Sensitive data are subject to a particularly strict ban on processing (Art. 9 GDPR). There are only a few legal grounds in the GDPR that directly legitimise the processing of sensitive data. More often, a specific legal ground in Member State law (or in Union law) is required. The permissibility of processing sensitive data is thus largely left to Member State law. Depending on how one counts, there are 11 opening clauses in the GDPR for this:
Art. 9 II a: Providing that the prohibition of processing sensitive data may not be lifted by the data subject
Art. 9 II b: Employment, social security and social protection law
Art. 9 II g: Substantial public interest
Art. 9 II h: Preventive or occupational medicine, assessment of working capacity of the employee, medical diagnosis, health or social care systems
Art. 9 II i: Public interest in the area of public health
Art. 9 II j: Archiving purposes in the public interest
Art. 9 II j: Scientific and historical research purposes
Art. 9 II j: Statistical purposes
Art. 9 III: Obligation of professional secrecy
Art. 9 IV: Genetic, biometric or health data
Art. 10: Data relating to criminal convictions and offences