Current ECJ decision on “Indirect Identification of Sensitive Data”

Under data protection law, we distinguish between “normal” personal data and data requiring special protection, such as health data or data on sexual orientation. For this special category of personal data, the GDPR has long provided for a general ban on processing.
On 1st August 2022, the European Court of Justice has now given an important ruling on this issue, clarifying that the scope of “special categories of personal data” is to be defined very broadly.
The ECJ ruled in this case C-184/20 as follows:
Taken in isolation, the data in question does not constitute sensitive data within the meaning of Article 9(1) of the GDPR. However, it is possible that data on the sexual orientation of the data subjects can be derived from name-related data on the spouse, cohabitant or partner by deduction and mental combination. This means that these basic data also falls within the scope of Article 9 of the GDPR.
Finally, the ECJ advocates a broad interpretation of sensitive data with reference to the protective idea of the regulation of Art. 9 GDPR. Name-related data on spouses, cohabitants or partners are classified as sensitive data within the meaning of Article 9(1) of the GDPR, as they are considered capable of “indirectly revealing the sexual orientation of a natural person”.
The ECJ’s decision thus extends the scope of application of Art. 9 GDPR in the specific case to “indirectly sensitive data”: i.e. not only sensitive data itself is subject to Art. 9 GDPR, but also data that indirectly allows the inference of sensitive information.
The provisions of Art. 9 GDPR also apply to data that only indirectly allows an inference to special categories of data. Persons responsible in the company must take this principle sufficiently into account in the context of data processing processes in the company.