{"id":12596,"date":"2026-06-08T18:03:20","date_gmt":"2026-06-08T16:03:20","guid":{"rendered":"https:\/\/www.gdprsummary.com\/?p=12596"},"modified":"2026-06-08T18:03:26","modified_gmt":"2026-06-08T16:03:26","slug":"gdpr-sensitive-personal-data","status":"publish","type":"post","link":"https:\/\/www.gdprsummary.com\/sv\/gdpr-sensitive-personal-data\/","title":{"rendered":"GDPR Sensitive Data: How to Handle Article 9 Data"},"content":{"rendered":"\n<p><strong>Some personal data is so sensitive that the GDPR gives it additional protection. This is known as special category data under Article 9 GDPR, often referred to in practice as sensitive personal data. The practical point is simple: if your organisation processes Article 9 data, normal GDPR compliance is not enough. You need both: (i) a legal basis under Article 6 GDPR; and (ii) a separate Article 9 condition that permits the processing. Without both, the starting point under GDPR is that the processing is prohibited.<\/strong><\/p>\n\n\n\n<p><strong>Reading time: 4 minutes<\/strong><\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"h-what-is-sensitive-personal-data-under-gdpr\">What is sensitive personal data under GDPR?<\/h1>\n\n\n\n<p>Article 9 GDPR covers personal data revealing or concerning:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>racial or ethnic origin;<\/li>\n\n\n\n<li>political opinions;<\/li>\n\n\n\n<li>religious or philosophical beliefs;<\/li>\n\n\n\n<li>trade union membership;<\/li>\n\n\n\n<li>genetic data;<\/li>\n\n\n\n<li>biometric data used to uniquely identify a person;<\/li>\n\n\n\n<li>health data;<\/li>\n\n\n\n<li>a person\u2019s sex life; and<\/li>\n\n\n\n<li>sexual orientation.<\/li>\n<\/ul>\n\n\n\n<p>This is a closed category. 
Not all confidential, private or commercially sensitive information is Article 9 data.<\/p>\n\n\n\n<p>For example, a customer\u2019s address, email, user ID, device ID or payment reference may be personal data, but it is not automatically sensitive personal data under Article 9. It may still require strong protection, particularly if it creates risk for the individual, but the Article 9 rules apply only when the data falls within one of the special categories.<\/p>\n\n\n\n<p>Criminal offence data is also handled separately under GDPR. It is sensitive in practice, but it is not Article 9 data.<\/p>\n\n\n\n<p>Sensitive personal data is subject to more stringent requirements than non-sensitive personal data. These requirements must be met for your organisation to process the data lawfully. The processing requirements differ from those for non-sensitive personal data, and this article goes through what sensitive personal data is and how it differs from non-sensitive personal data (&#8216;<strong>personal data<\/strong>&#8217;).<\/p>\n\n\n\n<p>To fully understand the difference between personal data and sensitive personal data, it helps to establish what each term means.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"h-why-article-9-data-is-different\">Why Article 9 data is different<\/h1>\n\n\n\n<p>Sensitive personal data can create serious risks for individuals if it is misused, disclosed or combined with other data. It may expose a person\u2019s health, beliefs, identity, union membership or other highly personal circumstances.<\/p>\n\n\n\n<p>For businesses, this means that Article 9 data should be treated as a higher-risk data category from the start. 
It should not be discovered late in a product launch, HR process, compliance project or vendor integration.<\/p>\n\n\n\n<p>The key operational question is:<\/p>\n\n\n\n<p>Do we actually need to process this data, and if yes, what is our Article 9 route?<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"h-you-need-both-article-6-and-article-9\">You need both Article 6 and Article 9<\/h1>\n\n\n\n<p>A common mistake is to identify a normal GDPR legal basis and stop there. That is not enough.<\/p>\n\n\n\n<p>For sensitive personal data, the controller must identify:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>an Article 6 legal basis, such as legal obligation, contract, legitimate interests, public task or consent; and<\/li>\n\n\n\n<li>an Article 9 condition, such as explicit consent, employment law obligations, legal claims, substantial public interest, health or social care, public health, or research and statistics with appropriate safeguards.<\/li>\n<\/ul>\n\n\n\n<p>These are separate questions. A business may have a strong Article 6 basis but still lack a valid Article 9 condition.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"h-be-careful-with-consent\">Be careful with consent<\/h1>\n\n\n\n<p>Explicit consent is one of the Article 9 conditions, but it is not always the best or safest route.<\/p>\n\n\n\n<p>For consent to work, it must be freely given, specific, informed and explicit. It must also be possible to withdraw. In practice, this can make consent fragile in operational settings where the individual depends on the organisation, such as employment, education, healthcare or public services.<\/p>\n\n\n\n<p>If refusal creates pressure, disadvantage or uncertainty for the individual, consent may not be valid.<\/p>\n\n\n\n<p>This is why organisations should not treat consent as a quick fix for sensitive data. 
In many cases, another legal route may be more appropriate \u2014 or the processing should not take place at all.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"h-practical-examples-of-sensitive-data-risk\">Practical examples of sensitive data risk<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-health-data-in-hr-and-workplace-tools\">Health data in HR and workplace tools<\/h2>\n\n\n\n<p>Absence records, occupational health reports, disability adjustments and wellbeing surveys may all involve health data. Employers often need to process some health data, but the scope must be controlled.<\/p>\n\n\n\n<p>A good approach is to define exactly what is needed, who may access it, how long it is retained, and whether the business needs the underlying health data or only an operational conclusion.<\/p>\n\n\n\n<p>For example, a manager may need to know that an employee requires an adjustment. The manager will rarely need the full medical background.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-biometric-identification\">Biometric identification<\/h2>\n\n\n\n<p>Biometric data is Article 9 data when it is used to uniquely identify a person. This includes use cases such as facial recognition, fingerprint access systems and other biometric identity checks.<\/p>\n\n\n\n<p>The compliance risk is high because biometric data is persistent and difficult to change. If a password is compromised, it can be reset. 
A face or fingerprint cannot.<\/p>\n\n\n\n<p>Before using biometric identification, organisations should ask whether the same purpose can be achieved with a less intrusive method.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-biometric-attendance-in-school\">Biometric attendance in school<\/h2>\n\n\n\n<p>A school in <a href=\"https:\/\/www.imy.se\/globalassets\/dokument\/beslut\/beslut-ansiktsigenkanning-for-narvarokontroll-av-elever-dnr-di-2019-2221.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Sweden<\/a> <a href=\"https:\/\/www.imy.se\/globalassets\/dokument\/beslut\/facial-recognition-used-to-monitor-the-attendance-of-students.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a>gained attention when it used facial recognition to take attendance. It used cameras and biometric technology to identify students as they entered a classroom. Manual attendance took around 10 minutes. The cameras took attendance automatically when the students walked through the door. The school argued that the technology gave back those ten minutes. Sensitive data can be processed based on the parent&#8217;s consent.<sup data-fn=\"b93c43a7-1406-4a85-b116-f12cbb3366a7\" class=\"fn\"><a href=\"#b93c43a7-1406-4a85-b116-f12cbb3366a7\" id=\"b93c43a7-1406-4a85-b116-f12cbb3366a7-link\">1<\/a><\/sup> Participation in the project was optional.<\/p>\n\n\n\n<p>The Swedish Data Protection Authority, IMY, argued that the consent was not lawful because of the students&#8217; position of dependence on the school. Furthermore, IMY stated that no other circumstance in Article 9 of the GDPR applied to the processing. IMY fined the school; the decision was later appealed, and the court of appeals finally ruled in favor of IMY&#8217;s decision.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-camera-surveillance-in-school\">Camera surveillance in school<\/h2>\n\n\n\n<p>Another notable case regarding camera surveillance was also brought to light. 
IMY received complaints about comprehensive camera <a href=\"https:\/\/edpb.europa.eu\/news\/national-news\/2023\/camera-surveillance-during-daytime-justified-swedish-school-prevent-fires_en\">surveillance in a school<\/a>, and about the fact that no information had been provided to guardians or students. Approximately 50 fixed cameras monitored large parts of the school with 24\/7 image recording. The reason for the surveillance was several consecutive fires on school property. The school had tried different, less intrusive measures beforehand. The school used Article 6.1(c) of the GDPR as a legal basis since the school was legally obligated to protect the students. Article 6.1(c) of the GDPR is to be used in accordance with either Union law or national law. This is also stated in the Swedish Data Protection Act, Chapter 2, Section 1. Legal obligation cannot be used if the obligation is too broad, as that risks giving the controller too much freedom of action.<sup data-fn=\"04fcd0d2-460e-440f-8bd9-5c76682e7c3b\" class=\"fn\"><a href=\"#04fcd0d2-460e-440f-8bd9-5c76682e7c3b\" id=\"04fcd0d2-460e-440f-8bd9-5c76682e7c3b-link\">2<\/a><\/sup> Because fires can pose a serious threat to health and life, IMY concluded that the use of camera surveillance was justified in this case.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-customer-data-that-reveals-sensitive-characteristics\">Customer data that reveals sensitive characteristics<\/h2>\n\n\n\n<p>A business may not directly ask for sensitive data but may still process it. Product choices, user behaviour, community memberships, search history or support messages can reveal health, religion, political opinions or sexual orientation.<\/p>\n\n\n\n<p>This is especially relevant for digital products, platforms, analytics, profiling, community tools and personalisation.<\/p>\n\n\n\n<p>The risk is not only what the database field is called. 
The risk is what the data reveals.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"h-pseudonymisation-helps-but-does-not-remove-gdpr-risk\">Pseudonymisation helps, but does not remove GDPR risk<\/h1>\n\n\n\n<p>Pseudonymisation can reduce risk and is often a useful safeguard. It means that personal data is processed in a way that it cannot be attributed to a specific person without additional information.<\/p>\n\n\n\n<p>However, pseudonymised data is still personal data if re-identification is possible.<\/p>\n\n\n\n<p>This matters for sensitive data projects. Replacing names with IDs may reduce exposure, but it does not automatically remove Article 9 obligations. The organisation still needs to assess the data category, purpose, legal basis, Article 9 condition, access controls and retention.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"h-operational-checklist-before-processing-article-9-data\">Operational checklist before processing Article 9 data<\/h1>\n\n\n\n<p>Before processing sensitive personal data, your organisation should be able to answer the following questions:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>What exact sensitive data are we processing?<\/li>\n\n\n\n<li>Why is it necessary?<\/li>\n\n\n\n<li>What Article 6 legal basis applies?<\/li>\n\n\n\n<li>What Article 9 condition applies?<\/li>\n\n\n\n<li>Are there any national law requirements?<\/li>\n\n\n\n<li>Can we achieve the same purpose with less sensitive data?<\/li>\n\n\n\n<li>Who needs access?<\/li>\n\n\n\n<li>How long will the data be retained?<\/li>\n\n\n\n<li>What safeguards are in place?<\/li>\n\n\n\n<li>Have we documented the assessment?<\/li>\n<\/ol>\n\n\n\n<p>For higher-risk processing, a data protection impact assessment may also be required.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"h-the-business-takeaway\">The business takeaway<\/h1>\n\n\n\n<p>Sensitive personal data should be identified early, not cleaned up late.<\/p>\n\n\n\n<p>The right approach is not to block all 
Article 9 processing. Many organisations have legitimate reasons to process sensitive data, especially in HR, health, safety, compliance, research, insurance, platform moderation and regulated services.<\/p>\n\n\n\n<p>The point is to make the legal basis, Article 9 condition and safeguards operationally clear before the processing starts.<\/p>\n\n\n\n<p>If your business is launching a product, implementing a vendor tool or reviewing a process that may involve sensitive personal data, we can help you assess the risk, structure the documentation and define a practical compliance route.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some personal data is so sensitive that the GDPR gives it additional protection. This is known as special category data under Article 9 GDPR, often referred to in practice as sensitive personal data. The practical point is simple: if your organisation processes Article 9 data, normal GDPR compliance is not enough. You need both: (i) [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":13792,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rop_custom_images_group":[],"rop_custom_messages_group":[],"rop_publish_now":"initial","rop_publish_now_accounts":{"twitter_1330440887906734082_1330440887906734082":""},"rop_publish_now_history":[],"rop_publish_now_status":"pending","footnotes":"[{\"content\":\"Article 9 of the GDPR.\",\"id\":\"b93c43a7-1406-4a85-b116-f12cbb3366a7\"},{\"content\":\"SOU 2017:39 p.114 f. 
Article 29 WP 6\/2014, EP 217, p.20 f.\",\"id\":\"04fcd0d2-460e-440f-8bd9-5c76682e7c3b\"}]"},"categories":[10],"tags":[41673,41672,41674,41675,41670,41671],"class_list":{"0":"post-12596","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-fundamentals","8":"tag-art-6","9":"tag-art-9","10":"tag-gdpr","11":"tag-health-data","12":"tag-sensitive-personal-data","13":"tag-special-categories-data"},"pp_statuses_selecting_workflow":false,"pp_workflow_action":"current","pp_status_selection":"publish","yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v24.6 (Yoast SEO v27.6) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>GDPR Sensitive Data: How to Handle Article 9 Data - GDPR Summary<\/title>\n<meta name=\"description\" content=\"GDPR sensitive data requires both a legal basis and a condition. Learn what is special category data and how to reduce compliance risk.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.gdprsummary.com\/sv\/gdpr-sensitive-personal-data\/\" \/>\n<meta property=\"og:locale\" content=\"sv_SE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"GDPR Sensitive Data: How to Handle Article 9 Data\" \/>\n<meta property=\"og:description\" content=\"GDPR sensitive data requires both a legal basis and a condition. 
Learn what is special category data and how to reduce compliance risk.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.gdprsummary.com\/sv\/gdpr-sensitive-personal-data\/\" \/>\n<meta property=\"og:site_name\" content=\"GDPR Summary\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/sharpcookieadvisors\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-08T16:03:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-08T16:03:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.gdprsummary.com\/wp-content\/uploads\/2024\/02\/sensitive-data-.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1085\" \/>\n\t<meta property=\"og:image:height\" content=\"1450\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Sharp Cookie Advisors\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/sharpcookieadv\" \/>\n<meta name=\"twitter:label1\" content=\"Skriven av\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sharp Cookie Advisors\" \/>\n\t<meta name=\"twitter:label2\" content=\"Ber\u00e4knad l\u00e4stid\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minuter\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/\"},\"author\":{\"name\":\"Sharp Cookie Advisors\",\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/#\\\/schema\\\/person\\\/a3906974fb207b5bc5451cf1a30e72b9\"},\"headline\":\"GDPR Sensitive Data: How to Handle Article 9 
Data\",\"datePublished\":\"2026-06-08T16:03:20+00:00\",\"dateModified\":\"2026-06-08T16:03:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/\"},\"wordCount\":1461,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.gdprsummary.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/sensitive-data-.png\",\"keywords\":[\"art 6\",\"art 9\",\"GDPR\",\"health data\",\"sensitive personal data\",\"special categories data\"],\"articleSection\":[\"Fundamentals\"],\"inLanguage\":\"sv-SE\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/\",\"url\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/\",\"name\":\"GDPR Sensitive Data: How to Handle Article 9 Data - GDPR Summary\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.gdprsummary.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/sensitive-data-.png\",\"datePublished\":\"2026-06-08T16:03:20+00:00\",\"dateModified\":\"2026-06-08T16:03:26+00:00\",\"description\":\"GDPR sensitive data requires both a legal basis and a condition. 
Learn what is special category data and how to reduce compliance risk.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/#breadcrumb\"},\"inLanguage\":\"sv-SE\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"sv-SE\",\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.gdprsummary.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/sensitive-data-.png\",\"contentUrl\":\"https:\\\/\\\/www.gdprsummary.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/sensitive-data-.png\",\"width\":1085,\"height\":1450,\"caption\":\"sensitive data\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/gdpr-sensitive-personal-data\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"GDPR Sensitive Data: How to Handle Article 9 Data\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/#website\",\"url\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/\",\"name\":\"GDPR Summary\",\"description\":\"Sammanfattningen av vad du beh\u00f6ver veta om GDPR\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"sv-SE\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/#organization\",\"name\":\"GDPR 
Summary\",\"url\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"sv-SE\",\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.gdprsummary.com\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/square-bluebg.png\",\"contentUrl\":\"https:\\\/\\\/www.gdprsummary.com\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/square-bluebg.png\",\"width\":152,\"height\":152,\"caption\":\"GDPR Summary\"},\"image\":{\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/#\\\/schema\\\/person\\\/a3906974fb207b5bc5451cf1a30e72b9\",\"name\":\"Sharp Cookie Advisors\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"sv-SE\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/b23ea1ac836442df0820c19d45be92e26dd56aa2e0fae3fe35965aca587ad688?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/b23ea1ac836442df0820c19d45be92e26dd56aa2e0fae3fe35965aca587ad688?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/b23ea1ac836442df0820c19d45be92e26dd56aa2e0fae3fe35965aca587ad688?s=96&d=mm&r=g\",\"caption\":\"Sharp Cookie Advisors\"},\"description\":\"We are a business law firm with focus on tech and growth in the digital market (internet, software, digital media, cloud and mobile applications). 
Clients turn to us for strategic legal counselling regarding data driven business models, digital product development, outsourcing, transactions and data protection issues.\",\"sameAs\":[\"https:\\\/\\\/www.sharpcookie.se\",\"https:\\\/\\\/www.facebook.com\\\/sharpcookieadvisors\",\"https:\\\/\\\/www.instagram.com\\\/sharpcookieadvisors\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/sharp-cookie-advisors\\\/\",\"https:\\\/\\\/x.com\\\/https:\\\/\\\/twitter.com\\\/sharpcookieadv\"],\"url\":\"https:\\\/\\\/www.gdprsummary.com\\\/sv\\\/author\\\/gdpr-infosharpcookie-se\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","amp_enabled":true}