Am I processing sensitive personal data?

In our latest post in our Article’s series, we look at Article 9 – Processing of special categories of personal data (sometimes this is referred to as sensitive personal data).

The GDPR Article 9 states:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

There are some exclusions, but do not collect any of the personal data listed above unless you absolutely need to and you can show legitimate reasons for doing so.


If you process personal data unlawfully, under the GDPR, it is likely that this will be taken into account in any fine that may be imposed on your organisation. This is highlighted in Article 89 2 “When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: … (g) the categories of personal data affected by the infringement;”

There are a number of situations you may be able to process special category data, including but not limited to where:

You have explicit consent

If the data subject (the individual) has given you explicit consent (see our Conditions for Consent article for more details) to process their special category data.

Consent from the individual can however be overridden by local or EU laws if the relevant authority has ruled that consent cannot be given in your case.

The data is in the public domain

If the data subject has but the data in the public domain you may be able to process this data but use this exception with caution.

There is a legal requirement

You may be able to process special if it is necessary to for a legal defence or you are a court acting in judicial capacity.

You are a non-profit

In some cases if you are a non-profit and the data refers to existing or former members you may be able to process special categories of data. For instance political or religious bodies will likely know political information and religious information, respectively, about their members.

The data is Health related

Health data is very sensitive in nature and covers a broad range of potentially sensitive data. There are situations where processing heath data is permissible:

• Assessing an employee’s capacity to work
• Medical diagnosis and treatment
• Social care provisioning

The GDPR has expanded on the Data Protection Directive by providing a formal legal justification for regulatory uses of healthcare data in the health and pharmaceutical sectors, and by providing for the sharing of health data with providers of social care. This will require obligations of confidentiality to be in place by way of additional safeguards.

It is in the vital interests of the individual

In some cases it may be acceptable to process special category data where it’s clearly in the interests of the individual. This may be especially true if the individual is somehow physically or legally incapable of giving consent.

It is in the public interest

There may be insistences where it’s in the substantial public interest to process special category data, subject to member state and EU law.


Processing of special category data is a complex area especially when data could be considered special depending on context. For example, if you collect data about employee’s partners (husbands, wife’s etc.) you may inadvertently be creating sensitive data about employee’s sexual orientation.

A Data Processing Impact Assessment (DPIA) could be a useful starting point to assess whether the data you are processing is likely to result in a high risk to the rights and freedoms of individuals.

Once you understand your risks you can take appropriate action to ensure you have the correct mitigation.

Prior Consultation

After a DPIA, if you are still unsure about the status of any personal data, direct or implied, you should seek a ruling from the ICO otherwise known as prior consultation.


Only collect special category data if you absolutely need to and ensure you have the correct legal basis for doing so.

If in doubt complete a DPIA, understand your risks and put in place appropriate mitigation against any risks.

Only keep special category data for as long as you need you, once it no longer needed securely remove it form your systems in an auditable way.

If you would like to know more about how GDPR Auditing can help your organisation with the GDPR or have any suggestions of future posts for this series please email us at or the author

© GDPR Auditing 2017.

The information provided in this post is for general information only and is not intended to provide legal advice.