- The processing of special categories of personal data shall be allowed only where strictly necessary for the performance of the controller’s tasks.
- If special categories of personal data are processed, appropriate safeguards for the legally protected interests of the data subject shall be implemented. Appropriate safeguards may be in particular
- specific requirements for data security or data protection monitoring;
- special time limits within which data must be reviewed for relevance and erasure;
- measures to increase awareness of staff involved in processing operations;
- restrictions on access to personal data within the controller;
- separate processing of such data;
- the pseudonymization of personal data;
- the encryption of personal data; or
- specific codes of conduct to ensure lawful processing in case of transfer or processing for other purposes.