Not all personal data is sensitive.
But when it is, the GDPR goes to great lengths to ensure it is processed with the utmost attention.
In this article, we’ll explain which personal data counts as “sensitive” and see what data controllers should know to lawfully process it.
What is Sensitive Personal Data?
Article 9 of the GDPR defines sensitive data as «data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, […] genetic data, biometric data […], data concerning health or data concerning a natural person’s sex life or sexual orientation».
What are the Rules for Processing Sensitive Personal Data?
In principle, the GDPR prohibits the processing of sensitive personal data.
There are, however, several exceptions to this general prohibition. All of them are listed in Article 9(2) GDPR.
Exceptions include situations in which:
- Data subjects gave their explicit consent;
- Processing is necessary for fulfilling the obligations and/or exercising specific rights of the controller or of the data subject in the field of employment, social security, and social protection law;
- Processing is necessary to protect the vital interests of the data subject or of another natural person, and the data subject is physically or legally unable to give consent;
- The data controller is a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim, and the processing concerns only personal data relating to their current or former members;
- The personal data being processed has been explicitly made public by the data subject;
- Processing is necessary to establish, exercise, or defend legal claims;
- Processing is necessary for substantial public interest reasons;
- Processing is necessary for the purposes of preventive or occupational medicine;
- Processing is necessary for public health reasons;
- Processing is necessary for archiving purposes in the public interest, scientific or historical research, or statistical purposes.
A contractual relationship with the data subject, by itself, is not a legitimate ground for processing sensitive personal data.
Let’s now look in detail at what these exceptions entail.
Article 9(2)(a): Explicit consent of the Data Subject
You can process sensitive personal data if you’ve obtained the data subject’s consent.
For consent to be valid, it must be free, informed, specific, and unambiguous, as required by Article 4(11).
When it comes to sensitive data, consent must also be explicit.
EU or Member State law may prohibit the use of consent as a valid ground for processing certain types of sensitive personal data. In these cases, data controllers must rely on other legal bases.
Article 9(2)(b): Employment, social security, and social protection law
Processing sensitive data might be necessary for carrying out obligations or rights of the controller or the data subject in the field of employment or social security.
For example, as an employer, you might be required to process health information so your employees can get their sick leave.
In these cases, data controllers can process sensitive data if the processing is authorized by:
- EU law
- Member State law, or
- A collective agreement under Member State law.
Article 9(2)(c): Vital Interests of the Data Subject
Data controllers are allowed to process sensitive personal data when the processing is necessary to protect the vital interests of the data subject or of another natural person.
Article 9(2)(c) clarifies that the data controller may only rely on this ground if the data subject was physically or legally unable to consent.
The implication is that, if circumstances allow for it, controllers should try to obtain consent first instead of immediately invoking the “vital interests” exception.
This sentiment is echoed by Recital 46, GDPR, which states, «Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.»
Article 9(2)(d): the Data Controller is a Foundation, Association, or any Other Not-For-Profit Body
The GDPR authorizes the processing of sensitive personal data when the data controller is a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim.
The rationale for this exception is easy to see: those bodies deal with sensitive data by default. The mere fact of joining one might reveal sensitive personal data. (For example, if you join a religious association, it’s pretty obvious what your religion is: how could the association function without processing this information?)
However, nonprofits have to abide by certain limits when processing sensitive data.
Article 9(2)(d) clarifies that they can only process the personal data of current or former members or persons who have regular contact with the organization. Without the data subject’s consent, personal data cannot be disclosed outside the organization.
Article 9(2)(e): Personal Data Manifestly Made Public by the Data Subject
Sensitive personal data can be lawfully processed if it is manifestly made public by the data subject.
The GDPR doesn’t explain what should count as “manifestly made public.” The Handbook on European Data Protection Law states that this notion should be strictly construed. The exception should be valid only if the data subjects deliberately divulged their personal information.
A mere presence in a public space is not enough.
Article 9(2)(f): Legal Claims
The GDPR permits data controllers to process sensitive personal data that is «necessary for the establishment, exercise or defence of legal claims.» The exception applies both to court proceedings and to administrative or out-of-court procedures.
Article 9(2)(f) also allows Courts acting in their judicial capacity to process sensitive personal data if it’s necessary to resolve a legal dispute.
Article 9(2)(g): Substantial Public Interest
As with non-sensitive personal data, reasons of public interest constitute a legitimate ground for processing personal data.
However, for data controllers to rely on this legal basis:
- Either EU or Member State law must have clearly identified the public interest (in other words, it is up to legislators, not data controllers, to establish whether a substantial public interest is at play);
- The law must be proportionate and safeguard the rights of the data subject;
- The processing must be necessary for the pursuit of such public interest.
Electronic health file systems are an example of a processing activity carried out on the basis of substantial public interest.
Article 9(2)(h): Preventive or occupational medicine
Data controllers can process sensitive personal data in several medical-related cases, such as:
- When it’s necessary for the purposes of preventive or occupational medicine,
- When it’s necessary to assess the working capacity of the employee,
- When it’s required for a medical diagnosis,
- When it’s necessary to provide health or social care or treatment or manage health or social care systems and services.
In all these cases, the processing must be authorized by EU or Member State law, or there must be a contract between a health professional and the data subject.
Article 9(2)(i): reasons of public interest in the area of public health
Processing sensitive personal data is permitted when necessary for public health reasons, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices.
The processing must be explicitly authorized by EU or Member State law, and such regulations should consider the data subject’s rights and freedoms.
Article 9(2)(j): Archiving, research, and statistical purposes
If EU or Member State law mandates it, sensitive personal data can be processed for archiving, research, and statistical purposes.
Processing Sensitive Personal Data: A Final Note
Sensitive personal data should be handled with care.
The GDPR allows data controllers to process sensitive personal data in several cases (see Article 9 of the Regulation). However, data controllers should keep in mind that Member States can introduce further limitations, and they should process sensitive personal data with the utmost attention.