes information such as racial or ethnic origin, political opinions, religious beliefs, health information, and sexual orientation. Because of the potential risks associated with the processing of such data, GDPR requires that organizations identify specific lawful bases for processing this category of data.

Explicit consent is one of the most common lawful bases and requires that individuals provide clear and unmistakable evidence of their agreement to the processing of their sensitive data. This means that consent cannot be assumed or inferred from silence or pre-ticked boxes. Additionally, processing is lawful if it is necessary for carrying out the obligations and exercising specific rights under employment law or for the purposes of health care and medical treatment. This shows a strong link between the necessity of processing and the protection of vital interests, ensuring that sensitive data is handled appropriately and in individuals' best interests.

The other options do not fulfill the specific conditions required for the processing of sensitive personal data. General consent lacks the explicit nature required, public interest alone without necessity or consent does not cover the breadth required by GDPR, and