Sensitive data according to the GDPR
Organizations collect information from consumers every day. This information ranges from first and last names to bank account details and many of it is sensitive data that must be protected through security practices to prevent data breaches or identity theft.
What is meant by sensitive data? This term refers to a particular type of personal data concerning certain attributes of a particular individual that are deemed worthy of protection.
After the entry into force of Regulation (EU) No. 2016/679, or GDPR (General Data Protection Regulation), these data are considered special data, a subset of the broader class of personal data, i.e., information that identifies or makes identifiable, directly or indirectly, a natural person and that may provide information about his or her characteristics, habits, lifestyle, personal relationships, health status, economic situation, and so on.
In detail, special category data are those that reveal:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical convictions;
- Trade union membership;
- Information relating to a person’s sex life or sexual orientation.
Article 9 of the GDPR on sensitive data also includes:
- Genetic data: inherited or acquired, obtained by DNA and RNA analysis from a biological sample;
- Biometric data: such as facial image, by which a specific natural person can be identified;
- Health data: both physical and mental, past, present, or future, but also information on health care services.
Difference between personal data and sensitive data
The main difference between personal data and sensitive data concerns the private nature of information that can lead to discrimination, even unintentional discrimination.
Two examples of sensitive data
To better understand what information is part of the personal data group and what identifies special data, let’s take two simple examples:
- Every Sunday morning, John Doe goes to the coffee shop near his home and eats breakfast while reading the newspaper. This is not sensitive data, but personal data because it concerns John’s lifestyle;
- Every year John Doe renews the membership of the party he supports, attends meetings and rallies. His party membership falls into the category of special data because it is information that reveals John’s political beliefs.
Another example of special data is whether John Doe is celiac and vegan. The former datum relates to John’s health condition, while the latter relates to his beliefs.
How to process these data
Article 9 of the GPDR allows the processing of special data only if the data subject has given his or her explicit consent or has manifestly made his or her sensitive data public. However, special data may be processed even in the absence of the data subject’s consent if they fall under the exceptions listed in Article 9(2):
- Fulfilling obligations and exercising specific rights of the data controller or data subject in the field of labor and social security law and social protection;
- Protecting a vital interest of the data subject or another natural person where the data subject is physically or legally incapable of giving consent;
- When processing is carried out, within the scope of its legitimate activities and with appropriate safeguards, by a foundation, association, or other nonprofit body pursuing political, philosophical, religious, or trade union purposes, provided that the processing relates only to members, former members, or persons who have regular contact with the foundation, association, or body by reason of its purposes and that the personal data are not disclosed externally without the consent of the data subject;
- Establishing, exercising or defending a right in court or whenever the judicial authorities exercise their jurisdictional functions;
- In case of public interest and public health reasons;
- For the purposes of preventive or occupational medicine, assessment of the employee’s ability to work, diagnosis, health or social care or treatment, or management of health or social care systems and services;
- For the purposes of archiving in the public interest, scientific or historical research or for statistical purposes.
