Javascript is required

Protection of sensitive data

Protection of sensitive data
Paul-Emmanuel Bidault
Paul-Emmanuel Bidault
27 December 2023·5 minutes read time

Special protection for sensitive data

As early as 1974, civil society became aware that certain data needed greater protection. In particular, this concerns data that is sensitive from the point of view of fundamental rights and freedoms, such as that which affects the privacy of individuals, human identity, or which presents a high risk to individuals if it is misused. These are known as sensitive data.

Other types of data are also subject to special protection: national insurance numbers, data relating to criminal convictions, offences, security measures, etc.

The processing of such data therefore requires compliance with a strict legal framework.

Definition of sensitive data (Article 9.1 of the GDPR): the prohibition principle

So-called sensitive or special data is prohibited in principle by the GDPR because it concerns the intimacy of private life. Sensitive data includes

  • racial or ethnic origin
  • political opinions
  • Philosophical or religious beliefs
  • Trade union membership
  • Health (physical or mental)
  • Sex life or sexual orientation
  • Genetic data
  • Biometric data for the purpose of identifying an individual

NB: A clear distinction must be made between sensitive data within the meaning of the GDPR (such as that described below) and data of a certain sensitivity: banking data, financial data, data covered by an industrial secret. Sensitive data is not subject to specific processing rules.

Exceptions to the prohibition principle

There are a few exceptions to the prohibition principle:

  • Data provided by the data subject with his/her explicit consent,
  • Data necessary for the performance of obligations under employment and social law,
  • Data required to safeguard the vital interests of the individual,
  • Data processed for the management of members of a non-profit organisation (political, philosophical, religious, trade union),
  • Data made public by the data subject,
  • Data required for the establishment, exercise or defence of legal claims,
  • Data required for reasons of substantial public interest,
  • Data required for medical purposes (preventive medicine, diagnosis, management of health services, etc.),
  • Data required for reasons of public interest in the field of public health,
  • Data required for archival purposes in the public interest or for scientific or historical research,
  • Data for statistical purposes, subject to guarantees.

You can refer to article 9 of the GDPR (9.2 in particular), as well as to the principle of lawfulness of processing, for further clarification, because in the documentation to be provided to the data protection authority, there is a need to justify the sensitive nature of the data and the lawfulness of the processing.

For example, for a dating site: the site will need to obtain the person's explicit consent to lift the ban on processing linked to sexual orientation.

In the case of sensitive data, the rule of explicit consent applies in addition to being free, specific, informed, unambiguous and easily revocable. The term explicit refers to the way in which consent is expressed by the data subject. It implies that the person concerned must formulate a declaration of express consent.

Some examples are provided for the data controller:

A consent box that is not pre-ticked A written declaration signed by the person concerned Sending verification by email to the person consenting to the processing of this sensitive data.

The case of data relating to criminal convictions and offences

Although data relating to criminal convictions and offences does not qualify as sensitive data, it is nevertheless highly protected. The aim is to prevent the possibility of private criminal records.

It may only be processed by :

  • Courts, public authorities and legal entities managing a public service,
  • Auxiliaries to the law, in the exercise of their statutory duties (such as lawyers and bailiffs),
  • Natural or legal persons defending their interests as victims or defendants,
  • Copyright collection and distribution societies and copyright defence organisations.

The national identification number

Although it is not considered sensitive within the meaning of Article 9 of the GDPR, the national identification numberor any other identifier of general application enjoys special protection under the GDPR, as stated in Article 87.

This number can include the following information about an individual :

  • Gender
  • Year of birth
  • Month of birth
  • Entity ID code, city of birth
  • Special character (ie. key).

The national identification number is typically protected by each Member State

For example in France there is le décret "cadre NIR" .

Only a few organisations are authorised to process the national identification number (or national insurance number) by a decree issued by the Council of State. This applies, for example, to social security bodies, healthcare professionals, public or private employers (for payroll management and calculating contributions), and the French national employment agency for the payment of social security contributions for jobseekers.

Special cases: processing operations not subject to this restriction

There are some special cases, which are exclusively processing for the purposes of public statistics, scientific research or historical research. There are also certain processing operations whose purpose is to provide users with an e-government teleservice, and certain processing operations involving the national identification number may also be carried out subject to authorisation from the data protection authority.

Subscribe to our newsletter

We will send you a few emails to keep you informed of our news and what's new in our solution

* You will always be able to unsubscribe on each newsletter. Learn more.