
GDPR sensitive personal data explained: Definitions, requirements, and penalties

The GDPR sets strict standards for protecting the personal data of EU/EEA residents, including special requirements for processing sensitive personal data. Understanding these requirements helps organizations implement appropriate safeguards and maintain compliant data processing practices.
Published by Usercentrics
Feb 27, 2025

The General Data Protection Regulation (GDPR) sets strict standards for how organizations must handle personal data collected from individuals in the European Union (EU) and European Economic Area (EEA). This comprehensive data protection regulation applies to all organizations that collect or process this data — regardless of where the organization is located — if they offer goods or services to EU/EEA residents or monitor their behavior.

Among its many requirements, the GDPR places specific legal obligations on how organizations may handle special categories of personal data or sensitive personal data. These data categories receive additional protections due to their potential impact on an individual’s rights and freedoms if they are misused.

In this article, we’ll look at what constitutes sensitive personal data under the GDPR, what additional protections it receives, and the steps organizations can take to achieve compliance with the GDPR’s requirements.

What is sensitive personal data under the GDPR?

Sensitive personal data includes specific categories of data that require heightened protection under the GDPR, because their misuse could significantly impact an individual’s fundamental rights and freedoms.

Under Art. 9 GDPR, sensitive personal data is:

  • data revealing an individual’s racial or ethnic origin
  • information related to a person’s political opinions or affiliations
  • data concerning a person’s religious or philosophical beliefs
  • information indicating whether a person is a member of a trade union
  • data that provides unique insights into a natural person’s inherent or acquired genetic characteristics
  • biometric data that can be used to uniquely identify a natural person, such as fingerprints or facial recognition data
  • information regarding an individual’s past, current, or future physical or mental health
  • data concerning a person’s sex life or sexual orientation

Recital 51 GDPR elaborates that the processing of photographs is not automatically considered processing of sensitive personal data. Photographs fall under the definition of biometric data only when processed through specific technical means that allow the unique identification or authentication of a natural person.

By default, the processing of sensitive personal data is prohibited under the GDPR. Organizations must meet specific conditions to lawfully handle such information.

This higher standard of protection reflects the potential risks associated with the misuse of sensitive personal data, which could lead to discrimination, privacy violations, or other forms of harm.

What is the difference between personal data and sensitive personal data?

Under the GDPR, personal data includes any information that can identify a natural person — known as a data subject under the regulation — either directly or indirectly. This may include details such as an individual’s name, phone number, email address, physical address, ID numbers, and even IP address and information collected via browser cookies.

While all personal data requires protection, sensitive personal data faces stricter processing requirements and heightened protection standards. Organizations must meet specific conditions before they can collect or process it.

The distinction lies in both the nature of the data and its potential impact if misused. Regular personal data helps identify an individual, while sensitive personal data reveals intimate details about a person’s life, beliefs, health, or characteristics that could lead to discrimination or other serious consequences if compromised. Note that some data many people consider private, such as financial details, is not on the Art. 9 list; it is ordinary personal data and is protected by the general rules rather than the special-category regime.


Conditions required for processing GDPR sensitive personal data

Under the GDPR, processing sensitive personal data is prohibited by default. However, Art. 9 GDPR outlines specific conditions under which processing is allowed.

  • Explicit consent: The data subject can provide explicit consent for one or more specified purposes, unless EU or member state law provides that the prohibition cannot be lifted by consent. Data subjects must also have the right to withdraw consent at any time, and withdrawing must be as easy as giving it (Art. 7 GDPR).
  • Employment and social protection: Processing is necessary to carry out the controller’s or data subject’s obligations or rights under employment, social security, and social protection law, as authorized by law or a collective agreement providing appropriate safeguards.
  • Vital interests: Processing is necessary to protect the vital interests of the data subject or of another natural person, and the data subject is physically or legally incapable of giving consent.
  • Nonprofit activities: A foundation, association, or other nonprofit body with a political, philosophical, religious, or trade union aim can process sensitive data in the course of its legitimate activities, but only in relation to members, former members, or individuals in regular contact with the organization. The data cannot be disclosed outside the body without the data subjects’ consent.
  • Public data: Data may be processed if the data subject has manifestly made the personal data public.
  • Legal claims: Processing is necessary for establishing, exercising, or defending legal claims, or whenever courts are acting in their judicial capacity.
  • Substantial public interest: Processing may be necessary for reasons of substantial public interest, based on EU or member state law that is proportionate, respects the essence of the right to data protection, and provides suitable safeguards.
  • Healthcare: Processing may be required for medical purposes, including preventive or occupational medicine, assessing an employee’s working capacity, medical diagnosis, providing health or social care treatment, or health or social care system management. The data must be handled by professionals bound by legal confidentiality obligations under EU or member state law, or by others subject to similar secrecy requirements.
  • Public health: Processing may be necessary for public health reasons, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care, medicinal products, or medical devices, with safeguards for the data subject’s rights, in particular professional secrecy.
  • Archiving and research: Processing may be required for archiving purposes in the public interest, scientific or historical research, or statistical purposes, subject to the safeguards of Art. 89(1) GDPR.

The GDPR authorizes EU member states to implement additional rules or restrictions for processing genetic, biometric, or healthcare data. They may establish stricter standards or safeguards beyond the regulation’s requirements.

Art. 4 GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Although the GDPR does not separately define explicit consent, the term is understood to demand more than the “clear affirmative action” that ordinary consent already requires: the data subject must expressly confirm consent, for example through a written or recorded statement or by ticking a box that refers specifically to the sensitive data and the purpose in question. Pre-ticked boxes, inactivity, or implied consent through continued use of a service do not meet the GDPR’s requirements for consent at all, let alone for explicit consent.

Common examples of explicit consent mechanisms include:

  • ticking an opt-in checkbox, such as selecting “I Agree” in a cookie banner
  • confirming permission for marketing emails, particularly with a double opt-in process
  • permitting location tracking for a map application by responding to a direct authorization request

For sensitive personal data, the request must name the category of data and the specific purpose it will be used for; a general acceptance of terms or of cookies does not cover, for example, the later processing of health data for a different purpose.
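As an added example (not code from the original article or from Usercentrics), the following Python sketch shows how the rules in this section translate into an enforcement point inside an application: a consent register that only accepts consent captured through an affirmative act, records withdrawals as first-class events, answers the question “did valid consent for this purpose and category exist at this moment?”, and a default-deny gate that refuses to touch a special category unless an Art. 9(2) condition is documented. It also serves the withdrawal and record-keeping items in the checklist at the end of the article. The class and function names, the category labels and the evidence strings are assumptions made for illustration; the subject IDs and purposes in the demo are constructed.

```python
"""Default-deny gate for special-category (Art. 9 GDPR) processing.

Added example: names, labels and the in-memory store are illustrative assumptions,
not code from the original article or from any CMP product.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Art9Basis(Enum):
    """The ten conditions in Art. 9(2) GDPR that lift the default prohibition."""
    EXPLICIT_CONSENT = "Art. 9(2)(a)"
    EMPLOYMENT_SOCIAL_PROTECTION = "Art. 9(2)(b)"
    VITAL_INTERESTS = "Art. 9(2)(c)"
    NONPROFIT_MEMBERS = "Art. 9(2)(d)"
    MANIFESTLY_PUBLIC = "Art. 9(2)(e)"
    LEGAL_CLAIMS = "Art. 9(2)(f)"
    SUBSTANTIAL_PUBLIC_INTEREST = "Art. 9(2)(g)"
    HEALTH_OR_SOCIAL_CARE = "Art. 9(2)(h)"
    PUBLIC_HEALTH = "Art. 9(2)(i)"
    ARCHIVING_RESEARCH_STATISTICS = "Art. 9(2)(j)"


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str      # consent is purpose-specific: Art. 9(2)(a) says "specified purposes"
    category: str     # illustrative label such as "health" or "biometric" (assumption)
    granted: bool     # False records a withdrawal under Art. 7(3)
    evidence: str     # how the affirmative act was captured, e.g. "opt-in checkbox"
    at: datetime


class ConsentRegister:
    """Append-only record of explicit consent grants and withdrawals.

    Nothing is ever deleted: the history is the controller's evidence that consent
    existed (or had already been withdrawn) at the moment processing happened.
    """

    # Capture methods the article rules out; they never count as consent.
    NOT_AFFIRMATIVE = frozenset({"pre-ticked box", "inactivity", "continued use", "implied"})

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, category: str,
              evidence: str, at: datetime | None = None) -> ConsentEvent:
        if evidence in self.NOT_AFFIRMATIVE:
            raise ValueError(f"{evidence!r} is not a clear affirmative action; consent not recorded")
        return self._append(subject_id, purpose, category, True, evidence, at)

    def withdraw(self, subject_id: str, purpose: str, category: str,
                 at: datetime | None = None) -> ConsentEvent:
        # Withdrawal must be as easy as giving consent, so it is never refused.
        return self._append(subject_id, purpose, category, False, "withdrawal request", at)

    def is_valid(self, subject_id: str, purpose: str, category: str,
                 at: datetime | None = None) -> bool:
        """True only if the newest event for this exact (subject, purpose, category) is a grant."""
        when = at or datetime.now(timezone.utc)
        latest = None
        for ev in self._events:   # appended in order, so the last match is the newest
            if (ev.subject_id, ev.purpose, ev.category) == (subject_id, purpose, category) and ev.at <= when:
                latest = ev
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Everything recorded for one data subject, e.g. to answer an access request."""
        return [ev for ev in self._events if ev.subject_id == subject_id]

    def _append(self, subject_id, purpose, category, granted, evidence, at) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, category, granted, evidence,
                          at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev


def authorize(register: ConsentRegister, subject_id: str, purpose: str, category: str,
              basis: Art9Basis | None, audit: list[dict]) -> bool:
    """Default-deny gate placed in front of any code path that reads special-category data.

    Every decision, allowed or refused, is appended to `audit` so the records of
    processing activities can show which Art. 9(2) condition was relied on.
    """
    if basis is None:
        allowed, reason = False, "no Art. 9(2) condition documented; prohibited by default"
    elif basis is Art9Basis.EXPLICIT_CONSENT:
        allowed = register.is_valid(subject_id, purpose, category)
        reason = f"{basis.value}: consent {'present' if allowed else 'absent or withdrawn'}"
    else:
        # The other conditions rest on the controller's documented legal assessment;
        # this gate only records which one was invoked, it cannot verify it.
        allowed, reason = True, f"{basis.value} invoked by controller"
    audit.append({"subject": subject_id, "purpose": purpose, "category": category,
                  "allowed": allowed, "reason": reason})
    return allowed


if __name__ == "__main__":
    reg, audit = ConsentRegister(), []
    reg.grant("user-42", "symptom-tracking", "health", "opt-in checkbox")
    print(authorize(reg, "user-42", "symptom-tracking", "health", Art9Basis.EXPLICIT_CONSENT, audit))  # True
    print(authorize(reg, "user-42", "ad-targeting", "health", Art9Basis.EXPLICIT_CONSENT, audit))      # False
    reg.withdraw("user-42", "symptom-tracking", "health")
    print(authorize(reg, "user-42", "symptom-tracking", "health", Art9Basis.EXPLICIT_CONSENT, audit))  # False
```

The two design choices worth copying are the default-deny shape of `authorize` (a missing basis is a refusal, not a warning) and the purpose-and-category granularity of `is_valid`: consent recorded for symptom tracking does not silently extend to advertising, and consent for health data does not extend to genetic data. In a real deployment the register would be backed by durable, tamper-evident storage and the non-consent branches would reference the entry in the records of processing activities that documents the legal assessment.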

Additional compliance requirements for processing sensitive personal data under the GDPR

Organizations processing personal data under the GDPR must follow several core obligations. These include maintaining records of processing activities, providing transparent information on data practices, and adhering to principles such as data minimization and purpose limitation. However, processing sensitive personal data requires additional safeguards due to the potential risks involved.

Data Protection Officer (DPO)

Organizations with core activities that involve large-scale processing of sensitive personal data must appoint a Data Protection Officer (DPO) under Art. 37 GDPR. The DPO may be an employee of the organization or an outside consultant.

Among other responsibilities, the DPO monitors GDPR compliance, advises on data protection obligations, and acts as a point of contact for regulatory authorities.

Data Protection Impact Assessment (DPIA)

Art. 35 GDPR requires a Data Protection Impact Assessment (DPIA) for processing operations that are likely to result in a high risk to individuals’ rights and freedoms. Art. 35(3)(b) names large-scale processing of special categories of data as one such case, so for that kind of processing a DPIA is mandatory rather than a matter of judgment. The assessment helps organizations identify and minimize data protection risks before beginning processing activities, and if it shows residual high risk that cannot be mitigated, the supervisory authority must be consulted first (Art. 36 GDPR).

Restrictions on automated processing and profiling

Art. 22(4) GDPR prohibits decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects on a person from being based on sensitive personal data unless one of the following applies:

  • the data subject has explicitly consented
  • the processing is necessary for reasons of substantial public interest under the law

If automated processing of sensitive personal data is permitted under these conditions, organizations must implement safeguards to protect individuals’ rights and freedoms.

Penalties for noncompliance with the GDPR

GDPR penalties are substantial. Art. 83 GDPR sets two tiers of maximum fines, and which tier applies depends on which provisions were infringed. Within a tier, supervisory authorities set the amount using factors such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, and any previous infringements by the same organization.

For severe infringements, organizations face fines up to:

  • EUR 20 million, or
  • four percent of total global annual turnover of the preceding financial year, whichever is higher

Less severe violations can result in fines up to:

  • EUR 10 million, or
  • two percent of global annual turnover of the preceding financial year, whichever is higher

Violations involving sensitive personal data fall in the higher tier: Art. 83(5)(a) lists infringements of the basic principles for processing, including the conditions for consent and the Art. 9 conditions, among those subject to the higher maximum. Supervisory authorities still consider the specific circumstances of each case when determining the actual penalty.

Practical steps for organizations to protect GDPR sensitive personal data

Organizations handling sensitive personal data must take proactive measures to meet GDPR requirements and protect data subjects’ rights.

Conduct data mapping

Organizations should identify and document all instances in which sensitive personal data is collected, processed, stored, or shared. This includes tracking data flows across internal systems and third-party services. A thorough data inventory helps organizations assess risks, implement appropriate safeguards, and respond to data subject requests efficiently.

Develop internal policies

Establish clear internal policies and procedures to guide employees through the proper handling of sensitive personal data. These policies should cover, among other things, data access controls, storage limitations, security protocols, and breach response procedures, as well as specific procedures for data collection, storage, processing, and deletion. Organizations should conduct regular training programs to help employees understand their responsibilities and recognize potential compliance risks.

Where explicit consent is the Art. 9(2) condition an organization relies on, that consent must be obtained before processing sensitive personal data starts and must be demonstrable afterwards (Art. 7(1) GDPR). Consent management platforms (CMPs) like Usercentrics CMP provide transparent mechanisms for users to grant or withdraw explicit consent, which enables organizations to be transparent about their data practices and maintain detailed records of consent choices.

Manage third-party relationships

Many businesses rely on third-party vendors to process sensitive personal data, so it’s essential that these partners meet GDPR standards. Organizations should implement comprehensive data processing agreements (DPAs) that define each party’s responsibilities, outline security requirements, and specify how data will be handled, stored, and deleted. Businesses should also conduct due diligence on vendors to confirm their compliance practices before engaging in data processing activities. 

Perform regular audits

Conducting periodic reviews of data processing activities helps businesses identify compliance gaps and address risks before they become violations. Review consent management practices, security controls, and third-party agreements on a regular basis to maintain GDPR compliance and respond effectively to regulatory scrutiny.


Checklist for GDPR sensitive personal data handling compliance

Below is a non-exhaustive checklist to help your organization handle sensitive personal data in compliance with the GDPR. This checklist includes general data processing requirements as well as additional safeguards specific to sensitive personal data. 


For advice specific to your organization, we strongly recommend consulting a qualified legal professional or data privacy expert.

  • Identify which Art. 9(2) condition you rely on for each processing activity involving sensitive personal data. Where that condition is explicit consent, obtain it before processing starts, using a transparent mechanism that helps data subjects understand exactly what data and which purpose they are agreeing to.
  • Create straightforward processes for users to withdraw consent at any time, which should be as easy as giving consent. Stop data collection or processing immediately or as soon as possible if consent is withdrawn.
  • Implement robust security measures such as encryption, access controls, and pseudonymization (Art. 32 GDPR) to protect sensitive personal data from unauthorized access or breaches. Keep in mind that only fully anonymized data falls outside the GDPR; data that can still be linked back to a person, even through a separately held key, remains personal data.
  • Keep comprehensive records of all data processing activities involving sensitive personal data. Document the purpose, legal basis, and retention periods.
  • Publish clear and accessible privacy policies that inform users how their sensitive data is collected, used, stored, and shared.
  • Update your data protection policies regularly to reflect changes in processing activities, regulations, or organizational practices.
  • Train employees on GDPR requirements and proper data handling procedures, emphasizing security protocols and compliance obligations.
  • Create clear protocols for detecting, reporting, and responding to data breaches. Include steps for notifying the supervisory authority, where feasible within 72 hours of becoming aware of the breach (Art. 33 GDPR), and for notifying affected individuals without undue delay when the breach is likely to result in a high risk to them (Art. 34 GDPR).
  • Conduct data protection impact assessments (DPIAs) before starting new processing activities involving sensitive data.
  • Determine if your organization requires a Data Protection Officer based on the scale of sensitive personal data processing.
  • Verify that all external processors that handle sensitive data meet GDPR requirements through formal agreements and regular audits.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.