Sensitive Data Under GDPR: What It Is and How to Handle It
Learn what counts as sensitive data under GDPR, the legal requirements for processing it, and practical steps to protect special category data.
Sensitive data under GDPR receives the highest level of legal protection of any personal information. Organizations that collect or process these special categories of data face strict rules on lawful basis, consent, security, and documentation that go well beyond the standard requirements for ordinary personal data.
This article explains what qualifies as sensitive data under GDPR, what the law requires, and how to build compliant processing practices. It is educational content only and does not constitute legal advice. Consult a qualified attorney for your specific circumstances.
What Counts as Sensitive Data Under GDPR
Article 9(1) of the GDPR defines eight special categories of personal data. Processing any of these categories is prohibited by default unless a specific exception applies.
The special categories are:
- Racial or ethnic origin: Nationality, skin color, ethnicity, tribal affiliation
- Political opinions: Party membership, voting preferences, political activism
- Religious or philosophical beliefs: Faith, atheism, ethical worldview
- Trade union membership: Union affiliation, participation in collective bargaining
- Genetic data: DNA sequences, inherited characteristics, genetic test results
- Biometric data: Fingerprints, facial recognition templates, iris scans, voice prints (only when used for unique identification)
- Health data: Medical records, diagnoses, prescriptions, disability status, mental health information, fitness tracker data
- Sex life or sexual orientation: Sexual behavior, orientation, gender identity
Criminal conviction and offense data is handled separately under Article 10 with its own set of restrictions, but it is often grouped with sensitive data in practical compliance discussions.
When Ordinary Data Becomes Sensitive
Context matters. Data that appears ordinary on its own can become sensitive when combined with other information. For example:
- A user's location data is not inherently sensitive, but repeated visits to a cancer treatment center reveal health information
- A purchase history is routine commercial data, but buying religious texts or political literature can reveal beliefs
- An employee's calendar is basic scheduling data, but recurring entries for therapy appointments disclose health status
Organizations should evaluate not just individual data points but what those data points reveal when combined. If a reasonable inference about any of the eight categories is possible, treat the data as sensitive.
The Dual Legal Basis Requirement
Processing sensitive data under GDPR requires satisfying two separate legal tests simultaneously. This is stricter than the single lawful basis required for ordinary personal data.
Step One: Establish a Standard Lawful Basis (Article 6)
You must first identify one of the six standard lawful bases:
- Consent
- Performance of a contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Step Two: Satisfy an Article 9(2) Exception
You must also meet one of the ten exceptions that lift the general prohibition on processing sensitive data:
| Exception | Typical Use Case | Key Conditions |
|---|---|---|
| Explicit consent | Health apps, genetic testing services | Must be freely given, specific, informed, unambiguous, and documented |
| Employment and social security | HR systems processing disability or union data | Must be authorized by EU or member state law with appropriate safeguards |
| Vital interests | Emergency medical treatment | Only when the data subject is physically or legally incapable of giving consent |
| Nonprofit processing | Churches, unions, political parties processing member data | Limited to members and former members, no external disclosure without consent |
| Data manifestly made public | Processing data a person has clearly chosen to make public | Must be genuinely public, not merely accessible |
| Legal claims | Litigation, regulatory proceedings | Processing must be necessary for establishing, exercising, or defending claims |
| Substantial public interest | Fraud prevention, equality monitoring | Must be proportionate, have a basis in law, and include safeguards |
| Healthcare purposes | Hospitals, insurers, occupational health | Must be subject to professional secrecy obligations |
| Public health | Epidemiology, pharmacovigilance | Must be based in EU or member state law with appropriate safeguards |
| Archiving, research, statistics | Academic research, historical archives | Must include technical and organizational safeguards for data minimization |
The most commonly used exception in commercial settings is explicit consent. Unlike standard GDPR consent, explicit consent for sensitive data must be a clear, affirmative statement specifically addressing the sensitive processing. Pre-checked boxes, silence, or bundled consent do not qualify.
How to Obtain Valid Explicit Consent for Sensitive Data
Because explicit consent is the most frequent commercial basis for processing sensitive data under GDPR, getting it right is critical.
Requirements for Valid Explicit Consent
- Separate from other consents: Do not bundle sensitive data consent with terms of service acceptance or marketing opt-ins
- Specific to the processing purpose: "We will use your health data to provide personalized fitness recommendations" is valid. "We will use your data to improve our services" is too vague.
- Clear affirmative action: Require the user to actively check a box, sign a statement, or type a confirmation. Do not rely on continued use of the service as implied consent.
- Documented and timestamped: Record exactly what was consented to, when, and how
- Withdrawable: Provide a mechanism to withdraw consent that is as easy as the mechanism used to give it
Example Consent Language
A fitness app collecting health data might use:
"I consent to [Company Name] processing my heart rate, workout history, and body measurements to provide personalized training recommendations. I understand I can withdraw this consent at any time through my account settings, and my data will be deleted within 30 days of withdrawal unless retention is required by law."
Common Consent Mistakes
- Burying sensitive data consent in a lengthy privacy policy that nobody reads
- Using a single checkbox to cover both sensitive and non-sensitive processing
- Making consent a precondition for accessing features that do not require sensitive data
- Failing to provide a clear withdrawal mechanism
- Not keeping records of when and how consent was obtained
Your privacy policy must clearly describe each category of sensitive data you process, the specific purpose for each, and the legal basis you rely on.
Security Safeguards for Sensitive Data
Article 32 of the GDPR requires "appropriate technical and organisational measures" for all personal data, but sensitive data demands a higher standard. Supervisory authorities and courts will evaluate your security measures against the elevated risk that sensitive data breaches pose to individuals.
Technical Controls
- Encryption at rest and in transit: Use AES-256 or equivalent for stored data and TLS 1.2+ for data in transit
- Access control: Implement role-based access with the principle of least privilege. Only employees who need sensitive data to perform their job should have access.
- Segregation: Store sensitive data in separate database tables or schemas with independent access controls. Do not commingle sensitive data with general-purpose datasets.
- Pseudonymization: Replace direct identifiers with tokens where possible. This reduces risk if a breach occurs.
- Audit logging: Log every access to sensitive data, including who accessed it, when, and for what purpose. Retain logs long enough to support incident investigation.
- Data masking: Use masked or synthetic data in development, testing, and analytics environments. Never copy production sensitive data to non-production systems.
Organizational Controls
- Data minimization: Collect only the sensitive data you genuinely need. If you can achieve the same purpose with non-sensitive data, do so.
- Retention limits: Set shorter retention periods for sensitive data than for ordinary data. Delete or anonymize when the purpose is fulfilled.
- Staff training: Train every employee with access to sensitive data on handling requirements, breach reporting, and their personal liability
- Vendor management: Require Data Processing Agreements (Article 28) with all processors handling sensitive data. Verify their security measures and conduct periodic audits.
- Incident response: Maintain a specific incident response plan for sensitive data breaches, with escalation procedures, notification templates, and designated responsible personnel
When a Data Protection Impact Assessment Is Required
Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA) before any processing that is "likely to result in a high risk" to individuals. Sensitive data processing frequently triggers this requirement.
Situations That Require a DPIA
The European Data Protection Board (EDPB) guidelines identify several criteria. Meeting two or more generally requires a DPIA:
- Processing sensitive data or data of a highly personal nature
- Processing data on a large scale
- Systematic monitoring of individuals
- Automated decision-making with legal or similarly significant effects
- Combining datasets from different sources
- Processing data of vulnerable individuals (children, employees, patients)
- Using new technologies
What a DPIA Must Include
Under Article 35(7), a DPIA must contain at minimum:
- A systematic description of the processing operations and their purposes
- An assessment of the necessity and proportionality of the processing
- An assessment of the risks to the rights and freedoms of data subjects
- The measures planned to address those risks, including safeguards and security measures
Practical DPIA Process
- Identify: Map all sensitive data flows, including collection points, storage locations, access paths, and deletion mechanisms
- Assess: Evaluate the likelihood and severity of potential harm if the data were breached, misused, or lost
- Mitigate: Document specific controls that reduce identified risks to an acceptable level
- Review: Set a review schedule (at minimum annually, or whenever processing changes materially)
- Consult: If residual risk remains high after mitigation, consult your supervisory authority under Article 36 before proceeding
Sensitive Data GDPR Compliance in Common Business Scenarios
Different industries encounter sensitive data in different ways. Here are practical considerations for common scenarios.
Healthcare and Wellness Apps
Health data is the most frequently processed category of sensitive data in commercial settings. Fitness trackers, mental health apps, telemedicine platforms, and wellness programs all handle Article 9 data.
- Obtain explicit consent separately for each type of health data processing
- Implement end-to-end encryption for health data in transit
- Comply with any additional member state health data laws (some EU countries have stricter requirements)
- Conduct a DPIA before launch
HR and Employment
Employers routinely process sensitive data including disability status, religious accommodation requests, trade union membership, and sometimes health data for occupational safety.
- Rely on the employment exception (Article 9(2)(b)) rather than consent, since the power imbalance between employer and employee can undermine the "freely given" requirement
- Restrict access to HR personnel with a documented need
- Segregate sensitive employee data from general HR records
E-commerce and Marketing
Most e-commerce businesses do not intentionally collect sensitive data, but they may inadvertently process it through:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now- Product categories that reveal health conditions, religious practices, or political views
- Customer support interactions where users voluntarily disclose sensitive information
- Third-party advertising pixels that build profiles including sensitive inferences
Audit your analytics and advertising integrations to determine whether sensitive inferences are being generated. If they are, either stop the processing or establish a valid legal basis. A cookie policy that accurately describes your tracking practices is essential.
Research and Analytics
Academic and commercial research involving sensitive data must rely on the archiving, research, or statistics exception (Article 9(2)(j)) with appropriate safeguards, or on explicit consent.
- Anonymize data wherever possible so that it no longer constitutes personal data
- Use pseudonymization as an intermediate safeguard when full anonymization is not feasible
- Implement access controls that restrict researchers to the minimum data necessary for their study
Enforcement Actions and Real Penalties
Supervisory authorities have shown a willingness to impose significant fines for sensitive data violations.
- Italian DPA fined a healthcare company 800,000 EUR for inadequate technical measures protecting patient health data
- Polish DPA fined a school 4,400 EUR for processing children's biometric data (fingerprints for library access) without a valid legal basis
- French CNIL fined Clearview AI 20 million EUR for processing biometric data (facial recognition) without consent or a valid exception
- Meta received a 1.2 billion EUR fine from the Irish DPC for data transfers, which underscored the heightened scrutiny applied when sensitive data categories are involved
These cases demonstrate that supervisory authorities evaluate both the technical safeguards in place and whether a valid Article 9 exception was established before processing began.
Building a Sensitive Data GDPR Compliance Program
A structured approach ensures nothing is missed. Follow these steps in order.
Inventory sensitive data. Identify every system, database, spreadsheet, and third-party service that stores or processes data falling into any of the eight special categories. Include inferred sensitive data.
Map data flows. Document where sensitive data enters your organization, where it travels internally, which third parties receive it, and where it is ultimately deleted or archived.
Establish legal bases. For each processing activity involving sensitive data, document both the Article 6 lawful basis and the Article 9(2) exception you rely on. If you cannot identify a valid pair, stop the processing.
Update your privacy policy. Clearly disclose the categories of sensitive data you process, the purposes, the legal bases, retention periods, and individual rights. Use a privacy policy generator that supports GDPR special category disclosures to ensure completeness.
Implement consent mechanisms. Where explicit consent is your chosen basis, build consent flows that are separate, specific, documented, and withdrawable. Test withdrawal paths to confirm they function correctly.
Apply technical safeguards. Encrypt, segregate, minimize, log, and mask sensitive data as described in the security section above.
Conduct DPIAs. Complete assessments for all high-risk sensitive data processing. Document findings, mitigations, and review schedules.
Train staff. Ensure every employee who may encounter sensitive data understands the handling requirements, reporting obligations, and consequences of non-compliance.
Review and update. Set a recurring schedule (quarterly is recommended) to re-evaluate your sensitive data inventory, legal bases, and safeguards. Trigger ad-hoc reviews when you add new features, vendors, or data categories.
Frequently Asked Questions
What is sensitive data under GDPR?
Sensitive data under GDPR refers to special categories of personal data defined in Article 9. These categories are racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, and data concerning sex life or sexual orientation.
Can you process sensitive data under GDPR without consent?
Yes, but only under specific Article 9(2) exceptions. These include processing necessary for employment or social security obligations, protecting vital interests when consent is impossible, processing by nonprofits with appropriate safeguards, data manifestly made public by the individual, legal claims, substantial public interest, healthcare purposes, and public health. Each exception has strict conditions attached.
What happens if you mishandle sensitive data under GDPR?
Mishandling sensitive data can result in fines of up to 20 million EUR or 4% of global annual turnover under Article 83(5) of the GDPR. Supervisory authorities may also order you to stop processing entirely, which can shut down core business functions. Additionally, affected individuals may seek compensation under Article 82.
Do I need a Data Protection Impact Assessment for sensitive data?
In most cases, yes. Article 35 of the GDPR requires a DPIA when processing is likely to result in a high risk to individuals. Processing sensitive data at scale, combining sensitive data with other datasets, or using sensitive data for automated decision-making all trigger the DPIA requirement. Even when not strictly required, conducting a DPIA is considered best practice.