
What is sensitive data?

What exactly is sensitive data? How is it different from regular personal data? How could the processing of sensitive data affect your business?

In this post, we’ll answer all these questions and show you what you may need to do to collect and process sensitive personal information.

What is sensitive data

Definition of sensitive data

Most data privacy laws mention special categories of personal data, which the processor should handle more carefully.

Sensitive data relates to the user’s racial or ethnic origin, religious belief, political opinion, health or sexual life data; or data that allows the unequivocal and persistent identification of the user, such as genetic or biometric data (for a more in-depth definition of sensitive information, you can read Article 9 of the GDPR).

It differs from regular personal data because, if shared, it could lead to discrimination against the user.

Can I process sensitive data?

The collection and processing of sensitive data is generally allowed. However, you may need to apply extra layers of security when handling it.

Let’s have a closer look at the main laws and their specific requirements:


Under the GDPR, you may only process sensitive data if the user has given explicit and informed consent, meaning that they need to clearly understand what they’re consenting to.

The processing is also allowed if the data is of vital importance in matters of public interest, social security, health, etc.

If you collect and process personal data, and particularly if the processing is large-scale, you need to appoint a Data Protection Officer (DPO) and carry out a Data Protection Impact Assessment (DPIA).


Even though under the CCPA sensitive data falls under the category of regular personal data, you may need to ask the user to opt in when sensitive information is at stake.

This is especially true when there are minors involved.


Like the GDPR, the Brazilian LGPD allows the processing of personal data only if users have given their consent or if consent exceptions apply.

How does the processing of sensitive data affect my business?

If your business collects and processes sensitive data, you may need to take extra steps to make sure you’re storing it securely.

Here’s what you may need to do:

  1. Make sure that you absolutely need the data. A key principle of data privacy laws is data minimization – i.e. limiting your processing to only the data you truly need for your purposes. If you’ve determined that you really do need to process this data, then continue to point 2.
  2. Make sure that you’re able to provide the higher levels of security legally required to process this data.
  3. Ensure that you have a proper legal basis to process the data. Under the GDPR this may mean fully informing the user, getting explicit consent from the person, and assigning a DPO – under other laws, it may mean other things.

See which laws apply to you and make sure you’re following the rules.

How iubenda can help

Here’s how iubenda’s solutions can greatly help when you’re processing sensitive data:

  • Our Privacy and Cookie Generator makes it easy to add legally required disclosures and add information related to your assigned Data Protection Officer and much more.
  • Our internal Privacy Management Solution also helps you to keep track of your processing activities and the purposes and legal bases attached to them, as legally required.
  • Assigning a Data Protection Officer? Use this free Data Protection Officer (DPO) Appointment Letter (GDPR Template)
