Article 9 of the GDPR: Processing of sensitive data
Article 9 of the GDPR explained
Sensitive data concerns in particular:
- Racial or ethnic origin
- Political, religious or philosophical opinions
- Union membership
- Genetic or biometric data
- Health data
- Sex life or sexual orientation
The processing of this data is in principle prohibited, unless one of the exceptions provided applies (e.g. explicit consent, necessity for medical reasons, important public interest, etc.).
Why is this article important for your GDPR compliance?
Sensitive data can seriously expose data subjects in the event of misuse or breach. Article 9 therefore imposes additional guarantees. In the event of non-compliance, penalties can be heavy as this is a high level of risk.
How to comply with Article 9 of the GDPR?
- Clearly identify whether you are processing sensitive data (including indirectly).
- Check if an exception in section 9 applies to you.
- Obtain explicit consent when required.
- Implement enhanced security measures (e.g. encryption, anonymization, restricted access).
- Keep an up-to-date record of these treatments and be prepared to justify their legitimacy.
Examples of application of Article 9 of the GDPR
- A clinic processes the health data of its patients: it is authorized to do so for medical reasons under the responsibility of professionals.
- An employer cannot collect an employee's union membership without a legal basis or explicit consent.
- A menstrual tracking application collecting health data must obtain explicit consent from its users.
Related Resources
Accelerate your compliance in just a few clicks
With our all-in-one solution, you can accelerate and ensure compliance easily:
- Automate your compliance with our GDPR software
- Supported or outsourced by our DPO experts
- Raise awareness among your teams with our GDPR training e-learning
👉 Request a demo with an expert
⚡ Assess your situation in 15 minutes with our free, no-obligation GDPR self-diagnosis.
👉 GDPR: Self-assess now
