While the GDPR imposes strict rules on sensitive data processing, gender identity does not automatically fall under this category. Only personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a natural person, health data, and data concerning a natural person’s sex life or sexual orientation are explicitly protected as sensitive data by the GDPR. Consequently, the European Court of Justice (C-184/20 of August 1, 2022) only qualified circumstantial personal information (in this case, name-specific data relating to the spouse, cohabitee or partner of a person) as sensitive data when it indirectly discloses the sexual orientation of a natural person (i.e., applying a derivative protection approach).
Robust legal protection of gender identity can still be constructed using the tools of the GDPR. To achieve this, we must distinguish between gender identity and biological sex. While gender identity is chosen by the data subject and can therefore only be reliably collected from that person, biological sex is not a matter of self-identification. These two categories of data must be examined separately in order to meaningfully assess the permissibility of their processing.
The challenge of processing data on gender identity
Collecting data on gender identity is relevant, for example, for addressing a person correctly. The key aspect of gender identity is that it can be chosen by the person concerned and can be changed at any time. If a company disregards a data subject’s explicit specification of a certain gender identity and processes a different gender identity for processing purposes where biological sex is not relevant, it violates the principle of data accuracy under the GDPR. This violation can also raise doubts about the legal basis of the processing, especially concerning the legitimate interests assessment as per Art. 6(1)(f) GDPR, as it can be doubted whether the company can claim to have a legitimate interest in processing incorrect information. This consideration does not apply where data on biological sex is necessary for the relevant processing purposes (e.g. pension and certain benefits administration, equal pay audits and health and safety).
The practical challenge is the lack of distinction between gender identity and biological sex in current business processes and most standard software. Failing to differentiate between these categories where relevant could in itself constitute a GDPR violation. Inadequate identification of the specific category of data collected and the resulting lack of clarity within the company about the legal framework for processing this data may breach both the principle of data accuracy and the principle of fair processing under the GDPR. This applies even more where a company actively promotes vis-à-vis employees the possibility of specifying one’s gender identity.
Lack of options regarding gender
Companies that collect data on gender identity under the category “gender” often disregard the fact that there are also persons whose gender identity is neither female nor male and that it must therefore also be possible to specify a gender identity other than these two. For example, software used for addressing customers should, where possible, allow individuals to select an appropriate honorific title, whether Mr, Ms, or another option.
Under the GDPR, companies that fail to implement the necessary distinction between gender identity and biological sex in their processes and IT systems, especially when actively offering employees the possibility to specify their respective gender identity, therefore risk incurring a fine. The same potentially applies to companies that disregard a request from a data subject to correct their gender identity. For these violations, the fine can reach up to EUR 20 million or up to 4% of the global group turnover. In addition, the data subject may under certain circumstances claim non-material damages by filing a civil lawsuit if they have suffered a corresponding emotional or psychological impairment as a result of the disregard for their gender identity or the confusion of gender identity and biological sex.
The protection of gender identity under data protection law is all the more topical now that the European Court of Justice (C-394/23 of April 29, 2024) had to answer the question of whether the collection of the civil titles (“Mr” or “Ms”) is contrary to the minimization principle, following a lawsuit filed by the Mousse Association, representing 64 individuals, against France’s national state-owned railway company’s practice of requiring passengers to choose between the civil titles “Mr” or “Ms” when purchasing train tickets. If the association wins the case, private and public organizations in the 27 European Union States could have to stop collecting gender markers when it is unnecessary or provide an option for non-binary persons in their forms.
Inclusion as an added value for business
Implementing changes to business processes and IT systems can be time-consuming and resource-intensive. However, both from a legal and ethical perspective, it’s essential to recognize that individuals from minority groups require special consideration. Moreover, the added business value of diversity and inclusion should not be underestimated; companies with more diverse workforces are more likely to outperform their competitors. To operate in a legally compliant and ethically sound manner as well as be equally attractive to all persons regardless of their gender identity, companies must proactively address this challenge.
This is the final post in our three-part blog series.