On 16 December 2022, Resolution 255/2022, expanding the definition of sensitive data under the Personal Data Protection Act to include genetic, ethnic and biometric data and outlining the cybersecurity measures to be implemented for processing such data, enters into force following its publication in the Official Gazette. The Resolution notes that the changes were made due to technological innovation and the growing use of biometric data in the digital economy. In particular, genetic data is defined as "data related to the inherited or acquired genetic characteristics of a human person that provide information about their physiology or health", and its use could potentially be discriminatory to the data subject. Entities collecting and processing sensitive data, including genetic data, have to implement preventive, detective and responsive security measures to ensure the resilience of their systems, and establish procedures restricting access to, use of and circulation of the data.