GDPR: Sensitive Data Should not be Confused with Confidential Data

Key Takeaways

The concept of “sensitive data” is often confused with confidential data. Yet, under data protection law, these two expressions are not synonymous. How data is classified will determine which compliance obligations apply.


The GDPR provides enhanced protection for sensitive data. However, the notion of “sensitive data” is frequently confused with confidential data. These two expressions are not synonymous under data protection law.

While sensitive data is defined and governed by Article 9 of the GDPR, the Regulation does not, as such, recognize “confidential data” as a separate legal category. Confidentiality nevertheless lies at the heart of the framework.

This distinction between sensitive data and confidential data is not merely theoretical. For data controllers, it helps avoid two common mistakes: incorrectly classifying as “sensitive” data that actually falls within a high-security category, or conversely, underestimating the specific constraints attached to the categories of data referred to in Article 9 of the GDPR. Properly distinguishing between these concepts makes it possible to structure compliance more effectively, prioritize risks more accurately, and better secure processing activities.

The purpose of this article is to clarify the distinction between sensitive data and confidential data and the resulting compliance implications.


1. Sensitive Data: Data Specifically Regulated by the GDPR

    1.1 Categories of Data Covered by Article 9 of the GDPR

The notion of sensitive data is not based simply on a certain level of confidentiality or a general assessment of criticality. It is a category of data specifically defined by Article 9 of the GDPR.

It includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, and data concerning health, sex life, or sexual orientation.

Accordingly, data is classified as “sensitive” because it falls within one of the categories identified by the text. This classification has immediate consequences in terms of governance.

    1.2 Health Data at the Core of Sensitive Data

Among these categories, health data occupies a central place, since it directly affects a person’s private sphere and may create significant risks in the event of unauthorized access, disclosure, or misuse.

Health data includes personal data relating to the physical or mental health of a natural person, whether past, present, or future, including the provision of healthcare services, insofar as such data reveals information about that person’s health status.

This category also includes test results, information about a medical condition, a disability, sick leave, a course of treatment, as well as certain information collected through an online health application.

    1.3 Other Categories of Sensitive Data

It would, however, be reductive to equate sensitive data solely with health data.

Article 9 of the GDPR also lists data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership.

Like health data, these categories of data may create significant risks, particularly in terms of discrimination or harassment, in the event of unauthorized access, disclosure, or misuse.

Accordingly, an online form collecting information about trade union membership, an HR platform processing certain biometric data for identification purposes, or a community service displaying religious beliefs or political opinions may also involve the processing of sensitive data, even outside the healthcare sector.

    1.4 The Processing of Sensitive Data Is Prohibited, Subject to Exceptions

As a matter of principle, the processing of sensitive data is prohibited unless one of the exceptions provided for by the GDPR applies.

Generally speaking, the processing of sensitive data will be lawful, in particular, in the following cases:
- where the data subject has given explicit consent to the processing for one or more specified purposes; (1)
- where the processing is necessary for the purposes of employment law, social security, and social protection;
- where the processing is necessary to protect the vital interests of the data subject, where the data subject is physically or legally incapable of giving consent;
- where the processing is carried out in the course of the legitimate activities of a foundation, association, or other not-for-profit body with a political, philosophical, religious, or trade union aim and relates to its members or former members;
- where the processing relates to personal data which are manifestly made public by the data subject;
- where the processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity; or
- where the processing is necessary for the purposes of preventive medicine or occupational medicine, provided that such data is processed by a health professional subject to an obligation of professional secrecy.

    1.5 A Heightened Security Obligation

As with any personal data, data controllers must implement appropriate technical and organizational measures when processing sensitive data in order to ensure a level of security adapted to the risk. A data protection impact assessment (DPIA) must also be carried out before sensitive data is processed.

Health data differs from other categories of sensitive data because additional requirements apply, particularly with respect to hosting on digital media. The French Public Health Code provides that any person hosting personal health data collected in connection with prevention, diagnosis, care, or social and medico-social follow-up activities, on behalf of the producer of that data or of the patient, must do so under the conditions set out in Article L.1111-8 (HDS-certified hosting provider). (2)

By contrast, other categories of sensitive data are not, in principle, subject to an equivalent framework; they mainly fall under the general GDPR regime, together with heightened security measures.


2. The Concept of Confidential Data

    2.1 Confidential Data Is Not Necessarily Sensitive

Although sensitive data is generally confidential, confidential data is not necessarily sensitive.

Unlike sensitive data, the concept of confidential data is not defined by the GDPR as a specific legal category. The Regulation provides no list of “confidential data” comparable to that set out in Article 9. The concept of confidentiality is, however, mentioned repeatedly throughout the Regulation.

The GDPR requires personal data to be processed in a manner that ensures its integrity and confidentiality. It requires organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Confidentiality should therefore be understood first and foremost as a security requirement.

    2.2 Confidentiality: a Security Requirement

Accordingly, data is not “confidential” because it belongs to a category defined by the GDPR, but because access to it, its use, or its disclosure must be strictly controlled through appropriate technical and organizational measures. Conversely, sensitive data will in practice require a high level of confidentiality. The two concepts may therefore overlap, but they are not the same: one is a legal classification, the other a security and governance requirement.

Data may be confidential not because of its nature under the GDPR, but because access to it, its circulation, or its disclosure must be strictly controlled.

This is the case, for example, for login credentials, bank account details, an HR file, a contract, or an internal exchange concerning a security vulnerability. This data is not “sensitive” within the meaning of Article 9, yet it still requires a high level of protection, either because it exposes the data subjects or because it creates a significant risk for the organization responsible for processing it.

Accordingly, confidentiality is fundamentally about access control. The issue is not only to determine what kind of data is involved, but also who may access it, under what conditions, for what purpose, with what safeguards, and with what traceability. This is why confidential data is, in practice, subject to heightened security measures including access rights management, segregation of duties for authorized personnel, authentication, logging, the control of remote access, and incident management procedures.


3. Compliance: Validate the Data, then Adjust Security Measures

For controllers, in a “privacy by design” approach, the right reflex is to reason in several steps:

    a. Legally classify the data: is it ordinary personal data, confidential personal data, or sensitive data within the meaning of Article 9 of the GDPR? If it is sensitive data, does the processing rely on one of the exceptions provided for by the GDPR?

    b. Determine the level of security and confidentiality to be applied: is hosting subject to specific regulatory constraints, which staff members need access to the data, what restrictions must be implemented, how can unauthorized disclosure be prevented, and how should an incident be detected and handled?

This approach helps avoid classification errors, prioritize risks more effectively, and build a more robust compliance framework, both from a documentation standpoint and from an operational standpoint.


In conclusion, the distinction between sensitive data and confidential data must be clarified from the outset in any digital project. Defined in Article 9 of the GDPR, sensitive data falls within a specific legal classification.

As for confidential data, it does not constitute an autonomous category under the GDPR. Confidentiality should instead be understood as a security requirement, directly linked to the principle of integrity and confidentiality and to the obligation to implement technical and organizational measures appropriate to the risk.

* * * * * * * * * * *

(1) As regards the concept of the data subject’s explicit consent in relation to sensitive data, it should be noted in particular that where health data or data concerning sexual orientation may be disclosed in the course of a service, it is not sufficient that the person speaks freely. A positive expression of explicit consent is required. This must be accompanied by specific information regarding the sensitive nature of the data and the use made of it. CNIL decisions SAN-2024-014 and SAN-2024-015 of September 26, 2024 (in French).

(2) https://esante.gouv.fr/ens/offre/hds

Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

April 2026