The European Union’s General Data Protection Regulation (GDPR) sets rigorous standards for the protection of personal data. Among its key provisions is the definition and special treatment of “sensitive data.” According to the GDPR, this is data that reveals specific information about a person and requires additional protection due to its confidential nature. Let’s explore in detail what elements the GDPR considers sensitive data and why it is crucial to protect it properly.

What is sensitive data according to the GDPR?

Sensitive data, according to the GDPR, are specific categories of personal information that can reveal very intimate or private aspects of a person. This data is especially sensitive due to the risk it poses to the privacy and security of individuals if handled inappropriately or publicly displayed. Below are some of the explicit categories of sensitive data under the GDPR:

  1. Health Information

Data related to a person’s physical or mental health constitutes sensitive data. This includes any medical information, treatment records, diagnoses, medical histories, etc.

  2. Biological Data

This may encompass genetic or biometric data that can uniquely identify an individual. Genetic data can reveal information about ancestry, genetic predispositions, or specific physical characteristics. Biometric data includes unique physical traits such as fingerprints and facial or voice recognition data.

  3. Personal Information

Certain types of personal information are also considered sensitive under the GDPR, especially when linked to legal or financial aspects. This includes details such as marital status, sexual orientation, religious or philosophical beliefs, and union membership.

  4. Data Related to Minors

The personal information of minors, especially when it relates to online services or activities that require parental consent, is also considered sensitive under the GDPR.

  5. Location Data

Data that reveals the precise location of a person in real time or historically is also classified as sensitive. This may include GPS coordinates, travel logs, or any other information that may identify an individual’s physical location.

Protection and Compliance

The GDPR imposes strict requirements on how organizations must handle this sensitive data:

  • Informed Consent: Organizations must obtain explicit and specific consent to process sensitive data, unless there is a valid alternative legal basis.
  • Security Measures: Appropriate security measures are required to protect this data against unauthorized access, loss or damage.
  • International Transfers: Transfers of sensitive data outside the EU are subject to specific restrictions to ensure an adequate level of protection.


Understanding what elements the GDPR considers sensitive data is essential for any organization that handles personal information. Properly protecting this data not only satisfies legal requirements, but also builds trust and ensures the privacy of individuals.

Nymiz offers advanced anonymization solutions that help organizations comply with GDPR regulations when processing sensitive data. By effectively anonymizing this data, Nymiz ensures that critical personal information is not accessible or identifiable, thereby mitigating privacy risks and complying with legal requirements.
