GDPR: What Is Sensitive Personal Data? - IT Governance Europe (2024)

The GDPR (General Data Protection Regulation) distinguishes between ‘personal data’ and ‘sensitive personal data’, which the Regulation itself calls ‘special categories of personal data’.

In this blog, we look at how they differ, and what you need to know if you want to process sensitive data.

What is ‘personal data’ under the GDPR?

The Regulation defines ‘personal data’ as:

Any information relating to an identified or identifiable natural person (‘data subject’).

In other words, any information that relates to a particular person. Depending on the circumstances, this could include anything from someone’s name to their physical appearance.

We’ve explained more about personal data and the importance of context in a previous blog.

What constitutes ‘sensitive personal data’?

In its most basic definition, sensitive data is the specific set of “special categories” of personal data listed in Article 9:

  • Genetic data
  • Political opinions
  • Racial or ethnic origin
  • Data concerning health
  • Trade union membership
  • Religious or philosophical beliefs
  • Data concerning sex life or sexual orientation
  • Biometric data (where processed to uniquely identify someone)

Article 9 of the GDPR prohibits the processing of special category data unless one of the exemptions set out in Article 9(2) applies.

When can you process sensitive data?

As with non-sensitive personal data, like names and addresses, you may only process sensitive data if you can rely on a lawful basis (under Article 6) for doing so:

  1. Consent
  2. Public task
  3. Vital interests
  4. Legal obligation
  5. Legitimate interests
  6. Contractual obligation

This blog explains these six lawful bases in more detail.

However, for sensitive data the GDPR imposes an extra requirement: in addition to your Article 6 lawful basis, you must identify and document one of the conditions for processing set out in Article 9(2).

What are the lawful bases under Article 9?

Organisations may only process sensitive information if an exemption listed under Article 9 applies.

We’ve listed them below, grouping them by relevance to the Article 6 lawful bases where possible.

Consent

  • The data subject has given their explicit consent for the processing.

Public task

  • Processing is necessary for reasons of “substantial” public interest, on the basis of EU or member state law.
  • Processing is necessary to complete tasks in the public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare, or medicinal products or devices.
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Vital interests

  • Processing is necessary to protect an individual’s vital interests.

Legal obligation

  • Processing is necessary to carry out your obligations, or exercise the data subject’s rights, in employment, social security and/or social protection law.
  • Processing is necessary to establish, exercise or defend legal claims.
  • Processing is necessary for a court to act in its judicial capacity.

Other

  • The data subject “manifestly” made the data public.
  • The processing forms part of your legitimate activities, and you’re a non-profit body with a political, philosophical, religious or trade-union aim.
  • Processing is necessary for the purposes of preventive or occupational medicine, or a medical diagnosis.
  • Processing is necessary to assess an employee’s working capacity.
  • Processing is necessary to provide health or social care systems and services.

Note that individual member states can introduce further conditions or limitations for processing sensitive data – the above list only reflects the requirements of the EU GDPR.


Should I use consent?

A common misconception about the GDPR is that all organisations need to seek consent to process personal data. As the list above shows, consent is only one option.

What’s more, the strict rules regarding the way you obtain and maintain consent mean it’s generally the least preferable option.

The rules are there for good reason: if you can’t rely on any other ground, such as a legal or contractual obligation, that suggests the processing isn’t strictly necessary. Since the GDPR aims to give individuals greater control over their data, they can withdraw consent at any time, and you must then stop any processing that relied on it.

Furthermore, you can rarely change lawful basis after you’ve started processing the data. So, get it right first time to avoid enforcement action and business disruption.

This blog explains in more detail when to seek consent and its drawbacks.

How can I secure sensitive data?

You should store sensitive personal data separately from other personal data, and restrict access to it to the staff who genuinely need it. If it’s held in paper format, keep it in a locked drawer or filing cabinet.

Digitally, as with personal data generally, you should only keep sensitive data on laptops or portable devices if it has been encrypted and/or pseudonymised, since these are the devices most likely to be lost or stolen.

Pseudonymisation means processing the data so that it can no longer be attributed to a specific person without additional information (such as a key or a lookup table), and keeping that additional information separately, protected by its own technical and organisational measures, typically including encryption. Pseudonymised data is still personal data under the GDPR: it reduces the harm if the working dataset is exposed, but the Regulation continues to apply to it.

Encryption, a common application of cryptography, transforms your data using a secret value or ‘key’ so that only authorised users and applications holding the decryption key can read it. The protection is only as strong as the key management: store keys separately from the encrypted data and control who and what can use them.

You can use pseudonymisation and encryption together or separately. Used together, the encrypted, separately held re-identification data is what stops the pseudonyms from being reversed.
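The separation described above, as an added example that is not code from the original post: a constructed two-record HR dataset carrying a special-category field (health) is split into a working dataset holding only keyed pseudonyms, and a separately held re-identification table. The function names, field layout and sample records are assumptions for illustration. The pseudonyms use HMAC-SHA256 with a random key so that they cannot be recomputed or checked without that key; the example also shows why a plain, unkeyed hash of an e-mail address is not adequate pseudonymisation (it falls to a dictionary attack). Encryption of the lookup table at rest is left to a vetted library (for example AES-GCM from the `cryptography` package) and is not shown, so that the example runs with the standard library alone.

```python
"""Pseudonymisation with separately held re-identification data.

Added example (not the original page's code). RAW_RECORDS is constructed
for illustration; function names and the field layout are assumptions,
not anything the GDPR prescribes.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample: a small HR record set that carries special-category
# data (health) next to direct identifiers (name, e-mail).
RAW_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "health": "asthma"},
    {"email": "Bob@Example.com", "name": "Bob Example", "health": "none"},
]


def new_pseudonymisation_key() -> bytes:
    """A random 256-bit key; hold it apart from the working dataset."""
    return secrets.token_bytes(32)


def normalise(identifier: str) -> bytes:
    """Same person, same pseudonym: trim and lower-case before keying."""
    return identifier.strip().lower().encode("utf-8")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    Without the key nobody can recompute or verify a pseudonym, which is
    what makes the 'additional information' genuinely separate.
    """
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Split records into a working dataset and a re-identification table.

    The working dataset keeps only the pseudonym and the special-category
    field. The lookup table maps pseudonym -> direct identifiers and must be
    stored separately from the working dataset (and encrypted at rest).
    """
    working, lookup = [], {}
    for rec in records:
        pid = pseudonym(rec["email"], key)
        working.append({"pid": pid, "health": rec["health"]})
        lookup[pid] = {"email": rec["email"], "name": rec["name"]}
    return working, lookup


def reidentify(pid: str, lookup: dict) -> dict | None:
    """Only a party holding the separately stored table can do this."""
    return lookup.get(pid)


def unkeyed_hash(identifier: str) -> str:
    """The anti-pattern: a plain hash of the identifier, no secret involved."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def guess_identifier(target: str, candidates: list[str]) -> str | None:
    """Dictionary attack against an unkeyed hash.

    E-mail addresses are low-entropy, so anyone who can enumerate candidates
    (a staff list, a leaked mailing list) re-identifies the record without
    any secret. Against a keyed pseudonym the same loop finds nothing.
    """
    for cand in candidates:
        if unkeyed_hash(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    working, lookup = pseudonymise(RAW_RECORDS, key)
    print("working dataset (no names or e-mails):", working)
    print("re-identified by the table holder:", reidentify(working[0]["pid"], lookup))
    guesses = ["carol@example.com", "alice@example.com"]
    print("unkeyed hash recovered as:", guess_identifier(unkeyed_hash("alice@example.com"), guesses))
    print("keyed pseudonym recovered as:", guess_identifier(working[0]["pid"], guesses))
```

Two design points carry the GDPR argument: the key is generated per dataset, so the same person gets unlinkable pseudonyms in different datasets unless the key holder chooses otherwise, and the working dataset never contains the direct identifiers at all, so losing a laptop that holds only the working dataset exposes health values but not who they belong to.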

How can I prove I’m meeting the GDPR requirements?

The Europrivacy™/® certification scheme offers a practical way to demonstrate your GDPR compliance. This data protection seal allows you to stamp your data processing activities as ‘GDPR compliant’.

The Europrivacy scheme also provides a detailed framework of appropriate security measures – both technical and organisational – you can use to protect PII (personally identifiable information).

This interview with senior privacy consultant and trainer Alice Turley explains the scheme in more detail.

Want to learn more about the key GDPR requirements?

Our free green paper General Data Protection Regulation (GDPR) – A compliance guide explains the core GDPR elements subject to the higher-tier fines: the greater of €20 million or 4% of global annual turnover.

This free guide covers:

  • Who must comply with the GDPR;
  • The benefits of achieving compliance;
  • The Regulation’s core principles and rights;
  • How to lawfully transfer personal data outside the EU; and
  • Tips on how to write your privacy notice.


We first published a version of this blog in February 2018.


