Legal Basis for Processing Sensitive Personal Data
The General Data Protection Regulation (GDPR) prohibits the processing of sensitive personal data unless you have a legal basis under Article 9(2) of the regulation. In this article, we’ll explain these legal bases, so you can identify the appropriate ones for processing sensitive personal data.
If you need a refresher on what constitutes sensitive personal data, check out our article on the subject.
Dual Legal Basis
Previously, we’ve discussed how you must have a legal basis under Article 6(1) of the GDPR to process non-sensitive personal data. When it comes to sensitive personal data, you need an additional legal basis under Article 9(2).
In other words, you must first establish a legal basis under Article 6(1) and then find a corresponding legal basis under Article 9(2) for processing sensitive personal data.
Example
To illustrate the concept of dual legal basis, let’s consider a hospital processing a patient’s health data:
- The hospital processes the patient’s data to fulfil a public authority task assigned by the state, using Article 6(1)(e) as its legal basis.
- To process sensitive health data specifically, the hospital relies on Article 9(2)(h), which allows processing for health and medical care purposes - you will more on this in this article.
Below, we’ll outline the legal bases in Article 9(2) with examples to clarify their use.
List of the Legal Bases for Processing Sensitive Personal Data
In the rest of this article, you'll find an overview of all the legal bases for processing sensitive personal data, along with examples:
- Explicit Consent – Article 9(2)(a)
- Employment Obligations – Article 9(2)(b)
- Vital Interests – Article 9(2)(c)
- Non-Profit Organisations – Article 9(2)(d)
- Publicly Disclosed Data – Article 9(2)(e)
- Legal Claims – Article 9(2)(f)
- Substantial Public Interest – Article 9(2)(g)
- Health and Social Care – Article 9(2)(h)
- Public Health – Article 9(2)(i)
- Archiving and Research – Article 9(2)(j)
It’s important that you review the legal bases relevant to your situation in the GDPR. You can find a link to the full text here.
Explicit Consent
Article 9(2)(a)
Sensitive personal data can be processed when explicit consent is obtained. Unlike standard consent of article 6(1)(a), explicit consent requires a clear, unambiguous, and documented consent from the individual. This may take the form of a written statement or a deliberate, specific action. It's worth emphasising that explicit consent is distinct from regular consent, which suffices for non-sensitive personal data.
Example
A company wants to implement a fingerprint-based access system for employees, which involves processing sensitive biometric data. However, employees still have the option to use their old access cards, making the use of biometric data voluntary. In this scenario, the company relies on explicit consent as the legal basis for processing.
Dual Legal Basis:
- Article 6(1)(a): Consent
- Article 9(2)(a): Explicit Consent
Employment Obligations
Article 9(2)(b)
Sensitive personal data can be processed if it is necessary to fulfil obligations under employment, health, or social law. This legal basis requires the processing to be grounded in legislation, such as statutory requirements, or frameworks like a collective agreement.
Example
An employer might need to process information about employees’ sick leave to ensure they receive the correct pay during illness, as required by law or a collective agreement. Similarly, processing data about an employee’s disability could be necessary to make reasonable workplace adjustments, enabling them to perform their role under suitable conditions.
Dual Legal Basis:
- Article 6(1)(c): Legal Obligation
- Article 9(2)(b): Employment Obligations
Vital Interests
Article 9(2)(c)
You can process sensitive personal data if it is necessary to protect an individual’s vital interests when no other legal basis applies, and the individual is unable to give consent. This provision is typically used in emergency situations where the processing is essential to protect someone’s life or health.
To ensure this basis isn’t used arbitrarily, the processing must be strictly necessary and proportional to the purpose. This means data can only be processed to the extent absolutely required to protect the person’s vital interests.
Example
An employee loses consciousness at work, prompting their employer to call emergency services. The emergency responders request medical information, such as allergies or medications. In this case, processing the employee's sensitive data is necessary to protect their life.
Dual Legal Basis:
- Article 6(1)(d): Vital Interests
- Article 9(2)(c): Vital Interests
Non-Profit Organisations
Article 9(2)(d)
Non-profit organisations, such as associations, foundations, or similar entities with political, philosophical, religious, or trade union purposes, may process sensitive personal data if it is necessary for the organisation’s objectives.
This basis applies only when the data concerns the organisation’s members, former members, or individuals with regular contact with the organisation. Additionally, the data must not be disclosed to third parties without the individual’s consent.
Example
A trade union processes data on its members’ union affiliations to represent them during salary negotiations. The processing is part of the union’s activities and only involves members or former members.
Dual Legal Basis:
- Article 6(1)(f): Legitimate Interest
- Article 9(2)(d): Non-Profit Organisations
Publicly Disclosed Data
Article 9(2)(e)
You can process sensitive personal data if the individual has themselves made the data publicly available, for example, through a personal website, social media, or similar platforms. However, the processing must align with what the individual could reasonably expect based on their own disclosure, in line with the GDPR’s principle of purpose limitation.
Example
An artist publicly shares on their personal website that they have been diagnosed with a chronic illness, which inspired their latest artwork. A health organisation working on the same illness uses this information in a report to raise awareness about the condition. The organisation uses the data because it is already publicly available and ensures that the processing respects the artist’s original purpose for sharing it.
Dual Legal Basis:
- Article 6(1)(f): Legitimate Interest
- Article 9(2)(e): Publicly Disclosed Data
Legal Claims
Article 9(2)(f)
You can process sensitive personal data if it is necessary to establish, exercise, or defend a legal claim. This includes processing data for legal disputes, both within and outside of court proceedings, where documentation or action is required to protect or advance a claim.
Example
A food company processes health data of consumers who became ill after consuming one of its products. The data is used to document the extent of the harm and to assess the company’s liability as part of a legal case brought against it. This processing is necessary to defend the company’s legal claims and properly handle the case.
Dual Legal Basis:
- Article 6(1)(f): Legitimate Interest
- Article 9(2)(f): Legal Claims
Substantial Public Interest
Article 9(2)(g)
Sensitive personal data can be processed if it is necessary for reasons of substantial public interest, as defined in law. The processing must be proportional and serve the specific purpose outlined in the relevant legislation.
Example
A public authority organises a hearing on labour market legislation and invites representatives from various trade unions and religious groups to participate. To ensure accurate registration and representation, the authority records the participants’ affiliations with their respective organisations. This processing is essential to facilitate dialogue and promote inclusion in the legislative process.
Dual Legal Basis:
- Article 6(1)(e): Public Authority Tasks
- Article 9(2)(g): Substantial Public Interest
Health and Social Care
Article 9(2)(h)
Sensitive personal data can be processed if it is necessary for purposes such as preventive medicine, occupational medicine, assessing an employee’s work capacity, medical diagnosis, providing health or social care, or managing health and social care services. The processing must comply with relevant legislation or form part of a contract with a healthcare professional. Additionally, the data must be handled by professionals bound by confidentiality.
Example
A medical clinic processes sensitive personal data about patients' health as part of its work diagnosing and treating patients. This includes maintaining medical records and prescribing medication. The processing is carried out under health legislation by healthcare professionals who are subject to confidentiality obligations.
Dual Legal Basis:
- Article 6(1)(e): Public Authority Tasks
- Article 9(2)(h): Health and Social Care
Public Health
Article 9(2)(i)
Sensitive personal data can be processed if it is necessary for reasons of public interest in the area of public health. This includes activities such as preventing and protecting against health threats, or ensuring high standards in healthcare services, medical products, and equipment. The processing must have a basis in legislation.
Example
A public health authority processes data on citizens’ health and vaccination statuses to monitor and control the spread of a contagious disease. This processing is essential to protect public health during an epidemic.
Dual Legal Basis:
- Article 6(1)(e): Public Authority Tasks
- Article 9(2)(i): Public Health
Archiving and Research
Article 9(2)(j)
Sensitive personal data can be processed for archiving purposes in the public interest, scientific or historical research, or statistical purposes. The purpose must be clearly defined, necessary to meet a significant societal need, and based on legislation. Processing must also include appropriate safeguards to protect the rights and privacy of the individuals concerned, such as data minimisation or pseudonymisation.
Example
A university collects and processes health data from a large group of participants as part of a research project studying the long-term effects of a specific medical treatment. The data is used exclusively for scientific purposes, and participants' identities are protected through pseudonymisation.
Dual Legal Basis:
- Article 6(1)(e): Public Authority Tasks
- Article 9(2)(j): Archiving and Research
Summary
This article has outlined the various legal bases you can rely on to process sensitive personal data, as well as the concept of dual legal basis.
It is intended as a guide to help you identify the appropriate legal basis for your data processing activities. For more detailed information, we recommend reviewing the full text of Article 9 in the GDPR to ensure you understand the exact wording and requirements for each legal basis.
.jpg)
.jpeg)
.jpg)
.jpg)
.jpg)
-1.png)
.jpeg)
.jpg)
