Sensitive Personal Data – Special Category Under The GDPR

There are certain types of data that the General Data Protection Regulation (GDPR) considers to be sensitive personal data and therefore classifies under the special category of personal data.

What are the special categories of personal data?

The GDPR distinctly specifies which data is considered sensitive and falls under the special category of data:

  • Data revealing racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data processed to uniquely identify a natural person
  • Health data
  • Data concerning an individual’s sex life or sexual orientation

The GDPR prohibits the processing of the abovementioned types of data. Of course, there are certain exemptions to the rule.

Exemptions to the prohibition of processing sensitive personal data

There are certain exceptions to the prohibition on processing special category data.

Where it is allowed by Union or Member State law and performed under special safeguards to protect personal data and other fundamental rights, sensitive personal data can be processed in the field of:

  • Employment law
  • Social protection law (including pensions)
  • Health security reasons
  • Protection of the vital interests of the data subject
  • Public health and the management of healthcare services
  • The establishment, exercise, or defense of legal claims
  • Archiving, research, and statistics (if permissible by law)
  • Public interest

Recital 52 explains that the processing of special categories of personal data can be allowed when it is permissible by Union or Member State law if sensitive data is protected by suitable safeguards and other fundamental rights are protected.

Sensitive data can also be processed if it is in the public interest; in the field of employment law or social protection law, including pensions; or for health security, monitoring, and alert purposes, including the prevention or control of communicable diseases and other serious threats to health.

When can you process sensitive personal data?

1. Explicit consent

Processing sensitive personal data is possible if the data subject has given explicit consent to processing those data.

An individual can give explicit consent for one or more specified purposes, except where Union or Member State law provides that the prohibition cannot be lifted by the data subject.

2. Employment, social security, and social protection

Processing of sensitive data is permitted if it is authorized by law and necessary for exercising the data controller’s or data subject’s rights, or if it is necessary to carry out obligations under employment, social security, or social protection law.

In all cases, adequate safeguards for protecting the data subject’s fundamental rights and interests have to be present.

3. Vital interests

Sensitive data may be processed if it is crucial to protect the vital interests of the data subject or another individual and the data subject is physically or legally incapable of giving consent.

4. Not-for-profit bodies

Processing is permitted if it is carried out with appropriate safeguards by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim.

This is on the condition that the processing relates only to the members, former members, or individuals who have regular contact with the body in connection with its purposes.

The non-profit body has to ensure that the personal data is not disclosed outside that body without the proper consent of the data subjects.

5. Information made public by the data subject

It is permissible to process sensitive personal data if the data subject has already made the data manifestly public and accessible.

6. Legal claims or judicial acts

Processing is permitted if it is necessary for the establishment, exercise, or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure, or whenever courts are acting in their judicial capacity.

7. Public interest

The processing of sensitive data is allowed if a considerable public interest is at stake. However, the processing should be legally permitted and proportionate to the goal pursued.

Processing should also be conducted with respect for the right to data protection and provide safeguards for the fundamental rights and interests of the data subject.

8. Health or social care

Processing is permitted if it is necessary for the purposes of preventive or occupational medicine, or for:

  • The assessment of the working capacity of the employee
  • Medical diagnosis
  • The provision of health or social care
  • The provision of health treatment
  • The management of health systems and services
  • The management of social care systems and services

This processing has to be permitted by Union or Member State law or under a contract with a health professional. Additional safeguards to protect sensitive data have to be provided.

The GDPR also states that the Member States can add specific conditions and limitations for genetic, biometric, or health data.

Recital 53 deals with processing sensitive data in the healthcare and social sectors.

9. Public health

Processing is permitted where it is aimed at preventing or controlling contagious diseases and other health threats.

This kind of processing is aimed at countering cross-border threats to health and ensuring high standards of quality and safety for health care, medicinal products, or medical devices.

Processing in the name of public health has to be based on the EU or Member State law with appropriate measures and safeguards to protect the rights and freedoms of the data subject, in particular, professional secrecy.

10. Archiving, research, and statistics

Processing is permitted where it is necessary for:

  • Archiving purposes in the public interest
  • Scientific or historical research purposes
  • Statistical purposes

The processing must be carried out in accordance with Article 89(1) and based on law that is proportionate to the aim pursued and provides specific measures to safeguard the fundamental rights and interests of the data subject.

What is the difference between personal data and sensitive personal data?

The difference between personal and sensitive personal data is that processing sensitive personal data requires additional protection granted by the GDPR since processing those types of data can involve severe and unacceptable risks to fundamental human rights and freedoms.

Also, for you as a controller or processor, different sets of rules are applied when processing special categories of data.

At the same time, the Member States can also introduce further conditions, including limitations, about the processing of genetic data, biometric data, or data concerning health.

Example of a special category of data

When going through the list of what is considered sensitive personal data, new terms are introduced that need further clarification:

Example of biometric data

Are photographs sensitive personal data?

According to Recital 51, photographs are considered biometric data only when they are processed with specific means that allow the unique identification of a person in the photo, even though photography can reveal someone’s racial identity or other sensitive information.

Example of health data

  • Information gathered during check-in or registration at a health facility, or during an application for medical treatment
  • Patient medical history
  • Information on any disability, illness, medical diagnosis, medical treatment, or medical opinion
  • Results of health tests or medical examinations
  • Fitness tracker data
  • Appointment details
  • Medical invoices from which details about an individual’s health can be inferred

Example of genetic data
Steps to take when processing sensitive personal data

1. Explore the alternatives

When processing sensitive personal data, the first thing is making sure that there is no other way to achieve the desired goal that would be less intrusive on the individual’s sensitive personal data.

2. Ensure the lawfulness of processing

For processing to be lawful, you must comply with GDPR Article 6 (Lawfulness of processing).

Identify the lawful basis for personal data processing in your case and ensure your processing is done according to the GDPR principles.

3. Identify the exemption

Check Article 9 and identify which of the ten possible exemptions for processing sensitive personal data apply to your case.

If you cannot find an appropriate exemption for your case, you cannot process the sensitive data.

4. Identify additional conditions

Once you have identified the applicable exemption, note that several of the exemptions require a further basis in Union or Member State law.

If you want to make sure processing is compliant, contact your supervisory authority and get acquainted with the regulations and laws governing the area of your interest to meet additional conditions.

Consider this if you are processing data related to employment, social security, and social protection; sensitive data in the public interest; data regarding health, social care, or public health; or data for archiving, research, and statistics.

5. Get familiar with your obligations

Processing special categories of data may entail other obligations, such as appointing a DPO, conducting a DPIA, complying with Article 22 on automated individual decision-making (including profiling), and implementing suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests.

Make sure you are acquainted with all your obligations. The processing of special category data can affect your other obligations, in particular, the need for documentation.

6. Conduct the DPIA

The next step will be assessing if you need to complete a data protection impact assessment (DPIA) for any type of processing that is likely to be high-risk.

Conducting a DPIA is an important aspect of an organization’s GDPR accountability obligations.

7. Document everything

Document the entire process and update your privacy notice, including all relevant information regarding the processing of special category data.

8. Take additional steps

Check with your supervisory authority to find out if there are any additional limitations if you are processing genetic data, biometric data, or data concerning health.

Key Takeaways

In conclusion, the GDPR distinctly identifies sensitive personal data, encompassing various categories such as health, genetics, and biometrics.

While the Regulation generally prohibits processing such data, it allows for specific exemptions under defined circumstances.

These exceptions range from explicit consent and employment-related processing to cases involving vital interests, not-for-profit bodies, public information, legal claims, public interest, health or social care, public health, and archiving, research, and statistics.

It is crucial for organizations to carefully navigate these exemptions, ensuring compliance with legal requirements and safeguarding individuals’ fundamental rights.
