What is sensitive data in GDPR?

Sensitive personal data is a special category of personal data that requires greater security and special processing requirements. Article 9(1) of GDPR prohibits processing special categories of personal data unless certain criteria are met, as stated in Article 9(2).

Sensitive data include data revealing

  • Racial or ethnic origin
  • Religious or political beliefs
  • Trade union membership
  • Genetic or biometric data
  • Mental health or sexual health
  • Sexual orientation

As the nature of sensitive personal data is critical, processing sensitive personal data requires additional security requirements under the GDPR.