Research Using Health Related Personal Data

It is important to know that Ireland has introduced detailed Health Research Regulations (HRR). Research using personal health-related data needs to comply with the Health Research Regulations. The Irish HRRs have been brought in under the GDPR, which gives EU Member States more national control over certain areas.

Under the GDPR, the following are 'special category' personal data:

  • personal data revealing racial or ethnic origin
  • personal data revealing political opinions
  • personal data revealing religious or philosophical beliefs
  • personal data revealing trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • data concerning health
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation

In the context of the HRR it is especially important for researchers to remember that health-related research projects will include ‘special category’ personal data that are more sensitive by nature and need to:

  1. be based on one or more legal bases (as per GDPR Article 6)
  2. in order to be lawfully processed as special category data, be based on a separate condition for processing under Article 9, in addition to the lawful basis under Article 6 of the GDPR. These do not have to be linked. There are 10 conditions for processing special category data in Article 9 (a)-(j)
  3. have safeguards in place to protect an individual's fundamental rights; the HRR make explicit consent one of these safeguards

The HRR require that the processing of personal health data for research purposes is based, as a default, on explicit consent as a safeguard. This is in addition to other suitable and specific measures that need to be in place as well. Health research projects of substantial public interest, where explicit consent is not feasible to obtain, need to apply to the Health Research Consent Declaration Committee (HRCDC).

Researchers working with health-related personal data should also:

  • Have absolute clarity on who is responsible for the personal data. This can be one organisation alone, or more than one organisation jointly. Any collaborative research, where more than one organisation can make decisions on 'how' and 'why' personal data are processed, should put joint controller agreements in place, which clearly define each party's roles and responsibilities in terms of data protection obligations.
  • Have a governance committee in place that is responsible for ensuring the processing of personal data is in line with legal requirements.
  • Know who the personal data will be shared with, now and going forward, and put data sharing agreements in place accordingly. Individuals whose personal data are used in the project need to be informed about this from the outset.
  • Be aware of any outsourcing you intend to do, e.g. of certain processing operations to experts external to your organisation. If you use such processors, you are required by law to manage the Controller-Processor Relationship and put an agreement in place.
  • Put appropriate and stringent security measures in place to safeguard the confidentiality, integrity and security of the personal data you process.
  • Map your project's dataflows and consider the lifecycle of the personal data you process, from the point the data enter your organisation to the point of safe deletion.
  • Make sure you design informative privacy notices and Patient Information Leaflets (PILs) and provide them to the individuals you wish to collect personal data from in advance of commencing the collection. This is very important so that they can make informed decisions regarding their choice to participate or not.
  • Don't forget that there are restrictions on transferring personal data outside the EEA and that any such transfers to a third country require appropriate provisions to be put in place before they can happen.
  • Remember that it is very likely you will have to do a Data Privacy Impact Assessment (DPIA). A DPIA needs to be undertaken before the project plan is finalised, and sufficient time should be allowed for the process.