A GDPR lawyer assesses sensitive data, security measures and documentation requirements
Sensitive personal data is a specific category of personal data subject to strict safeguards. These special categories of personal data include, for example, information about an individual’s health, ethnic origin, political opinions and biometric data.
Processing sensitive personal data is considered so high risk that, as a rule, it is prohibited unless a relevant exception applies, and any such processing is subject to additional requirements. These data categories are addressed in a dedicated GDPR article. Morling Consulting provides legal expertise to help companies and organisations comply with GDPR and ensure the correct handling of special categories of personal data.
We identify which sensitive personal data is present in the business and where in your flows and systems it is processed, to define a clear scope.
We link the processing to the relevant exemption under GDPR and other applicable requirements in GDPR and related regulations, so the legal basis is clear and traceable.
We turn the observations into a workable plan with clear decision points on ownership, security, and documentation, based on risk and impact.
We produce and update what’s needed in practice—such as instructions, processes, registers, assessment materials, and routines that can be used day to day.
We establish ongoing control points for training, reviews, and incident handling, so the handling of special categories of personal data remains robust over time as the business changes.
Special category data requires stronger safeguards, clear access control and well-defined workflows. Ensure you control storage, the incident process and documentation showing why and how you process the data. Click through to build practical protection that works in operation.
Despite good intentions, many organisations make errors when handling sensitive personal data. Common pitfalls include:
Knowing and avoiding these errors is critical to GDPR compliance and to minimising the risk of data breaches and administrative fines. With the right support and advice, organisations can ensure secure and lawful handling of sensitive personal data.
Special categories of personal data
Under GDPR, certain data are classified as sensitive and are referred to as “special categories of personal data”. Processing is lawful only if an exception in GDPR or other legislation applies. These categories include data revealing:
Sensitive personal data is not limited to data that directly discloses one of the above. It also includes data that indirectly allows conclusions to be drawn, for example that a person is a member of a specific political party (political opinions) or holds trade union membership (GDPR).
To process sensitive personal data under GDPR you must first establish a lawful basis, such as consent from the data subject where appropriate. In addition, organisations must implement appropriate safeguards to reduce the risk of harm to individuals, for example due to a personal data breach or unauthorised access. This aligns with the GDPR sensitive personal data definition and clarifies what is sensitive personal data (GDPR).
Processing sensitive personal data requires particular care and strict adherence to GDPR. Key actions include:
Morling Consulting helps organisations ensure the correct processing of sensitive personal data under GDPR and avoid legal risks. We provide tailored solutions to strengthen data protection and ensure compliance with applicable law.
Our GDPR lawyers can review your data protection routines and show how to improve your GDPR compliance. Contact us to discuss GDPR.
Sensitive personal data has special protection under GDPR. These are the special categories of personal data, namely: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a person, health data, and data concerning a person’s sex life or sexual orientation.
Personal data can be divided into categories. Common identifiers include national ID numbers, names and email addresses, often linked to, for example, purchase history or card details. Special categories of personal data, by contrast, include sensitive data such as health data and biometric data.
As a general rule, sensitive personal data must not be processed. Only where an exception applies—such as valid consent—may it be processed for the specific purpose for which consent was given.
By applying technical and organisational measures (GDPR). These may include encryption, restricted access and internal data protection procedures. In addition, follow GDPR’s core principles—such as the GDPR data minimisation principle—to reduce processing risks.
Breaches of GDPR can result in fines and damages payable to affected individuals, as well as reputational harm.
Healthcare, financial services and recruitment regularly process sensitive personal data and must ensure processing complies with GDPR, supported by robust records of processing activities (GDPR).
Do you need support when processing sensitive personal data? Contact us to discuss.