Information about Personal Data
Privacy-sensitive personal data
There are four groups of privacy-sensitive personal data, but only two of them have special provisions in the GDPR. Whichever group the data falls into, the rules for processing it are stricter than for ordinary personal data.
Four groups of privacy-sensitive personal data
The four groups of privacy-sensitive personal data are the following:
- Sensitive personal data (Article 9 of the GDPR);
- Criminal convictions and offences (Article 10 of the GDPR);
- Personal identity number; and
- Subjectively privacy-sensitive data.
Can companies process sensitive personal data according to GDPR?
Sensitive personal data is one of the groups of privacy-sensitive personal data. In addition, sensitive personal data have special provisions in the GDPR, where they are referred to as “special categories of personal data”. The processing of these special categories of personal data is prohibited under the general rule of Article 9 of the GDPR, but there are some exceptions.
The following are the special categories of personal data:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data to uniquely identify a natural person;
- Health data; and
- Sex life or sexual orientation.
Explicit consent
If a company obtains the explicit consent of the individual to process their sensitive personal data for one or more specified purposes, the processing may be permitted under Article 9(2)(a) of the GDPR. Note that Article 9(2)(a) also allows Union or Member State law to provide that the prohibition cannot be lifted by consent at all, so consent is not always available as a basis.
Employers usually process health data
Employers usually need to process data about employees' health, such as sick leave, which constitutes sensitive personal data. This has practical consequences for security: a pay slip containing information about sick leave should, for example, not be sent via unencrypted email, since that does not provide a level of security appropriate to the risk. The legal basis for this kind of processing is usually an obligation under labour law, relying on the exception in Article 9(2)(b).
Personal data on criminal convictions and offences
Although personal data relating to breaches of the law do not constitute sensitive personal data within the meaning of Article 9 of the GDPR, this type of personal data enjoys a higher level of protection than other personal data.
What is covered by personal data about violations of the law?
- Offences committed;
- Suspicion of crime;
- Judgments in criminal cases; and
- Coercive measures under criminal law (such as pre-trial detention or travel bans).
Can companies store personal data about violations of the law for the purpose of making legal claims?
Yes, a company may, in certain cases, process personal data about violations of the law in order to make legal claims. Consider, for example, a bank that suspects a customer of involvement in money laundering. The legal basis in such cases is a legal obligation: the bank is required by law to investigate and, if the suspicion persists, to report it to the relevant authority.
Data protection authorities may decide on general and individual exceptions
Under Article 10 of the GDPR, private parties may process personal data about breaches of the law only where Union or Member State law authorises it. Member States may give their national data protection authorities the power to grant general exemptions for such processing. In Sweden, for example, the national data protection authority has granted exemptions for the activities of lawyers and for whistleblowing schemes concerning persons holding a leading or key position. In addition, an individual private operator may obtain an exemption for its own processing by applying to the authority.
Personal identity number is privacy-sensitive personal data
The GDPR does not itself lay down rules for the processing of personal identity numbers; Article 87 leaves the conditions for processing national identification numbers to Member State law. In most EU Member States they are nevertheless regarded as particularly worthy of protection. Personal identity numbers do not, however, constitute sensitive personal data within the meaning of Article 9 of the GDPR.
The rules may differ widely from one Member State to another
In Sweden, personal identity numbers are public information that anyone can obtain, which is unusual in other countries. In Finland, by contrast, only the person to whom the number belongs and authorities that need it in their work may obtain it.
Subjective privacy-sensitive data
A great deal of personal data can be subjectively privacy-sensitive, that is, personal data whose processing by someone else the individual experiences as an intrusion into their privacy. Examples include location information (GPS data) and bank account details. There is no specific provision in the GDPR regulating this group, but the processing of such data is still subject to rules.
When a company is required to notify a personal data breach to the national data protection authority, it must, among other things, state whether the breach involves personal data of this kind. In addition, a data protection impact assessment under Article 35 may be required before the processing of subjectively privacy-sensitive data begins.
Learn more about Personal Data
The life cycle of personal data
There are three key steps in the life cycle of personal data that businesses must understand in order to comply with the GDPR. The first step is the company obtaining access to the personal data. The second step concerns the company's processing of the personal data after collection. In the final stage, the termination of the processing, the company needs to ensure that the processing is ended correctly, for example by deleting or anonymising the data. There are many rules to follow within each step of the life cycle of personal data.