Key References:

  • Art. 9
  • Recitals 7, 10, 34-35, 51.

Sensitive personal data

Special categories of data (also known as, sensitive personal data) are by their nature sensitive therefore the GDPR has embedded additional safeguards including specific requirements for its processing. Member states can derogate from the Regulation and lay down specific provisions on processing special categories of data. See Recital 51.

Art. 9(1) Personal data that reveals the following information is special categories of data:

  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs, or
  • trade union membership,
  • genetic data, biometric data for the purpose of uniquely identifying a natural person,
  • data concerning health or
  • data concerning a natural person’s sex life or sexual orientation.

Art. 9(2) exemptions to process sensitive personal data:

  • a) explicit consent of data subject
  • b) processing required under employment or social security law
  • c) processing required to protect vital interests of data subject or a third party
  • d) processing carried out legitimately within ambit of membership in an association, nonprofit etc.
  • e) processing of data manifestly made public by data subject
  • f) processing necessary for legal claims and courts
  • g) processing has substantial public interest (based on member states’ law)
  • h) processing for medical or social care (based on member states’ law)
  • i) processing for public health
  • j) processing for archiving or scientific or research purposes (based on member states’ law).

Note: Processing personal data requires a lawful basis under Art. 6(1)(a)-(f). Processing sensitive personal data must also meet the exemptions listed under Art.9(2)(a)-(j).

Art. 10 – Data relating to criminal convictions and offenses

  • Data on criminal offenses or convictions is not considered sensitive or special category of data under Art. 9.
  • However, under Art. 10, data relating to criminal convictions or offenses can only be processed either under official capacity, or when processing is authorized by Member state laws.
  • e.g. UK ICO provides a checklist for processing criminal data by non-officials that includes: a) identifying eligibility to process criminal data laid down under the UK Data Protection Act 2018, Schedule 1, b) identifying Art. 6 lawful basis to process criminal data, c) satisfying the documentations requirements, and so forth.