Sensitive data and GDPR

What type of data is sensitive?

Sensitive data is classified information that must be protected from unauthorized access. Sensitive data can be accessible to outside parties ONLY with expressly granted permissions. The main types of sensitive data are human, ecological (e.g. location of endangered species), and confidential data.

Sensitive personal data is any data that reveals:

  • racial or ethnic origin, political opinions, religious or philosophical beliefs,

  • trade-union membership,

  • genetic data, biometric data processed solely to identify a human being,

  • health-related data,

  • data concerning a person’s sex life or sexual orientation.

Sensitive personal data is subject to specific processing conditions according to the GDPR.

To learn more, see: Definition of Sensitive Data

What is personal data?

Personal data is any information related to an identified or identifiable living individual. Personal data can also be different information that can lead to the identification of one person when collected together.

Examples of personal data are:

  • a name and surname;

  • a home address;

  • an email address;

  • a social security number;

  • location data (for example, the location data function on a mobile phone);

  • an IP address;

  • a cookie ID.

What is the difference between sensitive personal data and personal data?

Sensitive personal data is a specific set of “special categories” of personal data that must be treated with extra security. To learn more, see: Definition of Sensitive Data.

What is the GDPR?

The General Data Protection Regulation is a European Union (EU) data privacy and security law that regulates the management and processing of personal data.

It defines:

  • what is personal data

  • what is data processing

  • what are the roles of all the parties involved (Data Controller, Data Processor, Data Subject)

  • key principles that regulate EU data protection

Any organization that stores or processes personal information regarding EU citizens is obliged to comply with the GDPR.

What are the roles of CSC and its service users under GDPR?

In GDPR terms, CSC is always a data processor acting on behalf of a data controller. GDPR also requires that this relationship be established in writing. Therefore, the data controller (a group leader, researcher, research organization or their legal representative) needs to sign the Data Processing Agreement, a legal contract, with CSC. CSC never acts as a data controller, but our services give CSC users all the instruments necessary to manage access to sensitive data. The CSC service user remains fully responsible for the data and is required to choose a service that complies with the security level needed for the data.

I am not sure if the data I am working with is sensitive or not. Where can I find support?

You can write to (email subject: Sensitive Data) describing your research and the data you are working with (e.g. providing your Data Management Plan, DMP). You can also contact the legal services or Data Protection Officer in your own organization. They can give you more details about your organization's policies.

What type of sensitive data can I process with CSC Sensitive Data Services?

Any type of sensitive data consented for research. Note: currently, it is not possible to process registry data, as CSC Sensitive Data Services have not yet been certified to fulfill the requirements of the Finnish Health and Social Data Permit Authority, Findata.

What type of documentation do I need to provide to use CSC Sensitive Data Services?

You need to have a CSC project with specific settings to use our services. When creating a new project in MyCSC, you are guided to sign a Data Processing Agreement (DPA) and describe the type of data you are processing in the description of processing activities form. You can also download the DPA and share it with the legal services in your organization or the Data Controller's legal representative. If you have any questions about these documents, or if additional legal agreements are needed between your organization and CSC, write to (email subject: Sensitive Data).

Last update: April 4, 2022