The GDPR: What is sensitive personal data?

The GDPR (General Data Protection Regulation) makes a distinction between ‘personal data’ and ‘sensitive personal data’.

In this blog, we look at the difference between those terms, and we begin by recapping the Regulation’s definition of personal data:

‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’). 

In other words, any information that is clearly about a particular person. In certain circumstances, this could include anything from someone’s name to their physical appearance.

We’ve explained more about personal data and the circumstances where it applies to the GDPR in our earlier blog, so we’ll turn our focus now to sensitive personal data.

In its most basic definition, sensitive data is a specific set of “special categories” that must be treated with extra security. These categories are: 

  • Racial or ethnic origin; 
  • Political opinions; 
  • Religious or philosophical beliefs; 
  • Trade union membership; 
  • Genetic data; and 
  • Biometric data (where processed to uniquely identify someone). 


Sensitive personal data should be held separately from other personal data, preferably in a locked drawer or filing cabinet. 

As with personal data generally, it should only be kept on laptops or portable devices if the file has been encrypted and/or pseudonymised. 

Pseudonymisation masks data by replacing identifying information with artificial identifiers. Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption. 

Encryption also obscures information by replacing identifiers with something else. But whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set. 

Pseudonymisation and encryption can be used simultaneously or separately. 
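
As an added illustration (not code from the original blog), the Python sketch below pseudonymises a small constructed data set with a keyed HMAC, then lists the people whose remaining readable fields still match nobody else's. That last check goes a step beyond the text to show one limit of pseudonymisation. The field names, the sample records and the choice of HMAC-SHA-256 are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (invented people and values, for illustration only).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "AB1", "union_member": True},
    {"name": "Bob Example", "email": "bob@example.org", "postcode": "AB1", "union_member": False},
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "AB1", "union_member": True},
    {"name": "Carol Example", "email": "carol@example.org", "postcode": "ZZ9", "union_member": True},
    {"name": "Dave Example", "email": "dave@example.org", "postcode": "AB1", "union_member": True},
]
IDENTIFYING_FIELDS = ("name", "email")  # assumption: the fields that directly identify someone


def pseudonym(key, record):
    """Derive an artificial identifier from the identifying fields with a keyed HMAC."""
    material = "\x1f".join(str(record[f]).strip().lower() for f in IDENTIFYING_FIELDS)
    return hmac.new(key, material.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(key, records):
    """Return (working_set, lookup); store the key and lookup apart from the working set."""
    working, lookup = [], {}
    for rec in records:
        pid = pseudonym(key, rec)
        lookup[pid] = {f: rec[f] for f in IDENTIFYING_FIELDS}
        rest = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        working.append({"pid": pid, **rest})
    return working, lookup


def singled_out(working):
    """Pseudonyms whose remaining readable fields match no other person's."""
    combos = {}
    for row in working:
        combos[row["pid"]] = tuple(sorted((k, str(v)) for k, v in row.items() if k != "pid"))
    counts = Counter(combos.values())
    return sorted(pid for pid, combo in combos.items() if counts[combo] == 1)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the data controller, never shipped with the data
    working, lookup = pseudonymise(key, RECORDS)
    for row in working:
        print(row)  # special-category field is still readable; name and email are not
    print("still singled out:", singled_out(working))
```

The working set can be shared for analysis, while the key and lookup table stay with whoever is permitted to re-identify records.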

The rules of processing sensitive personal data

As you might expect, there are extra rules when processing sensitive personal data. Not only must you document a lawful basis for processing under Article 6 of the GDPR, you must also document a lawful basis under Article 9.

Article 6 states that organisations must invoke one of the following lawful bases: 

  • A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract. 
  • Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement. 
  • Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s). 
  • A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police. 
  • Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms. 
  • Consent: when the data subject agrees to the processing when presented with a clear explanation of the personal data that will be collected and what it will be used for. 

Article 9 states that organisations must only process sensitive personal data if the organisation: 

  • Requires the information to carry out tasks and exercise specific rights of the data subject in the field of employment and social security and social protection law. 
  • Has gained explicit consent, a more rigorous form of consent in which organisations provide additional information, and make it clearer how the data will be used. 
  • Requires the information to protect vital interests (as in Article 6). 
  • Has a legitimate interest for processing the information (as in Article 6). 
  • Is using information that is manifestly made public by the data subject. 
  • Requires the information to establish, exercise or defend legal claims. 
  • Requires the information to complete a public task (as in Article 6). 
  • Is using the information for the purposes of preventive or occupational medicine, health or social care or to carry out a medical diagnosis/assessment of an employee’s working capacity. 
  • Requires the information to complete tasks in the public interest in the area of health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare. 
  • Requires the information for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. 

Should I use consent?

A common misconception about the GDPR is that all organisations need to seek consent to process personal data. As the list above shows, consent is only one option, and the strict rules regarding the way you obtain and maintain it mean it’s generally the least preferable option. 

There are also legal complications when you rely on consent. For example, say you needed someone’s personal data to fulfil a contract, but you used consent instead of the contractual obligation provision. 

If the individual withdraws consent, you are legally required to remove their records from your database. However, you can’t complete your contractual requirements without their information, forcing you into an impossible situation. 

Nuances like this are common throughout the GDPR, and any organisation that hasn’t taken the time to study its compliance requirements thoroughly is liable to be tripped up. This could lead to lasting damage, from enforcement action and regulatory fines to bad press and loss of customers. 

What else do you need to know?

You can find out more about the differences between personal data and sensitive personal data by taking our Certified GDPR Foundation Self-Paced Online Training Course.

This one-day course is the perfect introduction to the GDPR and the requirements you need to meet.

It’s ideal for managers who want to understand how the Regulation affects their organisation and employees who are responsible for GDPR compliance.

You’ll learn about the six data protection principles, the rights of data subjects, the ways in which you can protect personal data and the steps you must take if a breach occurs.

A version of this blog was originally published on 9 February 2018. 
