Sensitive personal data encompasses special categories of personal data that reveal particularly private aspects of an individual's life, such as health information, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership and sexual orientation. Under the GDPR, processing these categories is prohibited unless a specific legal exception applies, such as explicit consent or a vital interest of the data subject.
Organisations that process sensitive personal data must implement heightened security measures and conduct Data Protection Impact Assessments where the processing is likely to result in high risk. Proper handling of sensitive data is frequently scrutinised during audits and regulatory inspections, making it essential to maintain detailed records of processing activities and lawful bases.