Not all personal data carries the same risk. Some categories of data are so sensitive — so capable of causing discrimination, harm, or irreversible damage to an individual’s life — that GDPR imposes a separate, more demanding protection regime on top of the standard Article 6 requirements. Article 9 identifies these special categories, prohibits their processing by default, and then sets out the limited conditions under which processing is permissible. Understanding this regime is essential for any organisation that handles health records, biometric identifiers, genetic data, or any of the other protected categories.
The practical stakes are high. Several of the largest GDPR fines imposed to date have involved special category data — particularly health data and data relating to children. Any organisation that processes special category data without satisfying both an Article 6 basis and an Article 9(2) condition is in violation of two separate provisions of GDPR simultaneously, with a correspondingly elevated enforcement and fine risk.
The Eight Special Categories
Article 9(1) defines the eight categories of personal data that receive heightened protection. Processing of these categories is prohibited unless one of the Article 9(2) conditions is met.
ARTICLE 9 — SPECIAL CATEGORIES AT A GLANCE
| Category | Definition | Common Processing Contexts | Key Risks if Exposed |
|---|---|---|---|
| Racial or ethnic origin | Data revealing racial or ethnic background | Equal opportunity monitoring; identity documents; facial recognition | Discrimination; targeting; hate crime facilitation |
| Political opinions | Data revealing political views or affiliations | Electoral systems; political campaigns; employee monitoring | Political persecution; employment discrimination |
| Religious/philosophical beliefs | Data revealing faith or belief system | Prayer room requests; dietary requirements; faith-based HR | Religious discrimination; persecution in some jurisdictions |
| Trade union membership | Data revealing union affiliation | HR systems; payroll deductions; strike monitoring | Employment retaliation; union-busting |
| Genetic data | Data from biological samples revealing genetic characteristics | Healthcare; insurance; DNA testing; research | Discrimination in insurance/employment; irreversibility of exposure |
| Biometric data (for ID purposes) | Fingerprints, facial recognition, iris scans used to identify individuals | Access control; time & attendance; device authentication | Identity theft; mass surveillance risk |
| Health data | Data relating to physical or mental health status | HR absence records; healthcare systems; wearables; insurance | Discrimination; stigma; insurance/employment consequences |
| Sex life / sexual orientation | Data revealing sexual preferences or behaviour | HR records; dating platforms; healthcare | Discrimination; persecution; blackmail |
The Default Prohibition and Why It Matters
Article 9(1) states that processing of the special categories of personal data listed above shall be prohibited. This is a default prohibition, not merely a heightened standard. It means that an organisation that processes special category data and cannot point to a specific Article 9(2) condition is not merely failing to meet an elevated standard — it is processing data that is prohibited.
The prohibition applies regardless of how carefully the data is protected, how legitimate the underlying purpose might seem, or what Article 6 lawful basis exists for the general processing. Article 6 and Article 9 are cumulative requirements. For special category data, both must be satisfied: the processing must have an Article 6 lawful basis, and it must meet one of the Article 9(2) conditions. Satisfying one without the other is insufficient.
| IMPORTANT | Many organisations discover they are processing special category data without realising it. An HR system that records sickness absences and the nature of the illness processes health data. A security system that uses fingerprint or facial recognition for access control processes biometric data for identification purposes. A CRM that records whether a customer is vegetarian for catering purposes may process data revealing religious beliefs. Mapping special category data is a critical first step. |
The Ten Article 9(2) Processing Conditions
Article 9(2) provides ten conditions under which the default prohibition may be lifted. Only one condition needs to apply, but it must apply genuinely and the organisation must be able to demonstrate it. Below is a practical guide to each condition.
ARTICLE 9(2) — CONDITIONS FOR PROCESSING SPECIAL CATEGORY DATA
| Condition | Article | When It Applies | Practical Examples |
|---|---|---|---|
| Explicit consent | 9(2)(a) | Data subject gives explicit consent for specific purposes | Health apps; genetic testing services; optional monitoring programmes |
| Employment, social security, social protection law | 9(2)(b) | Necessary for employment/social law obligations | Sickness records; occupational health; disability adjustments; pension processing |
| Vital interests (unable to consent) | 9(2)(c) | Protect life when data subject cannot consent | Emergency medical treatment; disaster response |
| Not-for-profit bodies with legitimate activities | 9(2)(d) | Political, philosophical, religious or trade union bodies processing member data | Political party member data; religious organisation records; union member data |
| Manifestly made public by the data subject | 9(2)(e) | Data subject has clearly made this data public themselves | Politician’s public statements about their faith; public social media health disclosures |
| Legal claims establishment, exercise or defence | 9(2)(f) | Processing necessary for legal proceedings | Health records in personal injury litigation; union membership in employment tribunal |
| Substantial public interest (member state law) | 9(2)(g) | Authorised by national law for substantial public interest | Equality monitoring; safeguarding; fraud prevention schemes |
| Preventive/occupational medicine (health professionals) | 9(2)(h) | Medical diagnosis, treatment, social care management by health professionals under secrecy | GP records; hospital treatment; occupational health assessments |
| Public health (member state law) | 9(2)(i) | Serious cross-border health threat or quality/safety of healthcare/medicinal products | Disease surveillance; pharmacovigilance; pandemic response |
| Archiving, research, statistics (member state law) | 9(2)(j) | Authorised research or statistical purposes in public interest with appropriate safeguards | Academic medical research; population health statistics; historical archives |
Explicit Consent: A Higher Standard
Article 9(2)(a) requires explicit consent — a deliberately more demanding standard than the ‘unambiguous indication’ that constitutes ordinary consent under Article 6(1)(a). Explicit consent requires a clear, unambiguous statement or affirmative action that explicitly covers the special category data and its processing purpose. A checkbox that says ‘I agree to the terms and privacy policy’ does not constitute explicit consent for processing health data, even if the privacy policy mentions health data processing. The consent must explicitly reference the sensitive data and the specific purpose.
The EDPB recommends that explicit consent for special category data be obtained through a separate, dedicated mechanism — a standalone consent form or screen that focuses specifically on the sensitive processing, uses clear language about what is being consented to, and records the consent separately from any general consent. Bundling explicit consent for special category data with broader consent notices creates ambiguity about whether the data subject understood and specifically consented to the sensitive processing.
| KEY IDEA | Explicit consent under Article 9(2)(a) is not merely consent obtained clearly — it is consent where the data subject has explicitly acknowledged the sensitive nature of the data being processed and specifically authorised that processing. The word ‘explicit’ adds a substantive requirement: the statement of consent must itself contain an explicit reference to the special category processing. |
Health Data: The Highest-Volume Special Category
Health data is the special category most commonly encountered in commercial and employment contexts. Its definition under Article 4(15) is broad: any personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about health status. This captures not only clinical records but absence records revealing a condition, insurance claims data, wearable device data, pharmacy records, and data from which health information can be inferred.
HEALTH DATA — EXAMPLES ACROSS BUSINESS CONTEXTS
| Context | Data That Constitutes Health Data | Most Applicable Art. 9(2) Condition |
|---|---|---|
| HR / Employment | Sickness absence records; medical certificates; disability adjustments; fit-for-work assessments | 9(2)(b) — Employment law obligation |
| Insurance | Claims data; medical underwriting information; pre-existing condition declarations | 9(2)(a) — Explicit consent (commercial) OR 9(2)(b) if mandatory scheme |
| Healthcare provider | Patient records; diagnoses; treatment notes; prescriptions; lab results | 9(2)(h) — Medical care by health professional |
| Wearables / Health apps | Heart rate; sleep data; fitness metrics; menstrual cycle data; blood glucose | 9(2)(a) — Explicit consent |
| Research institution | Anonymised patient cohort data; clinical trial data; population health surveys | 9(2)(j) — Research / statistics with safeguards |
| Employer wellness programme | Blood pressure readings; BMI; stress assessments; EAP usage | 9(2)(a) — Explicit consent (must be genuinely voluntary) |
Biometric Data: When Processing Triggers Article 9
Biometric data is subject to Article 9’s heightened protection only when it is processed for the purpose of uniquely identifying a natural person. This is a critical qualifier. A standard photograph is biometric data in the general sense, but it does not fall under Article 9 unless it is processed through facial recognition technology to identify the individual. Fingerprints collected for criminal investigation fall under Article 10 (criminal offences data), not Article 9, where the purpose is law enforcement. But fingerprints used by an employer for access control — processed to confirm the identity of the person at the door — are special category data under Article 9.
The rise of biometric time-and-attendance systems and biometric access control in workplaces has created significant compliance challenges. For employment-related biometric processing, the most commonly applicable Article 9(2) condition is explicit consent under 9(2)(a) — but given the EDPB’s position on consent in employment relationships, several national DPAs have questioned whether employee consent for biometric workplace monitoring can be truly freely given. Some member states — Germany, Sweden — have imposed strict limits on biometric processing in employment contexts even where consent is given.
| BITLION INSIGHT | Before deploying any biometric identification system — facial recognition, fingerprint scanners, iris recognition — organisations must complete a DPIA under Article 35. GDPR’s list of processing activities likely to result in high risk (Article 35(3)) specifically includes large-scale processing of biometric data. The DPIA must assess the necessity and proportionality of biometric processing, consider less invasive alternatives, and document the residual risk and mitigation measures before deployment begins. |
DPIA Mandatory for Special Category Processing
Article 35(3)(b) explicitly requires a Data Protection Impact Assessment for processing on a large scale of special categories of data or personal data relating to criminal convictions and offences. The DPIA requirement is not limited to large-scale processing — the Article 29 Working Party (now EDPB) guidelines on DPIAs identify processing of special category data more broadly as a risk indicator that makes a DPIA likely to be required even outside large-scale contexts.
A DPIA for special category processing must address: the necessity and proportionality of the processing; the specific Article 9(2) condition relied on; the security measures protecting the sensitive data; the risks to data subjects if there is a breach; and the measures taken to mitigate those risks. Article 2.7 of this knowledge hub covers DPIA methodology in depth. For special category data, the DPIA is not a formality — it is the mechanism through which the organisation demonstrates that it has genuinely assessed the elevated risks before processing begins.
Security Requirements for Special Category Data
Article 9’s heightened protection extends to the security measures required to protect special category data. While Article 32’s general security requirement is risk-proportionate, processing special category data materially elevates the risk baseline. DPAs consistently expect higher security standards for health, biometric, and genetic data than for standard personal data.
ENHANCED SECURITY MEASURES FOR SPECIAL CATEGORY DATA
| Control Area | Standard Personal Data | Special Category Data |
|---|---|---|
| Encryption at rest | Recommended; required for high-risk | Mandatory; AES-256 minimum |
| Access controls | Role-based; need-to-know | Strict need-to-know; additional approval for access |
| Access logging | Recommended | Mandatory; reviewed regularly |
| Staff authorisation | General data handling training | Explicit authorisation; specific role-based clearance |
| Pseudonymisation | Risk-reduction measure | Expected standard; separation of key required |
| Data residency | Flexible | May require specific geographic restrictions |
| Breach response time | 72-hour SA notification | Likely individual notification required; expedited response |
| DPIA | Required for high-risk processing | Required; updated when processing changes significantly |
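One way to implement the "Pseudonymisation" (separation of key) and "Access logging" rows of the table above, as an added example that is not code from the original page or from Bitlion. The HR absence records, the employee IDs, the `KeyCustodian` class and the key value are all constructed for illustration; only the Python standard library is used.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Constructed sample: HR absence records whose "condition" field is health data.
# Employee IDs and conditions are invented for this example.
SAMPLE_RECORDS = [
    {"employee_id": "E1001", "absence_days": 4, "condition": "influenza"},
    {"employee_id": "E1002", "absence_days": 12, "condition": "back injury"},
    {"employee_id": "E1001", "absence_days": 2, "condition": "influenza"},
]

class KeyCustodian:
    """Holds the pseudonymisation key and the reverse lookup table. In production
    this sits in a separate trust zone (HSM, secrets manager, or a team the analytics
    environment cannot reach); it is in-memory here only so the example runs offline."""

    def __init__(self, key: bytes):
        self._key = key
        self._reverse = {}    # pseudonym -> employee_id; never leaves the custodian
        self.access_log = []  # every re-identification is recorded for review

    def pseudonym_for(self, employee_id: str) -> str:
        # Keyed HMAC: stable per employee, but cannot be recomputed or brute-forced
        # from a short ID without the key, unlike a plain SHA-256 of the ID.
        p = hmac.new(self._key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[p] = employee_id
        return p

    def reidentify(self, pseudonym: str, actor: str, justification: str) -> str:
        # Re-identification is the exception: it needs a justification and is logged.
        if not justification.strip():
            raise PermissionError("re-identification requires a documented justification")
        self.access_log.append({
            "when": datetime.now(timezone.utc).isoformat(), "actor": actor,
            "pseudonym": pseudonym, "justification": justification,
        })
        return self._reverse[pseudonym]

def pseudonymise_records(records, custodian: KeyCustodian):
    """Strip the direct identifier before records enter the analytics store."""
    out = []
    for r in records:
        copy = {k: v for k, v in r.items() if k != "employee_id"}
        copy["pseudonym"] = custodian.pseudonym_for(r["employee_id"])
        out.append(copy)
    return out
```

The analytics store ends up holding only pseudonyms and health fields, so a breach of that store alone does not reveal who each record belongs to, and every re-identification leaves an entry in `access_log` for the periodic review the table calls for.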
Staff Training and Confidentiality
Article 9(3) requires that health data processed under Article 9(2)(h) be processed by or under the responsibility of a professional subject to an obligation of professional secrecy. For non-healthcare organisations, the equivalent obligation is implemented through staff training, confidentiality agreements, and role-based access controls that limit exposure of special category data to personnel with a genuine need.
Staff who handle special category data — HR personnel with access to health records, security teams operating biometric systems, research staff handling genetic data — must receive specific training on the nature of the data, the conditions under which it may be processed, the security measures they are required to apply, and their obligations if they become aware of a potential breach. General data protection training is not sufficient. The training must address the specific categories of sensitive data that the staff member’s role involves.
| KEY IDEA | Confidentiality of special category data is not just a security requirement — it is a professional and legal obligation. Organisations that allow special category data to be accessible to staff beyond those with a genuine need are violating both the data minimisation principle and the integrity and confidentiality principle simultaneously. Access to health records, biometric data, and similar sensitive categories should be the exception that requires justification, not the default that requires restriction. |
Criminal Convictions and Offences Data
Article 10 provides a parallel regime for personal data relating to criminal convictions and offences, or related security measures. This data may only be processed under the control of official authority, or when authorised by EU or member state law providing for appropriate safeguards for the rights and freedoms of data subjects. No general legitimate interests basis is available for criminal records data outside these conditions.
Commercial contexts where this arises include: employee background screening (which must be conducted under specific national legal frameworks); financial services KYC processes with PEP/sanctions checking; fraud prevention databases; and platform moderation systems that record reports of criminal conduct. Each jurisdiction has its own rules on when and by whom criminal records data may be processed, and organisations operating across multiple EU member states must navigate the variation in national authorisations.