The GDPR provides comprehensive protection for personal data. This is widely known. What is less well understood, however, is that certain categories of data are considered particularly sensitive and are subject to significantly stricter requirements than the standard consent mechanisms typically managed via Consent Management Platforms.
What Article 9 GDPR protects
Article 9 GDPR regulates the processing of specific categories of personal data that require enhanced protection. What matters is not the form in which the data is collected, but the meaning and implications the data may reveal. Article 9 applies not only to information that is explicitly provided, but also wherever sensitive characteristics can be inferred from other data.
The following data categories are considered particularly sensitive under Article 9 GDPR:
- Health data
- Information about a person’s sex life or sexual orientation
- Data relating to ethnic origin
- Political opinions and affiliations, for example trade union membership
- Religious or philosophical beliefs
- Genetic data
- Biometric data
When digital data falls under Article 9 GDPR
Article 9 GDPR does not only apply when sensitive data is explicitly collected. It also applies when digital usage data allows conclusions to be drawn about particularly protected characteristics. The decisive factor is not the data type itself, but the context in which it is processed.
Digital usage data and sensitive inferences
In digital environments, personal data is often generated automatically. This includes page views, URL structures, event names, referrer information, or interaction patterns. Such data is frequently classified as technical or neutral. From a legal perspective, however, it becomes relevant once it is linked to specific content or usage contexts and thereby enables sensitive conclusions to be drawn.
Derivation of sensitive attributes in an online context
Case law makes it clear that merely visiting certain websites or subpages can be sufficient to establish a link to a special category of personal data.
For example, if a user accesses a page such as “headache-relief/ibuprofen-400mg”, the URL alone, when combined with the usage context, may allow conclusions to be drawn about a possible health condition, even if the user does not actively provide any information or purchase a product.
For companies, this means that as soon as digital data, in combination with content, structure, or context, allows a sensitive inference, the processing falls within the scope of Article 9 GDPR. Whether the data is processed for tracking, analytics, or marketing purposes is irrelevant for this legal assessment.
Why consent and downstream measures are not sufficient
Article 9 GDPR permits the processing of special categories of personal data only in very narrowly defined exceptional cases, most notably on the basis of explicit consent. This type of consent is subject to significantly stricter requirements than standard cookie consent and is extremely difficult to implement in a legally robust way in digital environments.
In addition, there is a fundamental technical issue: under the GDPR, processing begins at the moment data is collected. If sensitive references arise at this early stage of processing, they cannot be legitimized retroactively from a legal perspective. When a URL such as “/headache-relief/ibuprofen-400mg” is technically captured, the potential health reference already exists at that very moment, regardless of whether the user later provides consent or additional information.
As a result, downstream measures such as pseudonymization or filtering come too late. Once sensitive personal data has been processed even briefly, the scope of Article 9 GDPR is already triggered.
Technical approach with JENTIS
If sensitive data arises at the point of collection, downstream measures are inherently insufficient. The JENTIS Twin Server technology provides a technical approach that prevents such data from being generated in a sensitive form in the first place.
The original server request is technically intercepted and processed in parallel. From this original request, a “digital twin” with fully neutralized data is created, and only this abstracted data stream is transmitted to external systems such as LinkedIn.
The neutralization is carried out in multiple stages. Content with a potentially sensitive reference is removed or generalized, for example by abstracting URL paths and event names. A page view such as the earlier example “/headache-relief/ibuprofen-400mg” is transformed into a content-neutral signal like “product/article”.
From a legal perspective, the key point is that the scope of Article 9 GDPR is never triggered, because no sensitive personal data is generated in the first place. Third parties never have access to the original data or the transformation logic at any point. They receive exclusively context-neutral interaction data from which no sensitive characteristics can be inferred.
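The generalization step described above can be sketched as a default-deny mapping applied on the first-party server before anything is forwarded. This is an added example, not JENTIS code and not a description of how the Twin Server is implemented; the host name, route table, event map and labels are all assumptions.

```javascript
// Added illustration, not JENTIS code. SITE_HOST, ROUTES, EVENTS and all
// labels are assumptions made for this example.
const SITE_HOST = "shop.example";

// Allowlist: [pattern for the raw path, neutral label forwarded to third parties]
const ROUTES = [
  [/^\/$/, "home"],
  [/^\/cart\/?$/, "checkout/cart"],
  [/^\/[a-z0-9-]+\/[a-z0-9-]+\/?$/, "product/article"],
  [/^\/[a-z0-9-]+\/?$/, "product/category"],
];
const EVENTS = new Map([["page_view", "view"], ["add_to_cart", "cart_add"]]);

function parse(raw) {
  try { return new URL(raw, `https://${SITE_HOST}`); } catch { return null; }
}

// Map a raw URL to a neutral page type; anything unrecognised becomes "other".
function neutralPath(rawUrl) {
  const u = parse(rawUrl);
  if (!u) return "other";
  const path = u.pathname.toLowerCase();
  const hit = ROUTES.find(([re]) => re.test(path));
  return hit ? hit[1] : "other";
}

// Build the only record that may leave the first-party server.
function buildTwin(ev) {
  const ref = ev.referrer ? parse(ev.referrer) : null;
  return {
    event: EVENTS.get(ev.name) ?? "interaction", // custom event names are dropped
    page: neutralPath(ev.url),                   // query string is never copied
    referrer: !ref ? "none" : ref.hostname === SITE_HOST ? "internal" : "external",
  };
}

// Release check: words from the raw event that still appear in the twin.
// A hit means a label echoes raw input and the mapping needs review.
function leakedTokens(ev, twin) {
  const out = Object.values(twin).join(" ").toLowerCase();
  const name = EVENTS.has(ev.name) ? "" : ev.name; // allowlisted names are expected
  const raw = `${ev.url} ${ev.referrer ?? ""} ${name}`.toLowerCase();
  const tokens = new Set(raw.match(/[a-z0-9]{4,}/g) ?? []);
  return [...tokens].filter((t) => out.includes(t));
}

// Constructed sample event using the page's example path
const sample = {
  name: "symptom_checker_done",
  url: "/headache-relief/ibuprofen-400mg?q=migraine",
  referrer: "https://search.example/?q=migraine+tablets",
};
```

The unknown-path and unknown-event fallbacks matter as much as the mappings: a new route or custom event added later is forwarded as "other" or "interaction" until someone classifies it.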
Conclusion
Article 9 GDPR cannot be managed in digital environments solely through consent mechanisms or legal safeguards. The decisive factor is whether technical systems are designed in a way that prevents sensitive personal data from being generated at all. This shifts Article 9 from being primarily a question of legal basis to a question of technical architecture, which can be implemented through specialized solutions such as the patented technology provided by JENTIS.com.