The IT Law Wiki


Cloud computing[]

Sensitive data is

[a]ny classified, personal, proprietary or confidential information or data of any form, nature or structure, that can be created, uploaded, inserted in, collected or derived from or with cloud services and/or cloud computing whose access, use, disclosure or processing is subject to restriction either by applicable law or contract.[1]

EU Directive on the Protection of Personal Data[]

Sensitive data is

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning health or sex life.[2]

Federal Trade Commission[]

Sensitive data is

at a minimum, data about children, financial and health information, Social Security Numbers, and certain geolocation data. . . .[3]


Sensitive data is

personally identifiable information about health, financial activities, sexual behavior or sexual orientation, social security numbers, insurance numbers, or any government-issued ID numbers.

Law enforcement[]

Sensitive data is

[i]nformation pertaining to significant law enforcement cases currently under investigation and criminal intelligence reports that require strict dissemination and release criteria.[4]

Overview (EU Directive on the Protection of Personal Data)[]

The prohibition on the processing of sensitive data does not apply if:

(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or

(b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or

(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.[5]