DSGVO Wissen
GDPR Art. 9

B. The prohibition of processing

What exactly is prohibited, who the prohibition applies to, and what consequences follow from an infringement.

At a Glance

Art. 9(1) prohibits the processing of sensitive data. The prohibition applies in the abstract: it does not depend on whether anyone is actually harmed in the individual case. The type of data alone is enough to trigger it.


I. What exactly is prohibited

The prohibition covers all forms of processing, for example:

  • Collection and storage
  • Reading and analysis
  • Disclosure and publication
  • Erasure and destruction

The processing of metadata is also prohibited if sensitive information can be inferred from it.

What does "from which … may be inferred" mean?

Not every piece of data that incidentally contains something sensitive automatically triggers the prohibition. What is decisive is:

  • a) The data are capable of revealing something sensitive – directly or in combination with other data
  • b) If the controller analyses the sensitive content in a targeted manner, Art. 9 necessarily applies

Important: the Court of Justice of the European Union has clarified that Art. 9 also applies where the processing was unintentional – as soon as the data are objectively capable of revealing sensitive characteristics.


II. Who the prohibition applies to

The prohibition is addressed to controllers – that is, anyone who determines the purposes and means of the processing of personal data:

  • Companies and businesses
  • Public authorities
  • Associations
  • Medical practices
  • Private individuals (insofar as the GDPR applies)

Processors (e.g. IT service providers) are indirectly affected because they may only act on the controller's instructions.

Whose data are protected?

Data concerning living natural persons are protected. Companies and other organisations are not covered.

Territorial scope

Art. 9 applies where:

  • a) the controller or processor is established in the EU, or
  • b) it concerns data of persons in the EU to whom services are offered or whose behaviour is monitored

III. Why the prohibition exists


IV. Consequences of an infringement

For the data subject

Claim | Legal basis
Erasure of data | Art. 17(1)(d) GDPR
Restriction of processing | Art. 18 GDPR
Compensation (including non-material damage) | Art. 82 GDPR

For the controller


Frequently Asked Questions (FAQ)

Does the prohibition apply even if I had no bad intentions?
Yes. The prohibition applies regardless of intent – what matters is the type of data being processed.

What is a "controller"?
Anyone who, alone or jointly with others, determines why and how data are processed.

May an IT service provider process sensitive data?
Only if a controller (e.g. a hospital) has instructed them to do so and the statutory requirements are met.
