Special Category of Personal Data: GDPR Rules Explained
Learn what special category of personal data means under the GDPR, which data types qualify, and how to process them lawfully. Covers Article 9.
Special category of personal data refers to a defined set of data types that the GDPR treats as inherently sensitive and subjects to stricter processing rules. If your organization collects health information, biometric identifiers, data about religious beliefs, or any of the other categories listed in Article 9, you face legal obligations that go well beyond the standard rules for personal data.
This guide explains what qualifies as a special category of personal data, why these categories receive extra protection, what legal conditions must be met before processing them, and how to build compliance into your operations. This is educational content and does not constitute legal advice. Consult a qualified attorney for guidance on your specific processing activities.
What Qualifies as a Special Category of Personal Data
Article 9(1) of the GDPR defines special categories of personal data through an exhaustive list. Processing any data that falls within these categories is prohibited by default unless one of the specific exceptions in Article 9(2) applies.
The special categories are:
Racial or ethnic origin: Data that reveals or can be used to infer a person's race or ethnicity. This includes direct identifiers such as self-reported ethnicity on a form, and indirect identifiers such as photographs or nationality data that could reveal ethnic origin.
Political opinions: Data revealing a person's political beliefs, party membership, voting intentions, or political activities. This covers explicit statements as well as data that could be used to infer political views, such as donation records to political organizations.
Religious or philosophical beliefs: Data about a person's religion, spiritual practices, or deeply held philosophical convictions. Membership records for religious organizations, dietary preference data linked to religious practice, and requests for religious accommodations all fall within this category.
Trade union membership: Any data revealing whether a person belongs to a trade union. This extends beyond membership lists to include payroll deductions for union dues or attendance records at union meetings.
Genetic data: Data relating to inherited or acquired genetic characteristics that gives unique information about the physiology or health of a person. This includes DNA test results, genetic risk assessments, and genomic sequencing data. The GDPR defines this in Article 4(13).
Biometric data processed for identification: Data resulting from specific technical processing of physical, physiological, or behavioral characteristics that allows or confirms unique identification. Fingerprint scans, facial recognition templates, iris scans, and voiceprints fall within this category when used to identify a person. Recital 51 clarifies that photographs are not automatically biometric data unless processed through specific technical means to enable identification.
Health data: Data relating to the physical or mental health of a person, including the provision of health care services. Article 4(15) defines this broadly to include medical records, test results, disability status, prescription data, and information about past, current, or future health conditions. Recital 35 adds that data collected during registration for or provision of health care services also qualifies.
Sex life or sexual orientation: Data about a person's sexual behavior, preferences, or orientation. This includes data collected directly (such as on dating platforms) and data that could be inferred from other information.
This list is exhaustive. Unlike some national laws that allow supervisory authorities to designate additional sensitive categories, the GDPR's special categories are fixed in Article 9(1). However, the broad definitions mean that data can fall within a special category even when the organization did not intend to collect sensitive information.
Why Special Category Data Receives Extra Protection
The GDPR treats special categories of personal data differently because their misuse creates risks that go beyond ordinary privacy violations. Recital 51 of the GDPR explains that these categories deserve specific protection because processing them "could create significant risks to the fundamental rights and freedoms" of individuals.
The historical and practical reasons for heightened protection include:
Discrimination risk: Data about race, ethnicity, religion, political opinions, and sexual orientation has been used throughout history to discriminate against individuals and groups. Employment decisions, insurance underwriting, housing access, and law enforcement profiling are all areas where misuse of this data causes concrete harm.
Power imbalances: Health data, genetic data, and biometric data give organizations detailed insight into a person's body and medical condition. Misuse by employers, insurers, or governments can lead to exclusion from employment, denial of coverage, or coercive surveillance.
Irreversibility: Genetic and biometric data cannot be changed. If a fingerprint template or DNA profile is compromised in a data breach, the affected individual cannot replace their biometric identifiers the way they can change a password or cancel a credit card.
Chilling effects: If people fear that their political opinions, union membership, or religious beliefs will be recorded and potentially misused, they may avoid exercising fundamental freedoms of expression, association, and religion. Protecting this data supports democratic participation.
These considerations mean that organizations cannot simply apply the same compliance measures they use for standard personal data. Special category data requires a separate and more rigorous legal analysis, additional technical safeguards, and explicit documentation in privacy policies and data protection impact assessments.
Legal Bases for Processing Special Category Data
Processing special category of personal data requires meeting two separate legal tests. First, the organization must have a lawful basis under Article 6 of the GDPR, the same requirement that applies to all personal data. Second, the organization must satisfy one of the ten specific exceptions listed in Article 9(2).
The ten exceptions under Article 9(2)
Explicit consent (Article 9(2)(a)): The data subject has given explicit consent to processing for one or more specified purposes. "Explicit" is a higher bar than the standard consent under Article 6(1)(a). It requires a clear, affirmative statement that specifically references the special category data and the processing purposes. Some member states restrict or prohibit reliance on consent for certain special categories.
Employment, social security, and social protection law (Article 9(2)(b)): Processing is necessary for carrying out obligations under employment law, social security law, or social protection law, as authorized by EU or member state law. This covers activities like payroll processing of trade union dues, occupational health assessments, and disability accommodations.
Vital interests (Article 9(2)(c)): Processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent. This is a narrow exception intended for life-threatening emergencies.
Legitimate activities of certain bodies (Article 9(2)(d)): Processing is carried out by a foundation, association, or other not-for-profit body with a political, philosophical, religious, or trade union aim, but only in relation to its members or former members, and only where data is not disclosed outside the body without consent.
Data manifestly made public (Article 9(2)(e)): Processing relates to data that the data subject has manifestly made public. A person who publicly discloses their political views on social media or announces their religious affiliation in a public forum has manifestly made that data public.
Legal claims (Article 9(2)(f)): Processing is necessary for establishing, exercising, or defending legal claims, or when courts are acting in their judicial capacity.
Substantial public interest (Article 9(2)(g)): Processing is necessary for reasons of substantial public interest, as set out in EU or member state law. The law must be proportionate, respect the essence of the right to data protection, and provide suitable safeguards.
Preventive or occupational medicine (Article 9(2)(h)): Processing is necessary for preventive or occupational medicine, assessment of an employee's working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems. This must be based on EU or member state law or a contract with a health professional.
Public health (Article 9(2)(i)): Processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border health threats or ensuring high standards of quality and safety of medicines and medical devices.
Archiving, research, and statistics (Article 9(2)(j)): Processing is necessary for archiving purposes in the public interest, scientific or historical research, or statistical purposes, subject to appropriate safeguards under Article 89(1).
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now
Identifying the correct exception is essential. Organizations that process special category data without satisfying both Article 6 and Article 9(2) face the GDPR's highest tier of penalties under Article 83(5): fines of up to 20 million EUR or 4% of annual global turnover.
Data Protection Impact Assessments for Special Category Data
Article 35(3)(b) of the GDPR makes Data Protection Impact Assessments (DPIAs) mandatory when processing special categories of personal data on a large scale. Even for smaller-scale processing, a DPIA is strongly recommended because it demonstrates accountability and helps identify risks before they materialize.
A DPIA for special category data should include:
- Description of processing operations: What special category data is collected, from whom, for what purpose, how it is stored, who has access, and how long it is retained
- Assessment of necessity and proportionality: Why processing this data is necessary and whether the purpose could be achieved with less sensitive data or less intrusive means
- Risk assessment: Identification of risks to the rights and freedoms of data subjects, including the likelihood and severity of potential harm from unauthorized access, data breach, misuse, or discrimination
- Mitigation measures: Technical and organizational safeguards to address identified risks, such as encryption, pseudonymization, access controls, staff training, and data minimization
- Consultation requirements: Whether the residual risk is high enough to require prior consultation with the supervisory authority under Article 36
The European Data Protection Board (EDPB) and national supervisory authorities have published lists of processing activities that require DPIAs. Processing special category data combined with other risk factors, such as automated decision-making, large-scale processing, or innovative technology, will almost always trigger the DPIA requirement.
Technical and Organizational Safeguards
Organizations processing special category of personal data must implement heightened security measures that reflect the sensitivity of the data. Article 32 of the GDPR requires security appropriate to the risk, and the risk associated with special category data is inherently high.
Recommended technical measures
- Encryption at rest and in transit: Special category data should be encrypted in databases and during transmission. AES-256 for storage and TLS 1.2 or higher for transmission are industry-standard minimums.
- Pseudonymization: Where possible, store special category data separately from directly identifying information and link them through pseudonymous identifiers. This limits exposure if either dataset is compromised.
- Access controls: Implement role-based access that restricts special category data to authorized personnel with a documented business need. Enforce the principle of least privilege.
- Audit logging: Maintain detailed logs of who accessed special category data, when, and for what purpose. Review logs regularly for anomalies.
- Data segregation: Store special category data in separate databases or tables from standard personal data, with independent access controls and encryption keys.
Recommended organizational measures
- Staff training: Ensure all employees who handle special category data understand the legal requirements, the heightened sensitivity, and the consequences of mishandling
- Data protection policies: Document specific procedures for handling special category data, including collection, storage, access, sharing, retention, and deletion
- Vendor management: If processors handle special category data on your behalf, ensure data processing agreements under Article 28 include specific provisions for sensitive data, and verify compliance through audits or certifications
- Breach response planning: Develop specific incident response procedures for breaches involving special category data, recognizing that such breaches are more likely to require notification to data subjects under Article 34
Special Category Data in Privacy Policies
If your organization processes any special category of personal data, your privacy policy must disclose this clearly. Article 13 and Article 14 of the GDPR require that data subjects be informed about the categories of data processed, the purposes, the legal basis, and the specific Article 9(2) exception relied upon.
Your privacy policy should include:
- Which special categories you process (use the Article 9(1) terminology)
- The specific purpose for processing each category
- The Article 9(2) exception that permits processing
- The Article 6 lawful basis that also applies
- Any additional safeguards you have implemented
- Retention periods for special category data
- Whether the data is shared with third parties and, if so, the legal basis for sharing
Generic statements like "we may process sensitive personal data" are insufficient. The GDPR requires specificity about what is processed and why. A privacy policy generator can help structure these disclosures correctly, but organizations processing special category data should have their privacy policy reviewed by legal counsel to ensure all required elements are present and accurate.
Common Scenarios Involving Special Category Data
Many organizations process special category data without realizing it. Understanding common scenarios helps identify compliance obligations that might otherwise be overlooked.
Employee health and absence records
Employers routinely process health data through sick leave records, occupational health assessments, disability accommodations, and return-to-work interviews. This processing typically relies on Article 9(2)(b) (employment law obligations) or Article 9(2)(h) (occupational medicine), combined with national employment legislation. Employers must limit health data collection to what is strictly necessary and store it separately from general personnel files.
Biometric access control
Organizations using fingerprint scanners, facial recognition, or iris scanners for building access or time tracking process biometric data for identification purposes. This requires either explicit consent under Article 9(2)(a) or authorization under member state law. Several EU member states have enacted specific legislation permitting biometric processing in employment contexts under strict conditions.
Health and fitness applications
Apps that track health metrics, mental health status, reproductive health, or medical conditions process health data. The typical legal basis is explicit consent, but the consent must meet the heightened standard for special category data: it must be specific to the health data processing, clearly distinguishable from other consents, and withdrawable at any time.
Customer demographic data
Surveys or account profiles that ask about ethnicity, religion, or sexual orientation collect special category data. Unless this data is strictly necessary for a purpose covered by an Article 9(2) exception, it should not be collected at all. Voluntary demographic surveys for diversity monitoring may rely on explicit consent, but the data must be anonymized or pseudonymized promptly.
Genetic testing and ancestry services
Companies offering DNA testing, genetic health risk reports, or ancestry analysis process genetic data. This processing requires explicit consent under Article 9(2)(a), and the consent process must explain in detail how genetic data will be used, stored, shared, and eventually deleted. Given the irreversible nature of genetic data, additional safeguards around data security and third-party sharing are essential.
If your website or application collects any of these data types, your legal documents need to reflect this. In addition to a detailed privacy policy, you may need to update your terms of service generator output to include provisions about data handling for special categories.
Enforcement Actions Involving Special Category Data
Supervisory authorities across the EU have taken enforcement action against organizations that mishandle special category data. These cases illustrate the standards regulators expect and the consequences of non-compliance.
Romanian DPA (2019): Fined a bank 150,000 EUR for processing fingerprint data (biometric special category) of employees without a valid Article 9(2) exception. The bank used fingerprints for access control but had not obtained explicit consent or established an alternative legal basis.
Greek DPA (2019): Fined PricewaterhouseCoopers 150,000 EUR for processing employee consent as a legal basis for employment-related data that included special categories, without demonstrating that consent was freely given in the employment context.
Italian DPA (Garante, 2020): Fined a healthcare provider 30,000 EUR for disclosing patient health data (special category) through an email sent to the wrong recipient. The fine reflected both the data breach and inadequate technical measures for handling health data.
French CNIL (2022): Fined Clearview AI 20 million EUR for processing biometric data (facial recognition templates) without a lawful basis. The company collected facial images from public internet sources and processed them through facial recognition technology without consent or any other valid Article 9(2) exception.
Hungarian DPA (2020): Fined a political party 28,000 EUR for creating a database of voters' political opinions based on social media posts without a valid legal basis under Article 9(2).
These cases demonstrate that regulators examine both the legal basis for processing and the adequacy of technical and organizational safeguards. Processing special category data without meeting the dual requirements of Article 6 and Article 9(2) consistently results in enforcement action.
Frequently Asked Questions
What is a special category of personal data?
A special category of personal data is any data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, or data concerning a person's sex life or sexual orientation. Article 9 of the GDPR defines these categories and prohibits their processing unless a specific exception applies.
What is the difference between personal data and special category data?
Personal data is any information that identifies or can identify a living person, such as a name, email address, or IP address. Special category data is a subset of personal data that the GDPR considers inherently sensitive because its misuse could cause serious harm, discrimination, or social disadvantage. Processing personal data requires a lawful basis under Article 6, while processing special category data requires both a lawful basis under Article 6 and a separate exception under Article 9(2).
Can I process special category data with consent?
Yes, but only with explicit consent as defined in Article 9(2)(a) of the GDPR. Explicit consent for special category data must be a clear, affirmative statement specifically naming the categories of data and the purposes for processing. It cannot be implied, bundled with other consents, or obtained through pre-checked boxes. Some member states have enacted additional restrictions or outright prohibitions on consent as a basis for processing certain special categories, so national law must also be checked.
What are the penalties for mishandling special category data?
Violations involving special category data fall under the GDPR's upper tier of penalties. Article 83(5) allows supervisory authorities to impose fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher. Because special category data is inherently sensitive, regulators tend to treat violations more seriously, and fines for mishandling health, biometric, or genetic data have been among the highest issued under the GDPR.