Sensitive personal data under GDPR
What is classed as sensitive personal data under GDPR?
Sensitive personal data is a specific category of personal data subject to strict safeguards. These special categories of personal data include, for example, information about an individual’s health, ethnic origin, political opinions and biometric data.
Processing sensitive personal data is considered so high risk that, as a rule, it is prohibited unless a relevant exception applies, and any such processing is subject to additional requirements. These data categories are addressed in a dedicated GDPR article. Morling Consulting provides legal expertise to help companies and organisations comply with GDPR and ensure the correct handling of special categories of personal data.
Common mistakes when handling special categories of personal data
Despite good intentions, many organisations make errors when handling sensitive personal data. Common pitfalls include:
- Poor documentation – failing to document the processing of sensitive personal data and lacking the records of processing activities that GDPR requires.
- Insufficient safeguards – relying only on basic IT controls and not implementing encryption, access controls or logging.
- Unclear consent – obtaining consent that does not meet GDPR requirements of being freely given, specific and withdrawable.
- Collecting more data than necessary – gathering sensitive data beyond what is required for the stated purpose, contrary to the GDPR data minimisation principle.
- No or inadequate training – staff are not trained on how to handle sensitive personal data, increasing the risk of mistakes and incidents.
Knowing and avoiding these errors is critical to GDPR compliance and to minimising the risk of data breaches and administrative fines. With the right support and advice, organisations can ensure secure and lawful handling of sensitive personal data.
What does GDPR say about sensitive personal data?
Under GDPR, certain data are classified as sensitive and are referred to as “special categories of personal data”. Processing is lawful only if an exception in GDPR or other legislation applies. These categories include data revealing:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic data,
- biometric data for the purpose of uniquely identifying a natural person,
- health, or
- a person’s sex life or sexual orientation.
Sensitive personal data is not limited to data that directly discloses one of the above. It also includes data from which such information can be inferred indirectly, for example that a person is a member of a specific political party (revealing political opinions) or of a trade union.
To process sensitive personal data under GDPR you must first establish a lawful basis, such as consent from the data subject where appropriate. In addition, organisations must implement appropriate safeguards to reduce the risk of harm to individuals, for example from a personal data breach or unauthorised access. Together, the list of categories and these conditions define what GDPR treats as sensitive personal data and when it may be processed.
How organisations should handle special categories of personal data
Processing sensitive personal data requires particular care and strict adherence to GDPR. Key actions include:
- Risk assessment – Identify which sensitive personal data is processed and how it is protected.
- Technical and organisational measures – Implement the controls GDPR calls for, such as encryption, access restriction and regular security reviews.
- Data minimisation – Collect only what is necessary for the purpose and limit retention periods.
- Clear internal policies – Ensure staff understand how sensitive personal data may be processed and provide training on applicable rules.
- Incident management – Establish procedures to identify, report and manage personal data incidents promptly.
Morling Consulting helps organisations ensure the correct processing of sensitive personal data under GDPR and avoid legal risks. We provide tailored solutions to strengthen data protection and ensure compliance with applicable law.
Our GDPR lawyers can review your data protection routines and show how to improve your GDPR compliance. Contact us to discuss GDPR.
Frequently asked questions about sensitive personal data
Sensitive personal data has special protection under GDPR. These are the special categories of personal data, namely: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a person, health data, and data concerning a person’s sex life or sexual orientation.
Personal data can be divided into categories. Common identifiers include national ID numbers, names and email addresses, often linked to, for example, purchase history or card details. Special categories of personal data, by contrast, include sensitive data such as health data and biometric data.
As a general rule, sensitive personal data must not be processed. Only where an exception applies, such as valid consent, may it be processed, and then only for the specific purpose for which the consent was given.
By applying the technical and organisational measures GDPR requires. These may include encryption, restricted access and internal data protection procedures. In addition, follow GDPR's core principles, such as data minimisation, to reduce the risks of processing.
Breaches of GDPR can result in fines and damages payable to affected individuals, as well as reputational harm.
Healthcare, financial services and recruitment regularly process sensitive personal data and must ensure processing complies with GDPR, supported by robust records of processing activities.
Contact us
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85.