The Protection of Gender Identity Under the GDPR

Austria
Although gender identity does not constitute sensitive data under the GDPR, its legal protection is nevertheless very robustly designed. Companies that choose to disregard it may face claims for damages and fines.

With Pride Month celebrated around the world this month, it is timely to reflect on the protection of gender identity under data protection law. The GDPR defines information requiring special protection as so-called sensitive data and imposes particularly strict rules on its processing. However, anyone hoping that gender identity falls under this category will be disappointed. Only personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed to uniquely identify a natural person, health data, and data concerning a natural person's sex life or sexual orientation are protected as sensitive data by the GDPR.

That being said, a robust legal protection of gender identity can still be constructed using the tools of the GDPR. To this end, it is first necessary to distinguish between gender identity on the one hand and biological sex on the other. While gender identity is chosen by the data subject and can therefore only be reliably collected from that person, biological sex is not a matter of self-identification. These two categories of data must be examined separately in order to meaningfully assess the permissibility of their processing.

Processing of data on biological sex is usually prohibited

When it comes to processing data on biological sex, there is usually no legitimate purpose at hand. For example, the collection of data on biological sex in a company's customer database lacks any purpose. The collection of data on gender identity, on the other hand, is relevant, for example, to address a person correctly. The key aspect of gender identity is that it can be chosen by the person concerned and can therefore be changed at any time. Thus, if a company ignores the data subject and processes a different gender identity than the one specified by the data subject themselves, it violates the principle of data accuracy under the GDPR.

The practical challenge is that most currently implemented business processes, as well as the vast majority of available standard software, do not distinguish between gender identity and biological sex. This lack of distinction could in itself constitute a GDPR violation. This is because the inadequate identification of the specific category of data collected and the resulting lack of clarity within the company about the legal framework for processing this data may violate both the principle of data accuracy and the principle of fair processing under the GDPR.

Lack of options regarding gender

Companies that collect data on gender identity under the category "gender" often disregard the fact that there are also persons whose gender identity is neither female nor male and that it must therefore also be possible to specify a gender identity other than these two. In particular, software used for addressing customers typically only has the functionality to address customers as Mr. or Ms., which does not correspond to the essence of gender identity in its modern sense.

Under the GDPR, companies that fail to implement the necessary distinction between gender identity and biological sex in their processes and IT systems therefore risk incurring a fine. The same applies to companies that disregard a request from a data subject to correct their gender identity. For these violations, the fine can reach up to 20 million euros or up to 4% of the global group turnover. In addition, the data subject could claim non-material damages by filing a lawsuit with the court if they have suffered a corresponding emotional or psychological impairment as a result of the disregard for their gender identity or the confusion of gender identity and biological sex.

Businesses would do well to take Pride Month as an opportunity to take a critical look at which of the data still processed as "gender" refers to biological sex and which refers to gender identity. At least in the area of customer data processing, the review will likely reveal that the company only really has a legitimate purpose for processing gender identity. Therefore, this category of data should be consistently designated as gender identity and the input of gender identities other than just "female" or "male" should be allowed.

Inclusion as an added value for business

Such changes to business processes and IT systems can demand considerable time and effort. However, both from a legal and ethical perspective, it must be pointed out that it is in the nature of discrimination that persons belonging to minorities require special consideration. Also, the added business value of diversity and inclusion outweighs any extra expense from an economic perspective. If an enterprise wants to act in a legally compliant and ethically correct manner as well as be equally attractive to all persons regardless of their gender identity, it must urgently face up to this challenge.

#WeAreNotNeutral

By Lukas Feiler, Partner IP Tech, Adrian Brandauer, Associate IP Tech, and Ariane Mueller, Law Clerk IT Tech, Baker McKenzie