Special types of personal data

On this page: sensitive personal data, sensitive data, special category, special categories, politics, race, ethnicity, religion, philosophy, dna, genetics, genes, fingerprint, physical condition, mental illness, sexual identity, gender identity
Date of last review: 2023-10-02

A few special types of personal data are worth taking note of are special categories of personal data, and otherwise sensitive personal data. These types of personal data have additional requirements. If you want to process them, please contact your privacy officer first.

Special categories of personal data

The GDPR explicitly defines eight “special categories of personal data”. Personal data of these types are extra sensitive, because they can be used to discriminate or exclude people. The following types of personal data are defined as “special categories”:

  • racial or ethnic origin (e.g., this could also be a combination of name and country of origin, but not necessarily pictures or videos)
  • political opinions (in the broadest sense, not only membership of a political party)
  • religious or philosophical beliefs (this does not have to be an “official” religion)
  • trade union membership
  • genetic data (e.g., DNA, rec. 34)
  • biometric data, but only when meant to uniquely identify someone (e.g., fingerprints, iris scans)
  • data about physical or mental health in the broadest sense (including indications, diagnoses and treatments, rec. 35)
  • sex life or sexual orientation (including gender identity)

It is in principle prohibited to process these types of personal data, unless an exception applies (art. 9). For research, the following exceptions to this prohibition are the most relevant:

  • Data subjects have made the data publicly available themselves

    You can use special categories of personal data when data subjects have made those data publicly available themselves. It must concern truly public sources (e.g., TV, newpaper, public social media, blogs, etc.) where the data subject does not expect (some) privacy. Moreover, the data subject must have intended to disclose the personal data “as special categories of personal data”.

    An example: if someone writes in their blog that they have been voting for a certain political party all their life, they are consciously making that information public. If someone is confined to a wheelchair and posts a holiday selfie (with a wheelchair) on a social medium, it is not about their disability, but about their holiday. Special category personal data derived from this are still protected by the processing ban. The same applies, for example, to personal data that can be derived from combining various separate data sources.

    Publicly accessible special personal data of well-known personalities (celebrities, politicians, etc.) may be processed, whether those data have been made public by the person in question or by someone else.

  • Data subjects have provided explicit consent to process these data for a specific purpose
    If data subjects have provided explicit consent which satisfies the GDPR criteria for valid consent, then you can use the personal data in your research project.
  • Processing is necessary for scientific research purposes and consent is impossible or unreasonably difficult
    If you are using the special categories for scientific research purposes (incl. historical and statistical purposes), and it is impossible or would take an unreasonable amount of effort to obtain explicit consent (UAVG art. 24), you can use the data in your research. If this is the case, you must substantiate this danger to your project and take additional protection measures. Obtaining consent could take an unreasonable amount of effort, for example, in:
    • large-scale archival research into living people from whom you cannot obtain all or up-to-date contact details
    • webscraping or other big data research, in which the time investment to obtain consent is out of proportion
    • fieldwork outside Europe. In many non-European communities, placing a signature on a consent form is not trusted. Sometimes people also have very poor reading skills. Proving consent is then virtually impossible
    • research within more or less private social media groups.

Even if you can invoke one of these exemptions, special categories of personal data warrant additional security measures to make sure they are protected. Always contact your privacy officer if you intend on using these types of data.

The Dutch Code of Conduct for Health Research (p.68) specifies a number of exceptions for health researchers in which explicit consent for processing special categories of personal data may not be necessary.

Data that are otherwise sensitive

Other types of data can also be sensitive, because they can carry higher risks for the data subjects. These types of data can either not be processed at all, or only under certain circumstances. Either way, they require additional security measures. Always contact your privacy officer if you intend on using these types of data.

Examples are:

  • Financial data
  • Data about relationship problems
  • Data that can be misused for identity fraud, such as the Dutch Citizen Service Number (BSN). The BSN can only be used when legally necessary. Since this is not the case for scientific research, using BSN in research is in most cases forbidden.
  • Criminal data or data about criminal convictions. These can only be processed under governmental supervision or when a derogation exists in national legislation (art. 10). For scientific research, more or less the same regime applies for these data as for special categories of personal data. This means that you are allowed to use them for your study if one of the exceptions mentioned for special categories of personal data applies.