Special Categories of Data
Regulation 2016/679 takes into account special categories of personal data in terms of their impact on the personal sphere of the individual. In addition to sensitive data, including health data, specific provisions are addressed to biometric data and genetic data.
Health data, biometric data and genetic data are the subject of individual definitions [Article 4, points (13), (14) and (15)].
Sensitive Data 
As in Directive 95/46/EC (Article 8), sensitive data are not officially defined but are identified in the provision governing their use (Article 9). This typology is made up of the following categories of data relating to:
Racial and ethnic origin
Political opinions
Religious convictions and other types of convictions
Trade union membership
Genetic data
Health conditions
Sex life
Criminal offenses, restrictive measures or related penal measures.
Legitimate Conditions for Sensitive Data 
Generally speaking, processing of sensitive and judicial data is prohibited. This prohibition, however, is subject to specific exceptions (Article 9) which follow the hypotheses already provided for in Directive 95/46/EC, with certain variants (Article 8).
Biometric Data 
Biometric data are defined as those «relating to the physical, physiological or behavioural characteristics of» a data subject «resulting from specific technical processing» and «which allow or confirm the unique identification of that natural person», such as dactyloscopic data [art. 4 (14)]. A simple photo does not contain biometric data as it is not obtained by means of a «specific technical processing» [Recital (51)].
Genetic Data 
Genetic data are defined as those «relating to the inherited or acquired genetic characteristics of» an individual «which give unique information about the physiology or the health (...) and which result, in particular, from an analysis of a biological sample» [art. 4, (13)].
Health Data 
Health data are specifically defined in art. 4 (15) as information about an individual's health status. The definition specifies that they concern «personal data related to the physical or mental health of a natural person, including the provision of health care services».
Sanction for Sensitive Data Breaches 
Infringement related to the processing of sensitive data (Article 9) is sanctioned with administrative fines of «up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» (Article 83.5).