Sensitive data: A GDPR sensitivity

Sensitive data cannot in principle be collected. However, there are exceptions to the rule that require special security.


According to the CNIL, sensitive data is any “Information concerning:

  • racial or ethnic origin,
  • political, philosophical or religious opinions,
  • trade union membership,
  • health or sex life.

In principle, sensitive data can only be collected and used with the individuals explicit consent.»

philosophical opinion GDPR

Nota bene: philosophical opinion-opinion is a sentiment, a judgement, whereas philosophy concerns all conceptions concerning the principles of beings and things, the role of man in the universe, God, history and, in general, all the great problems of metaphysics.

  • In other words and in a short way, it is all that will allow you to determine the person opinions on the concepts which surround us and which make us (humanity, things, metaphysical problems, universe, God…)

Processing sensitive data

As a matter of principle, it is prohibited to collect such data.

But as everyone knows, there are exceptions to every principle…

Exceptionally, it will be possible to collect this data as soon as your situation corresponds to one of the following:

  • You have obtained express consent from the concerned person, that is, written, clear and explicit consent. In other words, you have obtained unambiguous consent.

consent sensitive date

  • These data are necessary for a medical purpose or for research related to the health field. For example, it is necessary to know a person’s blood type in order to treat him.

medical necessity GDPR

  • The use that you make of these data is of public interest or authorized by the CNIL.

public authority GDPR

  • If the sensitive data concerns a member or an adherent of an association/ political organization/ religious/ philosophical/ political/ trade union.

authorization to collect sensitive data

Only in these four cases you will be allowed to be in possession of sensitive data.

WARNING: you are in possession of data relating to criminal offences? Although the law does not classify them directly as sensitive data, they are subject to the same protection. Be careful!

Criminal offense GDPR

Sensitive data: to do list

In addition to the complex collection of these data, it must be known that once they have been collected, they must benefit of a special security.

sensitive data to do list

Do to list if you have sensitive data:

  • MANDATORY implementation of a PIA
  • Establishment of an adequate protection for this category of data

To learn more about how to effectively protect your websites / web applications.

Do you want to go further the processing of your sensitive data within your company? Take advantage of our GDPR 2.0 training! The Ziwit Academy provides a complete training divided into 8 modules for a perfect understanding of the GDPR.



Your email address will not be published.