Sensitive personal data
“Sensitive personal data” is an unofficial term used to describe several categories of personal data that, according to the General Data Protection Regulation (GDPR), require special protection due to the significant risks to the fundamental rights and freedoms that the processing of such data may create. These categories are formally referred to in the GDPR as “special categories of personal data”.
The GDPR prohibits the processing of special categories of personal data by default; processing is allowed only when specific conditions are met. These conditions include the individual's explicit consent, data that the individual has made public, use in the fields of employment and social security, and processing justified by substantial public interest.
According to the GDPR, special categories of personal data include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used for uniquely identifying an individual
- Health data
- Data concerning an individual’s sex life or sexual orientation
Special categories of personal data largely overlap with “sensitive personal information” as defined by the California Privacy Rights Act (CPRA).
Together, the GDPR’s “special categories of personal data” and the CPRA’s “sensitive personal information” are often colloquially referred to as “sensitive personally identifiable information (SPII).”