The General Data Protection Regulation (GDPR) is one of the world’s most stringent data protection laws. It provides a legal framework for collection and processing of the personal data of EU individuals.
The GDPR distinguishes between “special categories of personal data” (also referred to as “sensitive”) and other personal data and imposes stricter requirements on collection and processing of sensitive data. Understanding these differences will help your company comply with the requirements and avoid heavy penalties.
In this article, we’ll explain what personal data is considered “sensitive” according to the GDPR. We’ll also examine how a web analytics solution like Matomo can help you maintain compliance.
What is sensitive personal data?
The following categories of data are treated as sensitive:
- Personal data revealing:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic and biometric data;
- Data concerning a person’s:
- Health; or
- Sex life or sexual orientation.
- Personal data revealing:
Sensitive vs. non-sensitive personal data: What’s the difference?
While both categories include information about an individual, sensitive data is seen as more private, or requiring a greater protection.
Sensitive data often carries a higher degree of risk and harm to the data subject, if the data is exposed. For example, a data breach exposing health records could lead to discrimination for the individuals involved. An insurance company could use the information to increase premiums or deny coverage.
In contrast, personal data like name or gender is considered less sensitive because it doesn’t carry the same degree of harm as sensitive data.
Unauthorised access to someone’s name alone is less likely to harm them or infringe on their fundamental rights and freedoms than an unauthorised access to their health records or biometric data. Note that financial information (e.g. credit card details) does not fall into the special categories of data.
Legality of processing
Under the GDPR, both sensitive and nonsensitive personal data are protected. However, the rules and conditions for processing sensitive data are more stringent.
Article 6 deals with processing of non-sensitive data and it states that processing is lawful if one of the six lawful bases for processing applies.
In contrast, Art. 9 of the GDPR states that processing of sensitive data is prohibited as a rule, but provides ten exceptions.
It is important to note that the lawful bases in Art. 6 are not the same as exceptions in Art. 9. For example, while performance of a contract or legitimate interest of the controller are a lawful basis for processing non-sensitive personal data, they are not included as an exception in Art. 9. What follows is that controllers are not permitted to process sensitive data on the basis of contract or legitimate interest.
The exceptions where processing of sensitive personal data is permitted (subject to additional requirements) are:
- Explicit consent: The individual has given explicit consent to processing their sensitive personal data for specified purpose(s), except where an EU member state prohibits such consent. See below for more information about explicit consent.
- Employment, social security or social protection: Processing sensitive data is necessary to perform tasks under employment, social security or social protection law.
- Vital interests: Processing sensitive data is necessary to protect the interests of a data subject or if the individual is physically or legally incapable of consenting.
- Non-for-profit bodies: Foundations, associations or nonprofits with a political, philosophical, religious or trade union aim may process the sensitive data of their members or those they are in regular contact with, in connection with their purposes (and no disclosure of the data is permitted outside the organisation, without the data subject’s consent).
- Made public: In some cases, it may be permissible to process the sensitive data of a data subject if the individual has already made it public and accessible.
- Legal claims: Processing sensitive data is necessary to establish, exercise or defend legal claims, including legal or in court proceedings.
- Public interest: Processing is necessary for reasons of substantial public interest, like preventing unlawful acts or protecting the public.
- Health or social care: Processing special category data is necessary for: preventative or occupational medicine, providing health and social care, medical diagnosis or managing healthcare systems.
- Public health: It is permissible to process sensitive data for public health reasons, like protecting against cross-border threats to health or ensuring the safety of medicinal products or medical devices.
- Archiving, research and statistics: You may process sensitive data if it’s done for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
In addition, you must adhere to all data handling requirements set by the GDPR.
Important: Note that for any data sent that you are processing, you always need to identify a lawful basis under Art. 6. In addition, if the data sent contains sensitive data, you must comply with Art. 9.
Explicit consent
While consent is a valid lawful basis for processing non-sensitive personal data, controllers are permitted to process sensitive data only with an “explicit consent” of the data subject.
The GDPR does not define “explicit” consent, but it is accepted that it must meet all Art. 7 conditions for consent, at a higher threshold. To be “explicit” a consent requires a clear statement (oral or written) of the data subject. Consent inferred from the data subject’s actions does not meet the threshold.
The controller must retain records of the explicit consent and provide appropriate consent withdrawal method to allow the data subject to exercise their rights.
Examples of compliant and non-compliant sensitive data processing
Here are examples of when you can and can’t process sensitive data:
- When you can process sensitive data: A doctor logs sensitive data about a patient, including their name, symptoms and medicine prescribed. The hospital can process this data to provide appropriate medical care to their patients. An IoT device and software manufacturer processes their customers’ health data based on explicit consent of each customer.
- When you can’t process sensitive data: One example is when you don’t have explicit consent from a data subject. Another is when there’s no lawful basis for processing it or you are collecting personal data you simply do not need. For example, you don’t need your customer’s ethnic origin to fulfil an online order.
Other implications of processing sensitive data
If you process sensitive data, especially on a large scale, GDPR imposes additional requirements, such as having Data Privacy Impact Assessments, appointing Data Protection Officers and EU Representatives, if you are a controller based outside the EU.
Penalties for GDPR non-compliance
Mishandling sensitive data (or processing it when you’re not allowed to) can result in huge penalties. There are two tiers of GDPR fines:
- €10 million or 2% of a company’s annual revenue for less severe infringements
- €20 million or 4% of a company’s annual revenue for more severe infringements
In the first half of 2023 alone, fines imposed in the EU due to GDPR violations exceeded €1.6 billion, up from €73 million in 2019.
Examples of high-profile violations in the last few years include:
- Amazon: The Luxembourg National Commission fined the retail giant with a massive $887 million fine in 2021 for not processing personal data per the GDPR.
- Google: The National Data Protection Commission (CNIL) fined Google €50 million for not getting proper consent to display personalised ads.
- H&M: The Hamburg Commissioner for Data Protection and Freedom of Information hit the multinational clothing company with a €35.3 million fine in 2020 for unlawfully gathering and storing employees’ data in its service centre.
One of the criteria that affects the severity of a fine is “data category” — the type of personal data being processed. Companies need to take extra precautions with sensitive data, or they risk receiving more severe penalties.
What’s more, GDPR violations can negatively affect your brand’s reputation and cause you to lose business opportunities from consumers concerned about your data practices. 76% of consumers indicated they wouldn’t buy from companies they don’t trust with their personal data.
Organisations should lay out their data practices in simple terms and make this information easily accessible so customers know how their data is being handled.
Get started with GDPR-compliant web analytics
The GDPR offers a framework for securing and protecting personal data. But it also distinguishes between sensitive and non-sensitive data. Understanding these differences and applying the lawful basis for processing this data type will help ensure compliance.
Looking for a GDPR-compliant web analytics solution?
At Matomo, we take data privacy seriously.
Our platform ensures 100% data ownership, putting you in complete control of your data. Unlike other web analytics solutions, your data remains solely yours and isn’t sold or auctioned off to advertisers.
Additionally, with Matomo, you can be confident in the accuracy of the insights you receive, as we provide reliable, unsampled data.
Matomo also fully complies with GDPR and other data privacy laws like CCPA, LGPD and more.
Start your 21-day free trial today; no credit card required.
Disclaimer
We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to GDPR. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.
Try Matomo for Free
21 day free trial. No credit card required.