SITTIG LAW Law Firm Blog

GDPR sensitive personal data

Special categories of personal data according to Art. 9 and 10 GDPR – such as health or criminal records data – are subject to a strict prohibition on processing. Processing is only permissible under narrow exceptions. For extensive operations, a Data Protection Impact Assessment (DPIA, Art. 35 GDPR) is mandatory. Errors lead to significant disadvantages for data subjects, fines, and possible criminal consequences.
Why sensitive data carries special weight

The GDPR treats certain categories of data with particular strictness—and for good reason. Whether it's health data in an employee file, a customer's religious beliefs, or an applicant's criminal record: if processed improperly, this information can lead to significant discrimination or other serious disadvantages for the individuals concerned.

For companies, this means: anyone processing sensitive data is operating in a legally demanding area. Mistakes have not only financial consequences in the form of fines, but can also have criminal relevance. This aspect is regularly underestimated in practice. We advise companies precisely at this intersection of data protection law and criminal law.

Art. 9 GDPR: The Prohibition on Processing and its Exceptions

Which data categories are covered?

Article 9(1) of the GDPR lists eight particularly sensitive categories of data exhaustively:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data processed for the purpose of uniquely identifying a natural person
  • Health data
  • Data concerning sex life or sexual orientation

The basic processing ban

The basic principle of Article 9 GDPR is clear: the processing of these data categories is prohibited. The prohibition applies to all forms of processing – collection, storage, use, transmission, modification, and deletion. A single processing step is enough to trigger it.

This prohibition applies unless one of the grounds for exemption under Art. 9(2) GDPR applies.

Exceptions, Article 9(2) GDPR

  • lit. a – Express consent: The data subject has given explicit consent to the processing for one or more specific purposes. Consent must be freely given, informed, unambiguous, and specific. Tacit consent or simply the absence of an objection is not sufficient.
  • lit. b – Labor and social law obligations: Processing is necessary for the fulfillment of obligations and the exercise of specific rights in the field of labor and social law and is permitted by Union law, national law, or a collective agreement.
  • lit. c – Vital interests: Processing is necessary to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent.
  • lit. d – Legitimate activities of foundations, associations, or other organizations: Applies to not-for-profit bodies with political, philosophical, religious, or trade union aims – and only within the scope of their legitimate activities towards members and former members.
  • lit. e – Publication by the data subject: The data subject has manifestly made the data public themselves.
  • lit. f – Legal claims: Processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity. Relevant in practice, for example, for the processing of health data in labor law disputes.
  • lit. g – Substantial public interest: Processing is necessary for reasons of substantial public interest, on the basis of Union law or national law.
  • lit. h – Health care and occupational medicine: The processing is necessary for healthcare or occupational medicine purposes, for the assessment of work capacity, or for medical treatment and care.
  • lit. i – Public interest in public health: Concerns the fight against serious cross-border health threats and is not directly relevant to most private sector companies.
  • lit. j – Archival purposes, scientific and historical research: The processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes. This requires a national law as a legal basis.

Art. 10 GDPR: Criminal Data

Scope and Content

Art. 10 GDPR contains a standalone rule for a category of data that sits alongside the special categories of Art. 9 GDPR: data relating to criminal convictions and offenses, as well as related security measures.

This includes:

  • Convictions for criminal offenses
  • The offenses themselves
  • Related security measures (e.g., probation, professional bans, driving bans)

The processing of personal data relating to criminal convictions and offences under Article 10 GDPR is only permitted if there is a specific legal basis. Possible legal bases may arise, for example, from § 26 BDSG, where processing is required to detect criminal offenses or to perform the employment relationship, or from Art. 6 GDPR.

Relevance for Businesses

For private companies, the question regarding Article 10 GDPR primarily arises in the following scenarios:

Background checks during hiring: Many employers require a police clearance certificate as part of the application process or obtain information about criminal records through other means.

Internal investigations: When a company investigates an internal suspicion of criminal behavior by an employee – such as fraud, embezzlement, or corruption – it processes data relevant to criminal law. This internal investigation is subject to Article 10 GDPR. It requires a clear legal basis, a defined procedure, and proportionate measures.

Credit checks related to criminal offenses: Credit bureaus may store and transmit data on criminal offenses (e.g., fraud offenses). The use of such data by companies is subject to Article 10 of the GDPR.

Compliance screening: In the area of anti-money laundering or sanctions compliance, companies check business partners for criminal records. This also touches on Article 10 GDPR and requires a viable legal basis.

The Data Protection Impact Assessment (DPIA), Art. 35 of the GDPR

What is a DPIA and when is it mandatory?

The data protection impact assessment is a structured procedure for identifying, evaluating, and minimizing the risks that data processing entails for the rights and freedoms of data subjects. Article 35 GDPR obliges the controller to carry out a DPIA if processing is "likely to result in a high risk to the rights and freedoms of natural persons".

Art. 35(3) GDPR names three groups of cases in which a DPIA is always required:

  1. Systematic and comprehensive assessment of personal aspects through automated processing, including profiling, on the basis of which decisions with significant effects are made
  2. Extensive processing of special categories according to Art. 9 GDPR or data on criminal convictions according to Art. 10 GDPR
  3. Systematic, widespread surveillance of publicly accessible areas

Content and Procedure of a Data Protection Impact Assessment

A proper DPIA according to Art. 35 GDPR must include the following elements:

1. Systematic description of the planned processing operations: What is being processed? Which data categories? For what purpose? With what means and technologies? Who has access?

2. Assessment of Necessity and Proportionality: Is the processing necessary for the pursued purpose? Are there less intrusive means? Is the interference with the rights of data subjects proportionate to the pursued objective?

3. Assessment of the risks to the rights and freedoms of data subjects: What specific risks exist – data loss, misuse, discrimination, identity theft? What is the probability of them occurring? How severe are the consequences?

4. Planned Remedial Actions: What measures are planned? How will risks be reduced to an acceptable level? Are the measures proportionate and effective?

5. Statement of the Data Protection Officer: If a data protection officer has been appointed, they must be involved in the data protection impact assessment (DPIA) as per Article 35 GDPR.

Common mistakes in data protection impact assessments in practice

  • Missing DPIA despite obligation: Many companies do not conduct a data protection impact assessment even though the requirements of Article 35 GDPR are met – often due to a lack of knowledge or because they shy away from the effort.
  • Superficial risk analysis: The DPIA is treated as a formality and does not contain a concrete assessment of the actual risks of the processing. General formulations are not sufficient.
  • Outdated DPIA: The DPIA is not a one-time process. It must be reviewed and updated when the processing situation changes significantly – new technologies, new purposes, new recipients.
  • No data protection officer involved: Once a DPO has been appointed, involving them is not optional but mandatory.

The most important data categories in detail

Health data – the most common problematic case

Health data is the most frequently processed category of sensitive data in practice. Art. 4 No. 15 GDPR defines it broadly: It covers all personal data relating to the physical or mental health status of a natural person. This includes diagnoses, medical reports, sick notes, disabilities, need for care, test results, vaccination status, and health insurance data.

Biometric Data – Growing Relevance Through Digitalization

Art. 4 No. 14 GDPR defines biometric data as personal data resulting from specific technical processing of the physical, physiological, or behavioral characteristics of a natural person. Crucially, not all biometric information falls under Art. 9 GDPR. The provision only applies where the data is processed for the purpose of uniquely identifying a natural person.

Practical tips for companies

1. Inventory: What sensitive data do you process at all?
Many companies are unaware that they process data according to Art. 9 or Art. 10 GDPR. The first step is a systematic analysis of all processing activities within the scope of the record of processing activities according to Art. 30 GDPR.

2. Document the legal basis for each processing operation
For every processing of sensitive data, one of the grounds under Article 9 GDPR (or Article 10 GDPR in conjunction with a legal provision) must apply. This basis must be documented in writing.

3. Perform the DPIA early, not retrospectively
The DPIA must be carried out before processing begins, not afterward. Anyone who only starts the DPIA when a problem arises has already violated Art. 35 GDPR.

4. Limit access rights to "need to know"
Sensitive data may only be accessible to those who need it for their specific task. Extensive access rights without a legitimate reason are a typical and easily avoidable violation.

5. Use encryption and pseudonymization
For sensitive data, encryption at rest and in transit, as well as pseudonymization, are among the minimum requirements for technical and organizational measures (TOMs) according to Article 32 GDPR.

6. Involve the Data Protection Officer
Whether internal or external: anyone who has a DPO must involve that person in the DPIA. Anyone who does not yet have a DPO should check whether there is an obligation to appoint one under Article 37 of the GDPR; this is often the case when sensitive data is processed extensively.

7. Train employees regularly
Data privacy violations often arise from human error. Regular training, especially for employees who work with sensitive data, is essential and serves as an important mitigating argument to supervisory authorities in case of a dispute.

Recommendation for action

Articles 9 and 10 of the GDPR form the core of the special protection of sensitive data in European data protection law. The general prohibition of processing special categories of data, the narrow exceptions, and the strict requirements for technical and organizational protective measures make this area a compliance priority for any company processing such data.

The data protection impact assessment under Article 35 of the GDPR is not a bureaucratic hurdle, but a genuine risk management tool. Those who conduct it early on, thoroughly, and with expert support not only protect the rights of data subjects but also shield their own company from significant liability risks.

Particularly important here is looking beyond mere data protection: violations involving sensitive data – especially those under Article 10 GDPR – can have criminal consequences that go far beyond GDPR fines.

As a law firm specializing in IT law, data protection law, and criminal law, we are available to provide you with comprehensive advice. Please contact us.

Frequently asked questions
Article 9 GDPR protects eight categories of particularly sensitive personal data (health, biometrics, religion, etc.) against discrimination through a general prohibition on processing, subject to exceptions. Article 10 GDPR specifically governs criminal data – offenses, convictions, and related security measures – and permits their processing only under the control of official authority or on the basis of Union or Member State law.

Whenever processing is likely to result in a high risk to the rights and freedoms of data subjects (Art. 35 GDPR). It is mandatory in three groups of cases: automated profiling with significant decision-making consequences, extensive processing of special categories of data according to Art. 9 or 10 GDPR, and systematic monitoring of public areas.

Yes. According to the prevailing opinion, the mere information that a person is ill is already considered health data – even without a diagnosis. Even the frequency of days of absence can, under certain circumstances, allow conclusions to be drawn about health conditions.

Not mandatory, but frequent. Article 35 GDPR requires a DPIA for "extensive" processing. The extent, context, and purpose of the processing are decisive.

In principle, yes, but with increased requirements: a data processing agreement according to Art. 28 GDPR, appropriate technical and organizational measures (especially encryption), and, for providers outside the EEA, suitable transfer mechanisms (standard contractual clauses) as well as a transfer impact assessment.

In practice, the most common issues are: missing data protection impact assessments despite being mandatory, superficial risk analyses without concrete consideration of processing risks, outdated data protection impact assessments after significant changes to the processing, and lack of involvement of the Data Protection Officer.

Consent under Article 6 of the GDPR is a general legal basis for processing personal data. For special categories of data, it is not sufficient on its own; explicit consent under Article 9 of the GDPR is required in addition, which sets stricter requirements for content and form. Furthermore, member states can legally restrict the effectiveness of consent in certain contexts (e.g., in employment relationships).
Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.