TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. Special Category Data Under GDPR: A Complete Guide
Legal Compliance

Special Category Data Under GDPR: A Complete Guide

Learn what special category data is under GDPR, the legal bases for processing it, and how to protect sensitive personal data in your business.

TermsBox Team|April 3, 202612 min read

Special category data is one of the most regulated areas of data protection law. If your business collects health information, biometric identifiers, data revealing religious beliefs, or any of the other categories the GDPR classifies as sensitive, you face stricter legal requirements than for ordinary personal data.

This guide explains what special category data is, which legal bases allow you to process it, what safeguards you need, and how to document your compliance. This content is educational and does not constitute legal advice. Consult a qualified data protection attorney for guidance specific to your situation.

What Is Special Category Data?

Special category data is personal data that the GDPR (Regulation 2016/679) treats as inherently sensitive because of the risks its misuse poses to fundamental rights and freedoms. Article 9(1) of the GDPR defines special category data as data revealing or concerning:

  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership
  5. Genetic data (data relating to inherited or acquired genetic characteristics)
  6. Biometric data when processed to uniquely identify a person (fingerprints, facial recognition, iris scans)
  7. Health data (physical or mental health conditions, healthcare provision)
  8. Sex life or sexual orientation

The general rule under Article 9(1) is straightforward: processing special category data is prohibited unless one of the specific exemptions in Article 9(2) applies. This is a stronger default position than for ordinary personal data, where processing is permitted as long as you have a valid legal basis under Article 6.

The term "special categories of personal data" is the official GDPR language. You may also see it called "sensitive personal data," which was the terminology used under the earlier Data Protection Directive (95/46/EC). Both refer to the same concept, though the GDPR expanded the list to explicitly include genetic and biometric data.

Why Special Category Data Gets Extra Protection

The rationale for additional protection is that misuse of this data can lead to discrimination, social exclusion, or physical danger. Consider the consequences of unauthorized disclosure.

A health insurer accessing genetic data could discriminate in coverage decisions. An employer learning about an employee's political opinions or trade union membership could make biased decisions about promotion or termination. A government accessing religious affiliation data could enable persecution.

Recital 51 of the GDPR states that special categories of personal data "merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms" of individuals. This is not a theoretical concern. The European Data Protection Board (EDPB) has issued multiple guidelines addressing real-world scenarios where special category data was mishandled, including cases involving employee health monitoring, facial recognition in public spaces, and political profiling.

Legal Bases for Processing Special Category Data

Processing special category data requires meeting two legal thresholds simultaneously. You need a lawful basis under Article 6 of the GDPR (such as consent, legitimate interest, or contractual necessity) and you need an exemption under Article 9(2). Neither alone is sufficient.

Article 9(2) provides 10 exemptions. The most commonly used in business contexts are:

Explicit consent (Article 9(2)(a))

The data subject has given explicit consent to the processing for one or more specified purposes. This is a higher bar than regular consent under Article 6(1)(a). Explicit consent must be:

  • A clear, affirmative statement (not inferred from silence or pre-ticked boxes)
  • Specific to the sensitive data being processed and the purpose of processing
  • Separate from other consents (not bundled into a general terms acceptance)
  • Documented and verifiable
  • Withdrawable at any time without detriment

Employment, social security, and social protection (Article 9(2)(b))

Processing is necessary for obligations and rights in the field of employment law, social security, or social protection. This covers scenarios like processing employee health data for sick leave administration, disability accommodations, or occupational health assessments. Member State law must authorize this processing and provide appropriate safeguards.

Vital interests (Article 9(2)(c))

Processing is necessary to protect the vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving consent. This applies in genuine emergencies, such as a hospital processing health data for an unconscious patient.

Substantial public interest (Article 9(2)(g))

Processing is necessary for reasons of substantial public interest, based on Union or Member State law. This exemption is used by public authorities and organizations carrying out tasks in the public interest, such as fraud prevention, equality monitoring, or regulatory compliance.

Health and social care (Article 9(2)(h))

Processing is necessary for purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care, or management of health or social care systems. This exemption requires processing by or under the responsibility of a professional subject to medical confidentiality obligations.

Archiving, research, and statistics (Article 9(2)(j))

Processing is necessary for archiving in the public interest, scientific or historical research, or statistical purposes. Article 89(1) requires appropriate safeguards, including data minimization and, where possible, pseudonymization.

Examples of Special Category Data in Practice

Understanding the categories in abstract terms is one thing. Recognizing them in your actual data flows is where compliance becomes practical.

Health data

This category is broader than many businesses realize. Health data includes:

  • Medical records and diagnoses
  • Prescription information
  • Fitness tracker data (heart rate, sleep patterns, calorie intake)
  • Sick leave records maintained by employers
  • Insurance claims related to medical treatment
  • Disability status
  • Mental health information

The Court of Justice of the European Union (CJEU) confirmed in Case C-184/20 (Vyriausioji tarnybin\u0117s etikos komisija, 2022) that data which indirectly reveals health information can qualify as special category data, even when the data was not collected for health-related purposes.

Biometric data

Biometric data only qualifies as special category data when it is processed for the purpose of uniquely identifying a natural person. This includes:

  • Fingerprint scans used for authentication
  • Facial recognition templates
  • Voice recognition profiles
  • Iris or retinal scans
  • Behavioral biometrics (gait analysis, keystroke dynamics) when used for identification

A photograph alone is not automatically biometric data. It becomes biometric data when processed through facial recognition software to extract a unique biometric template, as clarified in Recital 51.

Racial and ethnic origin data

This extends beyond explicit racial categories. Data that indirectly reveals racial or ethnic origin can qualify, including:

  • Nationality or country of origin fields
  • Language preferences (in certain contexts)
  • Photographs (which may reveal ethnic origin)
  • Names (which may indicate ethnic background)

The EDPB has noted that the threshold for "revealing" racial or ethnic origin is low. If the data makes it possible to deduce this information, even indirectly, it may fall within the special category.

How to Comply When Processing Special Category Data

Compliance with the special category data rules requires a structured approach that goes beyond simply identifying a legal basis.

Conduct a Data Protection Impact Assessment

Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA) when processing is "likely to result in a high risk to the rights and freedoms of natural persons." Processing special category data on a large scale is explicitly listed as a scenario requiring a DPIA.

A DPIA must include:

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now
  • A systematic description of the processing operations and their purposes
  • An assessment of the necessity and proportionality of the processing
  • An assessment of the risks to individuals' rights and freedoms
  • The measures you will implement to address those risks

Apply data minimization rigorously

Collect only the special category data you genuinely need. If you can achieve your purpose with less sensitive data, use the less sensitive option. Article 5(1)(c) requires that data be "adequate, relevant and limited to what is necessary." This principle applies to all personal data but is enforced more strictly for special categories.

Implement appropriate technical safeguards

Special category data demands stronger security measures than ordinary personal data. Consider:

  • Encryption at rest and in transit (AES-256 for storage, TLS 1.2 or higher for transmission)
  • Access controls restricting who can view or process the data (role-based access, need-to-know basis)
  • Pseudonymization separating identifiers from sensitive attributes
  • Audit logging tracking all access to and modifications of the data
  • Data segregation storing special category data separately from general personal data

Document everything in your privacy policy

Your privacy policy must clearly disclose when you process special category data. Under Articles 13 and 14 of the GDPR, you must inform data subjects of:

  • The categories of special data you process
  • The legal basis and Article 9(2) exemption you rely on
  • The purposes of processing
  • Retention periods
  • Any recipients or categories of recipients
  • The data subject's rights, including the right to withdraw consent

If your privacy policy does not address special category data and you are processing it, you are already in violation of the GDPR's transparency requirements.

Special Category Data and Criminal Offense Data

Article 10 of the GDPR addresses personal data relating to criminal convictions and offenses separately from Article 9. Criminal offense data is not technically "special category data," but it receives similar heightened protection.

Processing criminal offense data is only permitted under the control of an official authority, or when authorized by Union or Member State law providing appropriate safeguards. This is relevant for businesses that conduct background checks, employment screening, or fraud prevention activities.

The distinction matters because the legal bases available under Article 10 are narrower than those under Article 9(2). You cannot rely on explicit consent alone to process criminal conviction data in most Member States. National law must specifically authorize the processing.

Special Category Data Outside the GDPR

While the GDPR provides the most detailed framework for special category data, other data protection laws have similar concepts.

UK GDPR

The UK retains the same special category data rules post-Brexit, supplemented by Schedule 1 of the Data Protection Act 2018, which provides additional conditions for processing. The UK Information Commissioner's Office (ICO) has published detailed guidance on appropriate policy documents that must accompany reliance on Schedule 1 conditions.

California Consumer Privacy Act (CCPA/CPRA)

The CPRA introduced the concept of "sensitive personal information," which overlaps significantly with GDPR special categories. It includes Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, biometric data, health data, and sex life or sexual orientation data. Consumers have the right to limit the use of their sensitive personal information under California Civil Code Section 1798.121. Violations can result in fines of $2,500 to $7,500 per violation.

Other jurisdictions

Brazil's LGPD (Lei Geral de Protecao de Dados) defines "sensitive personal data" in Article 5(II) with a similar list to the GDPR. South Africa's POPIA restricts processing of "special personal information" under Section 26. India's Digital Personal Data Protection Act addresses sensitive data through the concept of "significant data fiduciary" obligations.

Practical Steps for Businesses

If you are uncertain whether your business processes special category data, start with these steps.

Audit your data flows

Map every point where you collect, store, or process personal data. For each data element, ask whether it falls within any of the eight Article 9 categories, or whether it could indirectly reveal information in those categories. Pay particular attention to:

  • HR and employee records
  • Customer onboarding forms
  • Health and wellness features in apps
  • Biometric authentication systems
  • Marketing segmentation that uses demographic data

Review your legal bases

For each instance of special category data processing, confirm that you have both an Article 6 legal basis and an Article 9(2) exemption. Document these in your records of processing activities (ROPA) as required by Article 30.

Update your privacy documentation

Ensure your privacy policy explicitly addresses special category data processing. If you collect cookies or use tracking technologies that might capture sensitive data, your cookie policy should address this as well.

Train your staff

Employees who handle special category data need targeted training on the heightened requirements. This includes HR teams, healthcare professionals within your organization, customer support staff who may encounter sensitive disclosures, and IT teams responsible for securing the data.

Frequently Asked Questions

What is special category data under GDPR?

Special category data refers to personal data that the GDPR considers particularly sensitive and grants extra protection. It includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, and data concerning a person's sex life or sexual orientation. Article 9 of the GDPR prohibits processing this data unless a specific exemption applies.

What is the difference between personal data and special category data?

Personal data is any information that can identify a living person, such as a name, email address, or IP address. Special category data is a subset of personal data that reveals sensitive characteristics like health conditions, religious beliefs, or biometric identifiers. Processing personal data requires a legal basis under Article 6, while special category data requires both an Article 6 basis and an Article 9 exemption.

Can I process special category data with consent?

Yes, but the GDPR requires explicit consent for special category data, which is a higher standard than regular consent. Explicit consent must be a clear, affirmative statement specifically addressing the sensitive data being processed. It cannot be bundled with other consents, must be freely given, and the individual must be able to withdraw it at any time without detriment.

What are the penalties for mishandling special category data?

Violations involving special category data fall under the higher tier of GDPR fines: up to 20 million EUR or 4% of global annual turnover, whichever is greater. National data protection authorities can also issue enforcement notices, processing bans, and orders to erase data. In severe cases, individuals can bring private claims for material and non-material damages under Article 82.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is Special Category Data?
  • Why Special Category Data Gets Extra Protection
  • Legal Bases for Processing Special Category Data
  • Explicit consent (Article 9(2)(a))
  • Employment, social security, and social protection (Article 9(2)(b))
  • Vital interests (Article 9(2)(c))
  • Substantial public interest (Article 9(2)(g))
  • Health and social care (Article 9(2)(h))
  • Archiving, research, and statistics (Article 9(2)(j))
  • Examples of Special Category Data in Practice
  • Health data
  • Biometric data
  • Racial and ethnic origin data
  • How to Comply When Processing Special Category Data
  • Conduct a Data Protection Impact Assessment
  • Apply data minimization rigorously
  • Implement appropriate technical safeguards
  • Document everything in your privacy policy
  • Special Category Data and Criminal Offense Data
  • Special Category Data Outside the GDPR
  • UK GDPR
  • California Consumer Privacy Act (CCPA/CPRA)
  • Other jurisdictions
  • Practical Steps for Businesses
  • Audit your data flows
  • Review your legal bases
  • Update your privacy documentation
  • Train your staff
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.