Legal Basis for Processing Sensitive Personal Data
The General Data Protection Regulation (GDPR) prohibits the processing of sensitive personal data unless you have a legal basis under Article 9(2) of the regulation. In this article, we’ll explain these legal bases, so you can identify the appropriate ones for processing sensitive personal data.
If you need a refresher on what constitutes sensitive personal data, check out our article on the subject.
Double Materiality
Previously, we’ve discussed how you must have a legal basis under Article 6(1) of the GDPR to process non-sensitive personal data. When it comes to sensitive personal data, you need an additional legal basis under Article 9(2).
In other words, you must first establish a legal basis under Article 6(1) and then find a corresponding legal basis under Article 9(2) for processing sensitive personal data.
Example
To illustrate the concept of double materiality, let’s consider a hospital processing a patient’s health data:
- The hospital processes the patient’s data to fulfil a public authority task assigned by the state, using Article 6(1)(e) as its legal basis.
- To process sensitive health data specifically, the hospital relies on Article 9(2)(h), which allows processing for health and medical care purposes - you will read more on this later in this article.
Below, we’ll outline the legal bases in Article 9(2) with examples to clarify their use.
List of the Legal Bases for Processing Sensitive Personal Data
In the rest of this article, you'll find an overview of all the legal bases for processing sensitive personal data, along with examples:
- Explicit Consent – Article 9(2)(a)
- Employment Obligations – Article 9(2)(b)
- Vital Interests – Article 9(2)(c)
- Non-Profit Organisations – Article 9(2)(d)
- Publicly Disclosed Data – Article 9(2)(e)
- Legal Claims – Article 9(2)(f)
- Substantial Public Interest – Article 9(2)(g)
- Health and Social Care – Article 9(2)(h)
- Public Health – Article 9(2)(i)
- Archiving and Research – Article 9(2)(j)
It’s important that you review the legal bases relevant to your situation in the GDPR. You can find a link to the full text here.
Explicit Consent
Article 9(2)(a)
Sensitive personal data can be processed when explicit consent is obtained. Unlike standard consent under Article 6(1)(a), explicit consent requires a clear, unambiguous, and documented consent from the individual. This may take the form of a written statement or a deliberate, specific action. It's worth emphasising that explicit consent is distinct from regular consent, which suffices for non-sensitive personal data.
Example
A company wants to implement a fingerprint-based access system for employees, which involves processing sensitive biometric data. However, employees still have the option to use their old access cards, making the use of biometric data voluntary. In this scenario, the company relies on explicit consent as the legal basis for processing.
Dual Legal Basis:
- Article 6(1)(a): Consent
- Article 9(2)(a): Explicit Consent
Employment Obligations
Article 9(2)(b)
Sensitive personal data can be processed if it is necessary to fulfil obligations under employment, health, or social law. This legal basis requires the processing to be grounded in legislation, such as statutory requirements, or frameworks like a collective agreement.
Example
An employer might need to process information about employees’ sick leave to ensure they receive the correct pay during illness, as required by law or a collective agreement. Similarly, processing data about an employee’s disability could be necessary to make reasonable workplace adjustments, enabling them to perform their role under suitable conditions.
Dual Legal Basis:
- Article 6(1)(c): Legal Obligation
- Article 9(2)(b): Employment Obligations
Vital Interests
Article 9(2)(c)
You can process sensitive personal data if it is necessary to protect an individual’s vital interests when no other legal basis applies, and the individual is unable to give consent. This provision is typically used in emergency situations where the processing is essential to protect someone’s life or health.
To ensure this basis isn’t used arbitrarily, the processing must be strictly necessary and proportional to the purpose. This means data can only be processed to the extent absolutely required to protect the person’s vital interests.
Example
An employee loses consciousness at work, prompting their employer to call emergency services. The emergency responders request medical information, such as allergies or medications. In this case, processing the employee's sensitive data is necessary to protect their life.
Dual Legal Basis:
- Article 6(1)(d): Vital Interests
- Article 9(2)(c): Vital Interests
Non-Profit Organisations
Article 9(2)(d)
Non-profit organisations, such as associations, foundations, or similar entities with political, philosophical, religious, or trade union purposes, may process sensitive personal data if it is necessary for the organisation’s objectives.
This basis applies only when the data concerns the organisation’s members, former members, or individuals with regular contact with the organisation. Additionally, the data must not be disclosed to third parties without the individual’s consent.
Example
A trade union processes data on its members’ union affiliations to represent them during salary negotiations. The processing is part of the union’s activities and only involves members or former members.
Dual Legal Basis:
- Article 6(1)(f): Legitimate Interest
- Article 9(2)(d): Non-Profit Organisations
Publicly Disclosed Data
Article 9(2)(e)
You can process sensitive personal data if the individual has themselves made the data publicly available, for example, through a personal website, social media, or similar platforms. However, the processing must align with what the individual could reasonably expect based on their own disclosure, in line with the GDPR’s principle of purpose limitation.
Example
An artist publicly shares on their personal website that they have been diagnosed with a chronic illness, which inspired their latest artwork. A health organisation working on the same illness uses this information in a report to raise awareness about the condition. The organisation uses the data because it is already publicly available and ensures that the processing respects the artist’s original purpose for sharing it.
Dual Legal Basis:
- Article 6(1)(f): Legitimate Interest
- Article 9(2)(e): Publicly Disclosed Data
Legal Claims
Article 9(2)(f)
You can process sensitive personal data if it is necessary to establish, exercise, or defend a legal claim. This includes processing data for legal disputes, both within and outside of court proceedings, where documentation or action is required to protect or advance a claim.
Example
A food company processes health data of consumers who became ill after consuming one of its products. The data is used to document the extent of the harm and to assess the company’s liability as part of a legal case brought against it. This processing is necessary to defend the company’s legal claims and properly handle the case.
Dual Legal Basis:
- Article 6(1)(f): Legitimate Interest
- Article 9(2)(f): Legal Claims
Substantial Public Interest
Article 9(2)(g)
Sensitive personal data can be processed if it is necessary for reasons of substantial public interest, as defined in law. The processing must be proportional and serve the specific purpose outlined in the relevant legislation.
Example
A public authority organises a hearing on labour market legislation and invites representatives from various trade unions and religious groups to participate. To ensure accurate registration and representation, the authority records the participants’ affiliations with their respective organisations. This processing is essential to facilitate dialogue and promote inclusion in the legislative process.
Dual Legal Basis:
- Article 6(1)(e): Public Authority Tasks
- Article 9(2)(g): Substantial Public Interest
Health and Social Care
Article 9(2)(h)
Sensitive personal data can be processed if it is necessary for purposes such as preventive medicine, occupational medicine, assessing an employee’s work capacity, medical diagnosis, providing health or social care, or managing health and social care services. The processing must comply with relevant legislation or form part of a contract with a healthcare professional. Additionally, the data must be handled by professionals bound by confidentiality.
Example
A medical clinic processes sensitive personal data about patients' health as part of its work diagnosing and treating patients. This includes maintaining medical records and prescribing medication. The processing is carried out under health legislation by healthcare professionals who are subject to confidentiality obligations.
Dual Legal Basis:
- Article 6(1)(e): Public Authority Tasks
- Article 9(2)(h): Health and Social Care
Public Health
Article 9(2)(i)
Sensitive personal data can be processed if it is necessary for reasons of public interest in the area of public health. This includes activities such as preventing and protecting against health threats, or ensuring high standards in healthcare services, medical products, and equipment. The processing must have a basis in legislation.
Example
A public health authority processes data on citizens’ health and vaccination statuses to monitor and control the spread of a contagious disease. This processing is essential to protect public health during an epidemic.
Dual Legal Basis:
- Article 6(1)(e): Public Authority Tasks
- Article 9(2)(i): Public Health
Archiving and Research
Article 9(2)(j)
Sensitive personal data can be processed for archiving purposes in the public interest, scientific or historical research, or statistical purposes. The purpose must be clearly defined, necessary to meet a significant societal need, and based on legislation. Processing must also include appropriate safeguards to protect the rights and privacy of the individuals concerned, such as data minimisation or pseudonymisation.
Example
A university collects and processes health data from a large group of participants as part of a research project studying the long-term effects of a specific medical treatment. The data is used exclusively for scientific purposes, and participants' identities are protected through pseudonymisation.
Dual Legal Basis:
- Article 6(1)(e): Public Authority Tasks
- Article 9(2)(j): Archiving and Research
Summary
This article has outlined the various legal bases you can rely on to process sensitive personal data, as well as the concept of double materiality.
It is intended as a guide to help you identify the appropriate legal basis for your data processing activities. For more detailed information, we recommend reviewing the full text of Article 9 in the GDPR to ensure you understand the exact wording and requirements for each legal basis.
Frequently Asked Questions About Sensitive Personal Data Legal Basis
What is sensitive personal data under GDPR?
Sensitive personal data, also called special categories of data under GDPR Article 9, includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, and data concerning sexual life or orientation. These categories receive extra protection due to their sensitive nature.
What legal basis is needed to process sensitive personal data?
Processing sensitive data requires meeting two conditions: first, a legal basis under GDPR Article 6(1), and second, an additional condition from Article 9(2). The Article 9(2) conditions include explicit consent, employment law obligations, vital interests, legitimate activities of certain bodies, publicly available data, legal claims, substantial public interest, health purposes, public health, or archiving purposes.
What is explicit consent for sensitive data processing?
Explicit consent requires a clear, affirmative action from the individual specifically agreeing to the processing of their sensitive data. Unlike regular consent, it must be express and unambiguous, typically requiring a specific opt-in for the sensitive data processing rather than being bundled with other consents.
Can I process health data under GDPR?
Yes, but only with both an Article 6 legal basis and an Article 9(2) condition such as explicit consent, necessity for healthcare provision, public health purposes, or employment law obligations. Health data includes any information relating to physical or mental health, medical records, or healthcare service provision.
What are the employment law conditions for processing sensitive data?
Under Article 9(2)(b), sensitive data can be processed when necessary for employment, social security, and social protection law purposes. This covers situations like processing health data for sick leave management, trade union membership for payroll deductions, or disability information for workplace accommodations.
How do I conduct a risk assessment for sensitive data processing?
A risk assessment for sensitive data should evaluate the nature and sensitivity of the data, the purposes of processing, potential harm to individuals if the data is compromised, the volume of data and number of individuals affected, security measures in place, and whether a DPIA is required. Given the higher risk, assessments should be thorough and well-documented.
What additional security measures are needed for sensitive data?
Sensitive data requires enhanced security measures including encryption at rest and in transit, strict access controls, audit logging, regular security testing, staff training on handling sensitive data, data minimisation, and pseudonymisation where possible. The measures should be proportionate to the risk level.
Is biometric data always considered sensitive?
Biometric data is classified as sensitive personal data under GDPR only when it is processed for the purpose of uniquely identifying a person. For example, fingerprint data used for building access control is sensitive, but a photograph used for a staff directory may not be, depending on whether it is processed through biometric identification technology.
Can I process sensitive data based on legitimate interest?
No, legitimate interest alone is not sufficient for processing sensitive personal data. While legitimate interest can serve as the Article 6 legal basis, you still need an additional condition from Article 9(2). The available conditions for sensitive data are more restrictive and do not include a general legitimate interest option.
What happens if I process sensitive data without proper authorisation?
Unauthorised processing of sensitive personal data is a serious GDPR violation subject to the highest tier of fines, up to 20 million euros or 4% of global annual turnover. It can also result in enforcement actions, compensation claims from affected individuals, and significant reputational harm.
Info
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
Support
support@dotlegal.com
+45 7027 0127
.legal is not a law firm and is therefore not under the supervision of the Bar Council.