What is Sensitive Data in GDPR?

The analysis of Article 9(1) GDPR demonstrates that "special categories of personal data"—commonly termed sensitive personal data—are subject to explicit processing prohibitions unless one of the exceptions under Article 9(2) applies (Voigt & Von dem Bussche, 2017). The principal findings identify the following as sensitive data under GDPR:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for unique identification
• Data concerning health
• Data concerning a natural person's sex life or sexual orientation

Processing of these data types is fundamentally restricted. The results indicate that data controllers must ensure:

• Explicit consent is obtained (unless another exception applies)
• Processing is strictly limited to the purposes stated in Article 9(2)
• Additional security measures are implemented, including encryption and pseudonymization, to safeguard these data types. 

The discussion further highlights that the risk of harm in the event of unauthorized disclosure is markedly elevated for sensitive data. This risk underpins the GDPR’s requirement for "greater security and special processing requirements" (Voigt & Von dem Bussche, 2017). For instance, biometric and genetic data not only identify individuals but may also reveal familial relationships and predispositions, amplifying privacy risks (Kuner et al., 2020).

In summary, the GDPR’s approach to sensitive personal data is characterized by:

• Strict prohibitions on processing without a qualifying legal basis
• Mandatory security controls tailored to the critical nature of the data
• Special obligations for transparency and accountability by data controllers

Research shows that compliance failures involving sensitive personal data attract significantly higher enforcement penalties and reputational risks.