Your guide to sensitive data and GDPR

A guide to understanding what sensitive data is under the GDPR, and when it can be processed.

Your guide to sensitive data and GDPR
Your guide to sensitive data and GDPR
Clive Mackintosh
January 10, 2023

GDPR Rep is on a mission to help every business understand the GDPR, achieve and maintain GPDR representation.

Check our our guide to understanding what sensitive data is under the GDPR, and when it can be processed.                                                                                                                                                                    

Special category data is also commonly referred to as sensitive data. To be able to process this type of data an organisation must have a lawful basis for doing so as well as an additional condition for processing under Article 9 of the GDPR.

What is special category data?

The GDPR defines special category data as:

  • personal data relating to a person’s racial or ethnic origin
  • personal data about someone’s political opinions
  • personal data revealing religious or philosophical beliefs
  • personal data about a person’s trade union membership
  • genetic data held about a living person
  • biometric data processed for identification purposes
  • data concerning a person’s health
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation
GDPR Terms and definitions you need to know

When you can use special category data

You can only process special category data if you have a lawful basis under Article 6 of the GDPR.

You must be able to rely on one or more of the permitted lawful grounds whenever you process personal data. These are:

(a) Consent: This involves the individual giving their clear and unconditional consent for you to process their personal data for a specific purpose.

(b) Contract: This applies when you have a contractual relationship with the individual such as an Employer/ Employee and the processing is necessary to perform the contract or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: This applies when you are legally required, or authorised to process a person’s sensitive data and a failure to do so would put you in breach of that legal provision.

(d) Vital interests: Only applies when processing is necessary to protect someone’s life.

(e) Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. This usually only applies to public bodies and similar organisations.

(f) Legitimate interests: This applies when processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal information which overrides those legitimate interests. 

It is important to understand that you must choose one or more of these lawful grounds before you process any form of special category data. You must be sure to choose the correct one(s) that fit your processing purposes and requirements.

There is also a requirement to identify one of the special conditions for processing special category data under Article 9 of the GDPR. 

These are:

(a) Explicit consent of the individual

(b) For employment, social security and social protection (if authorised by law)

(c) Vital interests of the individual

(d) You are a Not-for-profit body

(e) The data has been made public by the individual

(f) For the purpose of bringing or defending legal claims or judicial acts

(g) For reasons of substantial public interest 

(h) As required by health or social care 

(i) Matters of public health 

(j) For archiving, research and statistical purposes.

If you will be processing large quantities of special category data, you should first carry out a data protection impact assessment. In doing so you will assess the risks of processing and what technical and organisational measures may need to be implemented within your organisation to ensure that this data will remain sufficiently secure in your systems, networks and databases.   

Inadvertently losing, disclosing or sharing this type of data will result in a heavy fine from a Supervising Authority. 

In a recent article we look at some of the most common data protection mistakes, which often result in an organisation finding itself in breach of the GDPR, read now or favourite for later - Common mistakes that could result in a GDPR breach.

GDPR Rep is on a mission to help every business achieve and maintain GPDR representation. If you are looking into how your organisation can fulfil its requirements why not schedule a no-commitment call with a GDPR representative expert today, or get a quote to understand how our value pricing makes compliance simple.

GDPR Representation get your quote
We use cookies on our site.
GDPREP.ORG would like to use performance and analytic cookies while you visit and browse our site to improve your experience. This means we may collect some of your data and you can read more about our use of cookies here. You can withdraw your consent at any time by emailing us at: View our Cookie Policy for more information.