Some personal data is so sensitive that the GDPR gives it additional protection. This is known as special category data under Article 9 GDPR, often referred to in practice as sensitive personal data. The practical point is simple: if your organisation processes Article 9 data, normal GDPR compliance is not enough. You need both: (i) a legal basis under Article 6 GDPR; and (ii) a separate Article 9 condition that permits the processing. Without both, the starting point under GDPR is that the processing is prohibited.
Reading time: 4 minutes
What is sensitive personal data under GDPR?
Article 9 GDPR covers personal data revealing or concerning:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data used to uniquely identify a person;
- health data;
- a person’s sex life; and
- sexual orientation.
This is a closed category. Not all confidential, private or commercially sensitive information is Article 9 data.
For example, a customer’s address, email, user ID, device ID or payment reference may be personal data, but it is not automatically sensitive personal data under Article 9. It may still require strong protection, particularly if it creates risk for the individual, but the Article 9 rules apply only when the data falls within one of the special categories.
Schrems II – Expert Legal Advise
Act with confidence today. Our experts are here to help you manage the Schrems II requirements. Measured and practical solutions. Support through the entire process. Transfer impact assessment. Dealing with supervisory authority. Enforcement action. Defending legal claims. Track record with leading European startup, mid-size companies and listed global enterprises.
Get a quote today from the business law firm Sharp Cookie Advisors
Criminal offence data is also handled separately under GDPR. It is sensitive in practice, but it is not Article 9 data.
Sensitive personal data is subject to more stringent requirements than non-sensitive personal data. These requirements must be met for your organisation to process the data lawfully. The processing requirements are different compared to those for non-sensitive personal data, and this article will go through what sensitive personal data is and how it differs from non-sensitive personal data (‘personal data‘).
To fully understand the difference between personal data and sensitive personal data, it helps to establish what people mean when they are mentioned.
Why Article 9 data is different
Sensitive personal data can create serious risks for individuals if it is misused, disclosed or combined with other data. It may expose a person’s health, beliefs, identity, union membership or other highly personal circumstances.
For businesses, this means that Article 9 data should be treated as a higher-risk data category from the start. It should not be discovered late in a product launch, HR process, compliance project or vendor integration.
The key operational question is:
Do we actually need to process this data, and if yes, what is our Article 9 route?
You need both Article 6 and Article 9
A common mistake is to identify a normal GDPR legal basis and stop there. That is not enough.
For sensitive personal data, the controller must identify:
- an Article 6 legal basis, such as legal obligation, contract, legitimate interests, public task or consent; and
- an Article 9 condition, such as explicit consent, employment law obligations, legal claims, substantial public interest, health or social care, public health, or research and statistics with appropriate safeguards.
These are separate questions. A business may have a strong Article 6 basis but still lack a valid Article 9 condition.
Be careful with consent
Explicit consent is one of the Article 9 conditions, but it is not always the best or safest route.
For consent to work, it must be freely given, specific, informed and explicit. It must also be possible to withdraw. In practice, this can make consent fragile in operational settings where the individual depends on the organisation, such as employment, education, healthcare or public services.
If refusal creates pressure, disadvantage or uncertainty for the individual, consent may not be valid.
This is why organisations should not treat consent as a quick fix for sensitive data. In many cases, another legal route may be more appropriate — or the processing should not take place at all.
Practical examples of sensitive data risk
Health data in HR and workplace tools
Absence records, occupational health reports, disability adjustments and wellbeing surveys may all involve health data. Employers often need to process some health data, but the scope must be controlled.
A good approach is to define exactly what is needed, who may access it, how long it is retained, and whether the business needs the underlying health data or only an operational conclusion.
For example, a manager may need to know that an employee requires an adjustment. The manager will rarely need the full medical background.
Biometric identification
Biometric data is Article 9 data when it is used to uniquely identify a person. This includes use cases such as facial recognition, fingerprint access systems and other biometric identity checks.
The compliance risk is high because biometric data is persistent and difficult to change. If a password is compromised, it can be reset. A face or fingerprint cannot.
Before using biometric identification, organisations should ask whether the same purpose can be achieved with a less intrusive method.
Biometric attendance in school
A school in Sweden gained attention when it used facial recognition to keep attendance. It used cameras and biometric technology to identify students when entering a classroom. Manual attendance took around 10 min. The cameras took attendance automatically when the students walked through the door. The school argued that the technology gave back those ten minutes. Sensitive data can be processed based on the parent’s consent.1 Participation in the project was optional.
The Swedish Data Protection Authority, IMY, argued that the consent was not lawful due to the dependent position between the students and the school. Furthermore, IMY stated that no other circumstance in Article 9 of the GDPR, applied to the processing. IMY fined the school, and the decision was later appealed and finally decided in the court of appeals in favor of IMY’s decision.
Camera surveillance in school
Another notable case regarding camera surveillance was also brought to light. IMY received complaints regarding comprehensive camera surveillance in a school, and that no information had been provided to guardians or students. Approximately 50 fixed cameras monitored large parts of the school with 24/7 image recording. The reason for use was several consecutive fires on school property. The school had tried different, less intrusive measures beforehand. The school used Article 6.1(c) of the GDPR as a legal basis since the school was legally obligated to protect the students. 6.1(c) of the GDPR are to be used in accordance with either Union Law or National Law. This is also stated in the Swedish Data Protection Act, Chapter 2, Section 1. Leal obligation cannot be used if the obligation is too broad as it risks giving the controller too much freedom of activity.2 Because fires are serious and can pose a serious threat to health and life, IMY concluded that the use of camera surveillance was justified in this case.
Customer data that reveals sensitive characteristics
A business may not directly ask for sensitive data but may still process it. Product choices, user behaviour, community memberships, search history or support messages can reveal health, religion, political opinions or sexual orientation.
This is especially relevant for digital products, platforms, analytics, profiling, community tools and personalisation.
The risk is not only what the database field is called. The risk is what the data reveals.
Pseudonymisation helps, but does not remove GDPR risk
Pseudonymisation can reduce risk and is often a useful safeguard. It means that personal data is processed in a way that it cannot be attributed to a specific person without additional information.
However, pseudonymised data is still personal data if re-identification is possible.
This matters for sensitive data projects. Replacing names with IDs may reduce exposure, but it does not automatically remove Article 9 obligations. The organisation still needs to assess the data category, purpose, legal basis, Article 9 condition, access controls and retention.
Operational checklist before processing Article 9 data
Before processing sensitive personal data, your organisation should be able to answer the following questions:
- What exact sensitive data are we processing?
- Why is it necessary?
- What Article 6 legal basis applies?
- What Article 9 condition applies?
- Are there any national law requirements?
- Can we achieve the same purpose with less sensitive data?
- Who needs access?
- How long will the data be retained?
- What safeguards are in place?
- Have we documented the assessment?
For higher-risk processing, a data protection impact assessment may also be required.
The business takeaway
Sensitive personal data should be identified early, not cleaned up late.
The right approach is not to block all Article 9 processing. Many organisations have legitimate reasons to process sensitive data, especially in HR, health, safety, compliance, research, insurance, platform moderation and regulated services.
The point is to make the legal basis, Article 9 condition and safeguards operationally clear before the processing starts.
If your business is launching a product, implementing a vendor tool or reviewing a process that may involve sensitive personal data, we can help you assess the risk, structure the documentation and define a practical compliance route.