Sensitive Personal Data

Sensitive personal data (special categories of data) require extra protection under the GDPR. They include health data, political beliefs, sexual orientation and biometric data. Processing is prohibited by default unless a specific exemption applies.



    What is sensitive personal data?

    Sensitive personal data (also called "special categories of personal data") are defined in GDPR Article 9. They are personal data that, by their nature, pose particular risks to the data subject's fundamental rights and freedoms.

    Processing of sensitive personal data is prohibited by default (Article 9(1)). This is stricter than for ordinary personal data, where you simply need a valid legal basis. For sensitive data, you need both a legal basis and a specific exemption from the prohibition.

    The nine categories

    The GDPR defines the following as sensitive personal data:

    • Race and ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Trade union membership
    • Genetic data
    • Biometric data (when used for unique identification)
    • Health data
    • Sex life
    • Sexual orientation

    The list is exhaustive. Other types of information that may be perceived as "sensitive" in everyday language (such as salary or CPR numbers) are not sensitive in the GDPR sense. CPR numbers are regulated separately in the Danish Data Protection Act Section 11.

    When may you process them?

    Article 9(2) contains ten exemptions from the prohibition. The most relevant in practice are:

    • Explicit consent: The data subject has given explicit consent. Note that consent must be "explicit", not merely "informed" as for ordinary data.
    • Employment law and social security: Processing is necessary to comply with obligations in the field of employment, social security or social protection law.
    • Vital interests: Processing is necessary to protect the vital interests of the data subject or another person, and the data subject is physically or legally unable to give consent.
    • Health purposes: Processing is necessary for healthcare, medical diagnosis or social care.
    • Public interest: Processing is necessary for reasons of substantial public interest.

    Remember that in addition to the exemption, you must also have a valid legal basis in Article 6. The two requirements apply in parallel.

    Heightened security requirements

    Processing sensitive personal data imposes heightened requirements on processing security. The more sensitive the data, the stronger the measures required.

    Processing sensitive data on a large scale typically requires a data protection impact assessment (DPIA). Your DPO should be involved early.

    Document your security measures in your record. In the event of a data breach involving sensitive data, the consequences for data subjects are typically more severe, and the likelihood of having to inform them directly is greater.

    Frequently Asked Questions about Sensitive Personal Data

    What is sensitive personal data?

    Sensitive personal data are special categories of data that require extra protection. They include data on race, ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data and sexual orientation.

    When may you process sensitive personal data?

    Processing is prohibited by default. It is only permitted if one of the exemptions in Article 9(2) is met, such as explicit consent, necessity for employment law obligations, or the protection of vital interests.

    Are CPR numbers sensitive personal data?

    No. CPR numbers are not sensitive personal data in the GDPR sense. They are ordinary personal data but are subject to special rules in the Danish Data Protection Act Section 11 due to their unique identification capacity.

    Do sensitive personal data always require a DPIA?

    Not always, but processing sensitive data on a large scale will typically require a DPIA. The Danish Data Protection Agency has published a list of processing types that always require a DPIA, and large-scale processing of sensitive data is among them.
