Iubenda logo
Start generating

Documentation

Table of Contents

Examples of sensitive data

Many of the laws on data privacy mention special categories of personal data, which should be more carefully handled if you’re collecting or processing users’ data. This typically refers to “sensitive data”.

As you may need to apply extra layers of security when it comes to sensitive data, it’s important to know what is exactly considered sensitive personal information, and what it’s not.

In this post, we’ll give you examples of sensitive data and show you what you may need to do to process it in accordance with data privacy laws.

Examples of sensitive data

What are sensitive data?

Sensitive data are typically defined as personal information whose processing could potentially lead to the user’s discrimination. They include information such as race or ethnic origin, sexual orientation, religious beliefs, but also information about the user’s health, for instance.

International laws on data privacy may have different views on sensitive data.
Anyway, there is also a common ground: all the laws agree that you should collect and process sensitive data only if they are really necessary to your activity. If you do need to collect sensitive information, then you should store it securely and with the utmost care.

Examples of sensitive data

As we mentioned, what is considered sensitive data may differ from law to law. Anyway, we can find some examples of sensitive data in Article 9 of GDPR, that can apply more broadly.

According to GDPR, sensitive data can be:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data: biometrics are human measurements that can lead to a person’s identification. They include things like fingerprints, face recognition, DNA, etc.;
  • data concerning health;
  • data concerning a natural person’s sex life or sexual orientation.

Can I process sensitive data?

In general, the collection and processing of sensitive data is allowed but with additional requirements such as higher levels of security, transparency, and accountability. With that said, various laws may have specific requirements – we’ll take a look at the main ones below.

  • GDPR: under the GDPR, you may only process sensitive data if the user has given explicit and informed consent or if the data is of vital importance in matters of public interest, social security, health, ect. If you collect and process personal data, and particularly if it’s a large scale processing, you need to appoint a Data Protection Officer (DPO) and to carry out a Data Protection Impact Assessment (DPIA).
  • CCPA & CalOPPA: even though for the CCPA the category of sensitive data falls under the category of regular personal data, you may need to ask the user to opt-in when sensitive information is at stake, especially when there are minors involved.
  • LGPD: as the GDPR, the Brazilian LGPD allows the processing of personal data only if users have given their consent or if consent exceptions apply.

So, here’s what you may need to do to process sensitive information:

  1. Make sure that you absolutely need the data. A key principle of data privacy laws in data minimization – i.e. limiting your processing to only the data you truly need for your purposes. If you’ve determined that you do really need to process this data, then continue to point 2.
  2. Make sure that you’re able to provide the higher levels of security legally required to process this data.
  3. Ensure that you have a proper legal basis to process the data. Under the GDPR this may mean fully informing the user, getting explicit consent from the person, and assigning a DPO – under other laws, it may mean other things.
  4. See which laws apply to you and make sure you’re following the rules.

💡 Not sure what laws apply to you? Take this quiz!

How iubenda can help

Processing sensitive data? Here’s how iubenda’s solutions can greatly help:

  • Our Privacy and Cookie Generator makes it easy to add legally required disclosures and add information related to your assigned Data Protection Officer and much more.
  • Our internal Privacy Management Solution also helps you to keep track of your processing activities and the purposes and legal bases attached to them, as legally required.
  • Assigning a Data Protection Officer? Use this free Data Protection Officer (DPO) Appointment Letter (GDPR Template)

Everything you need to know about
compliance in one course!

In our free Intro to Online Compliance email course you’ll learn:

  • Online Compliance basics
  • Which laws apply to you
  • How to comply

This easy-to-understand course is suitable
for all knowledge levels.

Sign up for the 7-part series below.

No strings attached. Unsubscribe anytime.
We won’t send you any emails other than the course, unless you later sign up for more.
For further details, review our Privacy Policy.