
1. Introduction

In recent decisions, the Court of Justice of the European Union (CJEU) has clarified its interpretation of what constitutes “sensitive” (or special category) data under the GDPR. These rulings provide valuable guidance as even seemingly standard data processing may involve sensitive data – and thus be prohibited – under Art. 9(1) of the GDPR, unless an exemption applies. Consequently, it is essential for businesses to carefully assess whether the personal data they process qualify as sensitive.

Art. 9(1) of the GDPR prohibits the processing of “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

A key challenge in applying Art. 9(1) of the GDPR lies in distinguishing between “regular” personal data and sensitive data when regular data might indirectly reveal characteristics that fall within the special categories. The CJEU has recently delivered three significant rulings that clarify this distinction:

  • OT v Vyriausioji tarnybinės etikos komisija, 1 August 2022, (Case C-184/20) (hereafter “OT Case”),
  • Meta Platforms v Bundeskartellamt, 4 July 2023, (Case C-252/21) (hereafter “Meta Platforms Case”), and
  • ND v DR, “Lindenapotheke”, 4 October 2024, (Case C-21/23) (hereafter “Lindenapotheke Case”).

In these rulings, the CJEU has clarified that “revealing” does not require explicit disclosure; rather, the mere possibility of inferring or deducing protected characteristics from personal data triggers the prohibition of Art. 9(1) of the GDPR, unless an exemption under Art. 9(2) applies. We examine these rulings below and consider their practical implications for data controllers and processors.

2. The CJEU’s latest significant rulings on sensitive data

  • OT Case

In this case, the CJEU examined whether publishing private interest declarations on the Lithuanian Chief Official Ethics Commission’s website involves processing special category data when information such as spouse or partner names could indirectly reveal sexual orientation.

The CJEU ruled that data enabling the inference of sensitive characteristics through an intellectual operation involving comparison or deduction (§120) qualifies as special category data. Consequently, spouse or partner names fall under Art. 9(1) of the GDPR because they could reveal information about sexual orientation.

  • Meta Platforms Case

At issue in this case was whether user data from website visits, apps, and social networks – including browsing data and registration information – should qualify as sensitive data, particularly when users visited health-related or religious websites.

The CJEU emphasized that the decisive factor is whether the data could potentially reveal information falling within any special categories, even indirectly. It ruled that such personal data qualify as sensitive regardless of the controller’s intent to process sensitive data or the potential inaccuracy of the revealed information.

  • Lindenapotheke Case

In the very recent Lindenapotheke Case, the CJEU examined whether the sale of non-prescription, pharmacy-only items online – requiring processing of the buyer’s name, address, and purchased items – reveals sufficient information about a user’s health status to trigger application of Art. 9(1) of the GDPR.

Consistent with its previous rulings in the OT and Meta Platforms Cases, the Court confirmed that health data could be revealed “by means of an intellectual operation involving collation or deduction”. The Court held that order details may establish a link between a medicinal product, its therapeutic uses, and an identifiable person through their name or delivery address. Such a link therefore triggers qualification as sensitive data.

The Court reiterated and clarified that the following factors do not affect qualification as special category data:

  • the data controller’s intent to obtain special category data;
  • that the products are non-prescription, as factors such as the severity of potential health issues that may be revealed do not affect whether they qualify as special category data;
  • the possibility that the data might be inaccurate; even though products might be ordered for someone else, the data still qualifies as special category when there is a probability of personal use.

3. Practical implications of the CJEU’s case-law

The CJEU has established a clear principle: data qualify as sensitive if they enable deduction of protected characteristics through intellectual reasoning. The controller’s intent, the probability of such deductions being made, and the accuracy of these deductions are all irrelevant. While this interpretation robustly protects data subjects’ rights, it can be argued that it creates some uncertainty for data controllers and processors. Nonetheless, we see the following practical implications:  

  • If you are a trader: consider whether you sell or provide “sensitive” goods or services. Offering goods or services online that relate to “sensitive characteristics”, such as health, religious or political beliefs (like halal or kosher products, over-the-counter personal care products, political merchandise), may entail processing sensitive data (for example, during the ordering or shipping process). Since distinguishing between “ordinary” and “sensitive” items can be complex, traders should carefully assess whether their products and services might trigger sensitive data processing.
  • If you are an online platform: identify whether advertising for sensitive goods or services is displayed on your platform. The Digital Services Act¹ (“DSA”) introduces new rules that build upon the GDPR’s concept of sensitive data. Under Art. 26, §3 of the DSA, online platform providers are prohibited from presenting advertisements based on profiling using sensitive data – with no possible exemptions. Because user interest in sensitive goods or services shown through online behaviour may constitute sensitive data, platforms must exercise caution when displaying behavioural or targeted advertising for products with ties to sensitive characteristics.
  • In any case, identify your role in the processing activity potentially involving sensitive data. If you process sensitive data, you must establish your specific role to determine whether additional obligations apply. The CJEU and European Data Protection Board (“EDPB”) have clarified the concepts of “controllers” and “processors” through case law and guidelines. On the same topic, you can read our article on the IAB Europe case to learn more about controllership.
  • In any case, identify if you need to implement new appropriate safeguards and additional measures. If you are processing sensitive data as a controller, you will need to take into account additional obligations under the GDPR, and, possibly, under national laws supplementing the GDPR. For instance, you will need to ensure that you rely on one of the exemptions under Art. 9(2) of the GDPR. You should also update your documentation (including your record of processing activities (“ROPA”) and privacy policies) to include these processing activities.

Do not hesitate to contact our Baker McKenzie experts for assistance in navigating the complexities of sensitive data processing.


¹ Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC.

Author

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Juliette is a member of the Information Technology and Communications team and focuses on new technologies, computer technology, internet and telecommunications.