Back to all glossary articles

Sensitive data

Sensitive data is a special category of personal data under the GDPR.

The following types of information fall under this definition:

  • health data
  • racial or ethnic origin
  • religious beliefs
  • sexual orientation
  • trade-union memberships
  • political opinions
  • biometric data

As a Data controller , you must meet the following conditions in order to process sensitive data:

  • You must obtain user consent
  • The processing is necessary to protect the vital interests of the data subject when one is unable to give consent
  • The data subject has revealed the sensitive data publicly
  • It is necessary for claims or in a legal process
  • Processing the data for reasons of substantial public interest on the basis of EU or national law
  • You are processing the data for preventive or occupational medicine
  • The processing is required for public health reasons – preventing epidemics, etc.

For more details we recommend reading this article prepared by the European Commission.

What’s more, such data requires special protection from unauthorized access to ensure that the privacy and security of both individuals and companies is properly guarded. You can read about this here.

  • HIPAA-compliant analytics for healthcare systems: How hospital marketing teams can measure what matters

    Patients now research symptoms, compare providers, and book appointments entirely online before ever contacting a hospital. Healthcare marketers need to adapt to digital-first patient journeys, run campaigns for numerous service lines, manage hospital marketing analytics across multiple locations, and prove ROI to administrators. For nonprofit hospitals, the picture is broader still — donation tracking is…

  • Privacy by design in practice: How “just enough” data beats “just in case” collection

    While collecting more data “just in case” feels safer, according to Matt Gershoff, it’s also one of the biggest sources of unnecessary compliance risk, analytical noise, and wasted organizational resources in the analytics industry today. His approach of “just enough” data collection is more intentional, more aligned with privacy regulation, and often more analytically effective.

Other definitions

Recent posts from Piwik PRO blog