Sensitive data has a special status, and its use is, with some exceptions, strictly prohibited. The data controller must therefore be extremely vigilant if they are to handle them.


Sensitive data is very specific personal data. In the event of disclosure, their processing could be detrimental to the persons concerned. According to the CNIL, this information indeed reveals “the alleged racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership” of an individual. Sensitive data also concerns “genetic data, biometric data for the purpose of uniquely identifying a natural person, as well as data concerning the health, sex life or sexual orientation of a natural person”.

The General Data Protection Regulation (GDPR) simply prohibits their collection and use, except in a very specific number of exceptions:

– If the data subject has given explicit consent to the processing of this data for one or more specific purposes,

– If the processing is necessary for the purposes of the performance of the obligations and the exercise of the rights specific to the controller or the data subject in terms of labour law, social security and social protection,

– If the processing is necessary to safeguard the vital interests of the data subject,

– If the processing is carried out, within the framework of their legitimate activities and subject to the appropriate guarantees, by a foundation, an association or any other non-profit organization and pursuing a political, philosophical, religious or trade union purpose,

– If the processing relates to personal data which are manifestly made public by the data subject,

– If the processing is necessary for the establishment, exercise or defense of a legal right,

– If the processing is necessary for reasons of important public interest, on the basis of Union law or the law of a Member State,

– If the processing is necessary for the purposes of preventive medicine or occupational medicine, the assessment of the worker’s ability to work, medical diagnoses, health or social care, or the management of systems and health care or social welfare services,

– If the processing is necessary for reasons of public interest in the field of public health,

– If the processing is necessary for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes.


It should be noted that data relating to offences, convictions and security measures are not considered sensitive data by the GDPR. But they are very strictly regulated by law. Only the courts, certain public authorities and auxiliaries of justice (lawyers, for example) can treat them, as well as the victim legal person within the framework of the defense of its interests.


Multiple obligations for the data controller

As with any personal data, the controller of sensitive data must ensure that the purpose of the processing is adequate, relevant and limited to what is necessary in relation to the purposes it pursues. He must also ensure that the data is processed in a lawful, fair and transparent manner with regard to the persons concerned. Finally, he must put in place reinforced security measures in order to protect them effectively.

The data controller must also check that the free comment areas (also called “notepad areas”), which make it possible to improve the monitoring of a customer file or to personalize a commercial relationship, are used with discernment. The CNIL has already had the opportunity to issue several formal notices and warnings due to the misuse of these text areas. The information collected on individuals must be adequate, relevant and not excessive in relation to the purpose of the processing envisaged, whether automated or in paper format. Comments should therefore not be inappropriate, subjective and insulting.

The CNIL specifies for example: “It seems legitimate for a company to identify customers whose particular situation justifies a moderation or staggering of payments. However, the registration of the reasons is often irrelevant, even excessive. For example, the comment “divorcing”, or “unemployed client” is considered, in certain circumstances, to be inappropriate, irrelevant and excessive”.


The special case of research work

However, certain processing operations implemented in scientific research work relate to categories of sensitive data. Some processing necessary for conducting studies on measuring the diversity of origins may thus relate to objective data, such as the language spoken or geographical origin within a national territory. However, as the Constitutional Council has ruled, they cannot be based on ethnic origin or so-called “race”.

It is also possible to collect subjective data (example: the “feeling of belonging”, via questions on self-image or experiences of discrimination and the gaze of others) if this is not intended, directly or indirectly, to classify respondents according to either their declared ethnic or supposedly racial origin, or an ethno-racial reference.

Researchers must also take care not to transform data that is a priori non-sensitive into sensitive data. Research on the geolocation of vehicles could indeed reveal real or supposed political beliefs, religious beliefs and/or data relating to health by studying travel habits and parking in the car park of particular places (premises of a political party, attendance at places of worship, etc.).

In all cases, persons who have entrusted sensitive data to anybody, whether in the context of research work or not, must have, at any time, a right of access, erasure and opposition. The CNIL is particularly vigilant about sensitive data. Illegal use of this data exposes any offending company to penalties of up to 4% of its turnover.