Sensitive Personal Data – Special Category Under The GDPR

There are certain types of data that the General Data Protection Regulation (GDPR) considers to be sensitive personal data and therefore classifies them under the special category of personal data. 

What are special categories of personal data?


The GDPR distinctly specifies which data is considered sensitive and fall under the special category of data:

• data related to racial or ethnic origin,
political opinions,
religious or philosophical beliefs,
trade union membership,
genetic data,
biometric data for the purpose of uniquely identifying a natural person,
• data concerning health,
• data concerning an individual’s sex life or sexual orientation

The processing of the abovementioned types of data is prohibited by the GDPR. Of course, there are certain exemptions that we will discuss later on.

Exemptions to the prohibition of processing sensitive personal data

There are certain exceptions to the prohibition of the processing of special category data.

Where it is allowed by Union or Member State law and performed under special safeguards to protect personal data and other fundamental rights:

• in the field of employment law,
social protection law (including pensions)
health security reasons,
• protection of vital interest of data subject
public health and the management of health-care services
• in the context of a legal claim
archiving, research, and statistics (if permissible by law)
public interest

Further elaborated in Recital 52: “Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring, and alert purposes, the prevention or control of communicable diseases and other serious threats to health.”

As specified in Article 9 you can still process sensitive personal information if:

Exceptions to the prohibition of processing sensitive personal data and special category of data GDPR

1. Explicit consent

Processing of sensitive personal data is possible if the data subject has given explicit consent to the processing of those data. An individual can give explicit consent for one or more specified purposes, except where the European Union or Member State decides that the prohibition can not be lifted by the data subject.

2. Employment, social security, and social protection

If the processing of sensitive data is authorized by law, and necessary for exercising the data controller or data subject’s rights. Or if it is necessary for carrying out the obligations related to employment, social security and social protection law. In all cases, adequate safeguards for the protection of fundamental rights and interests of the data subject have to be present.

3. Vital interests

Sensitive data may be processed, if it is crucial to protect the vital interests of the data subject or of another individual, and the data subject is physically or legally incapable of giving consent.

4. Not-for-profit bodies

If the processing is carried with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. On the condition that the processing relates only to the members, former members, or individuals who have regular contact with it regarding its purposes. The non-profit body has to make sure that the personal data is not disclosed outside that body without the proper consent of the data subjects.

5. Made public by the data subject

It is permissible to process sensitive personal data of a data subject if the data subject has already made the data public and accessible

6. Legal claims or judicial acts

Data processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity. Whether in court proceedings or in an administrative or out-of-court procedure.

7. Public interest

The processing of sensitive data is allowed if there is a considerable public interest at stake. However, the processing should be permitted by law, and proportionate to the goal that is pursued. Processing should also be conducted with respect to the right to data protection and provide safeguard measures to the fundamental rights and the interests of the data subject;

8. Health or social care

Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of:

• the working capacity of the employee,
medical diagnosis,
• the provision of health and social care
• provision of health treatment
• management of health
management of social care systems and services

This processing has to be permitted by Union or Member State law or pursuant to contract with a health professional. Additional safeguards to protect sensitive data has to be provided.

The GDPR also states that the Member States can add further specific conditions and limitations for genetic, biometric or health data.

Recital 53 deals with the processing of sensitive data in the healthcare and social sector.

9. Public health

The processing of sensitive data is aimed at the prevention or control of contagious diseases and other health threats. This kind of processing is aimed at cross-border threats to health and ensuring high standards of safety of health care, medicinal products or medical devices.

Processing in the name of public health has to be based on the EU or Member State law with appropriate measures and safeguards to protect the rights and freedoms of the data subject, in particular, professional secrecy.

10. Archiving, research, and statistics

Processing is done for:
archiving purposes in the public interest,
scientific or historical research
statistical purposes

The processing is done in accordance with Article 89(1) and based on the law, which is proportionate to the goal that wants to be achieved, and with specific measures to safeguard the fundamental rights and the interests of the data subject.

follow us on linkedin

What is the difference between personal data and sensitive personal data?

Not every piece of information is considered to be personal data, and the GDPR offers a definition of what qualifies as personal data.

Personal data is information that relates to an identified or identifiable natural person.

This means that personal data allows identification of a data subject directly or indirectly, by name, an identification number, location data, an online identifier or physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The term is used broadly and can include less specific information, such as IP address.

The difference between personal data and sensitive personal data is that processing sensitive personal data requires additional protection granted by the GDPR, since processing those types of data can involve severe and unacceptable risks for fundamental human rights and freedoms.

Also, for you as a controller or processor, different sets of rules are applied when processing special categories of data.

Article 9 of the GDPR, explains that the processing of sensitive personal data is prohibited, with certain exemptions.

At the same time, the Member States can also introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data, or data concerning health.

Example of a special category of data

When going through the list of what is considered to be sensitive personal data, there are new terms being introduced and therefore need further clarification:

Example of biometric data

facial recognition
• fingerprints
voice recognition
• iris scanning
• palmprint verification
retina recognition

Additionally, according to the Recital 51, photographs are considered biometric data only when they are processed with a specific means that allow the unique identification of a data subject, despite the fact that photography can reveal someone’s racial identity or other sensitive information.

Example of health data

• information gathered during the check-in or registration into a health facility or during the application for a medical treatment
• patient medical history
• information on any disability, illness, medical diagnosis, medical treatment, medical opinions
• results of health tests, medical examination
fitness tracker data
• appointment details
• medical invoices from which you can find out details about individuals’ health

Example of genetic data

chromosomal analysis
• deoxyribonucleic acid (DNA) analysis
• ribonucleic acid (RNA) analysis

Example of a special category of sensitive personal data

Requirements for processing personal data

There are certain principles, preconditions, and steps that need to be taken before processing any type of personal data, and this is applicable when processing a special category of personal data outlined in Article 5 of the GDPR:

• personal data must be processed lawfully, fairly and transparently
• data must be collected for a specific purpose
• processing must be adequate, limited and relevant (data minimization principle)
• data must be as accurate and kept up to date
• data should be kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation, anonymization, pseudonymization)
• Implement adequate technical and organizational data protection measures 

Steps to take when processing a special category of data

1. When processing sensitive personal data, the first thing is making sure that there no other way to achieve the desired goal that would be less intrusive on personal data of the individual.

2. For processing to be lawful, you must be compliant with GDPR Article 6 -Lawfulness of processing. Identify what a lawful basis for personal data processing in your particular case is. Make sure your processing is done according to the principles and requirements outlined in Article 5.

3. Check Article 9 of the GDPR and identify which of the 10 possible exceptions for processing sensitive personal data applies to your case. If you can not find an appropriate exception for your case, then you will not be able to process sensitive data.

4. However, if you identified the proper exception, there are few of them that require further support in EU law or Member State law. If you want to make sure everything is compliant, contact your supervisory authority and make sure you get acquainted with the regulation and law governing the area of your interest to meet additional conditions.

Take this into consideration if processing data related to: employment, social security, and social protection; sensitive data in the public interest; data regarding health, social care or public health; and archiving research, and statistics.

5. The next step will be assessing if you need to complete a data protection impact assessment (DPIA) for any type of processing which is likely to be high risk. Conducting a DPIA is an important aspect of the General Data Protection Regulation (GDPR) accountability obligations of an organization.

What is a DPIA and how to conduct it? [Video & Infographics]

6. Document the entire process, update your privacy notice, including all relevant information regarding the processing of special category data.

7. Processing special categories of data may entail other obligations, like appointing a DPO, conducting a DPIA, compliance with Article 22 regarding automated individual decision-making, including profiling, and the implementation of suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests. Make sure you are acquainted with all your obligations.

The processing of special category data, can affect your other obligations in particular the need for documentation, DPIA, DPO and EU representatives.

8. Check with your supervisory authority to find out if there are any additional limitations regarding the processing of genetic data, biometric data or data concerning health.

GDPR fines related to the processing of sensitive personal data

1.Doorstep Dispensaree Pharmacy- €320,000

The first fine issued by the ICO (if we exclude Marriot and British Airlines which are not finalized), was issued to a Pharmaceutical Company (€320,000 or £275,000).

The fine was issued on the fact that the pharmacy had insufficient technical and organizational measures to ensure the security of a special category of data.

GDPR fine: €320,000 fine to London-based Pharmacy

2. Rhineland-Palatinate Hospital – €105,000

Several GDPR breaches occurred during the admittance of the patient that resulted in issuing the wrong invoice to the patient and revealed more serious privacy issues the hospital was struggling with.

GDPR fine: €105,000 Fine to a Hospital