Special Categories of Data: Handling Sensitive Personal Information
GDPR provides enhanced protection for certain types of personal data considered particularly sensitive. Processing this "special category" data is generally prohibited unless specific conditions are met. Organizations handling such data face additional compliance requirements.
Key Takeaways
| Point | Summary |
|---|---|
| General prohibition | Processing special category data is prohibited by default |
| Specific exceptions | Processing only permitted under explicit conditions (Article 9(2)) |
| Higher standards | More stringent security, documentation, and accountability requirements |
| DPIA often required | Large-scale special category processing typically requires DPIA |
| Common examples | Health data, biometrics, racial/ethnic origin, religious beliefs |
Quick Answer: Special category data (health, biometrics, race, religion, etc.) requires explicit consent or another specific legal condition, plus enhanced security measures. Most organizations can process this data only with explicit consent or where necessary for employment law obligations.
What is Special Category Data?
GDPR Article 9 identifies these categories as requiring enhanced protection:
| Category | Examples |
|---|---|
| Racial or ethnic origin | Ethnicity, nationality, skin color |
| Political opinions | Political party affiliation, voting preferences |
| Religious or philosophical beliefs | Religion, atheism, ethical beliefs |
| Trade union membership | Union affiliation status |
| Genetic data | DNA, hereditary information |
| Biometric data | Fingerprints, facial recognition, iris scans (when used to identify) |
| Health data | Medical records, disabilities, mental health, lifestyle data affecting health |
| Sex life or sexual orientation | Sexual preferences, sexual history |
Related: Criminal Conviction Data
While not technically "special category" data, personal data relating to criminal convictions and offenses receives similar protection under Article 10. This data can only be processed:
- Under the control of official authority, or
- When authorized by EU or Member State law
When Can You Process Special Category Data?
The General Rule
Article 9(1) prohibits processing special category data unless one of the specific conditions in Article 9(2) applies.
Article 9(2) Conditions
| Condition | When It Applies |
|---|---|
| (a) Explicit consent | Individual gives explicit consent for specific purposes |
| (b) Employment and social protection | Processing necessary for employment law obligations |
| (c) Vital interests | Protecting life when consent cannot be obtained |
| (d) Legitimate activities | By nonprofit bodies with appropriate safeguards (members/contacts) |
| (e) Made public | Data manifestly made public by the individual |
| (f) Legal claims | Necessary for legal claims or court proceedings |
| (g) Substantial public interest | Based on law, proportionate, with safeguards |
| (h) Health care | Medical diagnosis, treatment, health system management |
| (i) Public health | Public health purposes (epidemics, quality/safety) |
| (j) Research/statistics | Archiving, research, statistics with appropriate safeguards |
Most Common Bases for Organizations
Explicit Consent (a):
Most common for commercial organizations. Requires:
- Clear, specific consent statement
- Active opt-in (not pre-ticked boxes)
- Separate from other consents
- Easy withdrawal mechanism
- Documented consent record
Employment Obligations (b):
Relevant for processing employee data:
- Disability accommodations
- Health and safety requirements
- Equal opportunity monitoring
- Statutory sick pay administration
Health Care Purposes (h):
For organizations in healthcare sector:
- Medical professionals bound by confidentiality
- Providing health services
- Managing health systems
Practical Requirements
Enhanced Security Measures
Special category data requires particularly robust security:
| Measure | Implementation |
|---|---|
| Encryption | Strong encryption at rest and in transit |
| Access controls | Strict need-to-know access, role-based permissions |
| Audit logging | Comprehensive logging of access and modifications |
| Physical security | Appropriate physical controls for systems and storage |
| Staff vetting | Appropriate background checks for staff with access |
| Training | Enhanced training on handling sensitive data |
DPIA Requirements
Processing special category data at scale typically requires a Data Protection Impact Assessment:
| Scenario | DPIA Required? |
|---|---|
| Large-scale health data processing | Yes |
| Biometric access control system | Likely |
| Diversity monitoring (anonymized/aggregated) | Usually not |
| Individual health insurance processing | Depends on scale |
| Employee disability accommodations | Usually not (small scale) |
Documentation Requirements
Enhanced documentation for special category processing:
| Document | Content |
|---|---|
| ROPA entry | Specific documentation of processing activities |
| Legal basis record | Documented justification under Article 9(2) |
| Consent records | Where explicit consent is the basis |
| Security measures | Documentation of enhanced security |
| DPIA | Where required |
Common Scenarios
Scenario 1: Diversity and Inclusion Monitoring
Many organizations collect diversity data for monitoring and improvement purposes.
Considerations:
- Usually requires explicit consent
- Consider anonymization/aggregation to avoid individual identification
- Clear explanation of purpose and use
- Separate from employment decisions
- Voluntary participation
Approach:
- Make participation clearly optional
- Explain how data will be used (aggregate statistics)
- Consider whether individual-level data is necessary
- Implement strong access controls
Scenario 2: Health and Wellness Programs
Employee wellness programs often involve health data.
Considerations:
- Explicit consent typically required
- Must be genuinely voluntary
- Cannot disadvantage non-participants
- Third-party provider must have appropriate DPA
Approach:
- Ensure voluntary nature is genuine (no pressure)
- Get explicit consent with clear explanation
- Separate from employment record
- Limit access to necessary personnel
Scenario 3: Biometric Authentication
Fingerprint or facial recognition for access control.
Considerations:
- Biometric data when used for identification is special category
- DPIA usually required
- Consider if biometrics are truly necessary
- Alternative authentication options should be available
Approach:
- Conduct DPIA before implementation
- Provide alternatives where possible (card, PIN)
- Strong security for biometric templates
- Clear privacy information for users
Scenario 4: Background Screening
Pre-employment checks that may reveal sensitive information.
Considerations:
- May reveal health conditions, criminal history
- Must have appropriate legal basis
- Proportionate to the role
- Candidate must be informed
Approach:
- Check only what's necessary and proportionate
- Obtain consent where required
- Use accredited screening providers
- Appropriate retention and deletion
Scenario 5: Health-Related Apps and Services
Apps that collect health or fitness data.
Considerations:
- Health data broadly defined (includes fitness data affecting health)
- Explicit consent required
- Enhanced security measures
- May have additional health data regulations
Approach:
- Clear, specific consent for health data
- Robust security measures
- Privacy-by-design approach
- Consider DPIA for new features
Health Data: Special Considerations
Health data is one of the most commonly processed special categories and deserves particular attention.
What Counts as Health Data?
GDPR defines health data broadly:
| Included | Examples |
|---|---|
| Medical records | Diagnoses, treatments, prescriptions |
| Physical health | Disabilities, injuries, conditions |
| Mental health | Psychological conditions, therapy records |
| Health services | Appointments, hospital visits |
| Health-related | Lifestyle data relating to health, fitness trackers |
| Genetic testing | Results revealing health predispositions |
National Variations
Many EU Member States have additional laws for health data:
- Specific confidentiality requirements
- Professional secrecy obligations
- Additional conditions for processing
- Data localization requirements
Organizations should check requirements in countries where they operate.
Biometric Data: Special Considerations
Biometric data is special category only when processed to uniquely identify an individual.
When Biometrics Are Special Category
| Scenario | Special Category? |
|---|---|
| Fingerprint for device unlock | Yes (identification) |
| Facial recognition access control | Yes (identification) |
| Photo for ID badge | No (not biometric identification) |
| Voice recording for customer service | Generally no (unless used for identification) |
Biometric Security Requirements
| Requirement | Implementation |
|---|---|
| Template storage | Store templates rather than raw biometric data |
| Encryption | Strong encryption for biometric templates |
| Revocation | Ability to revoke/replace compromised biometrics |
| Local storage | Consider local device storage vs. central database |
International Transfers
Special category data transfers outside the EEA require:
- All standard transfer mechanism requirements (SCCs, adequacy, etc.)
- Enhanced attention in Transfer Impact Assessments
- Consideration of whether recipient country provides adequate protection for sensitive data
- Stronger supplementary measures may be appropriate
How Bastion Helps
Processing special category data involves navigating complex requirements and implementing enhanced controls. Working with experienced partners helps ensure your approach is both compliant and practical.
| Challenge | How We Help |
|---|---|
| Legal Basis Assessment | Guidance on appropriate Article 9(2) conditions for your processing |
| DPIA Support | Conducting DPIAs for special category processing activities |
| Security Implementation | Recommendations for enhanced security measures |
| Consent Mechanisms | Design and implementation of explicit consent processes |
| Vendor Assessment | Evaluating processors handling special category data |
| Documentation | Templates and support for enhanced documentation requirements |
Special category data is an area where getting the approach right matters significantly—both because of the enhanced regulatory risk and because this data relates to aspects of individuals' lives that deserve particular respect.
Questions about handling special category data? Talk to our team →
Sources
- GDPR Article 9 (EUR-Lex) - Official text on special categories of data
- GDPR Article 10 (EUR-Lex) - Processing of criminal conviction data
- EDPB Guidelines on Consent - Guidance including explicit consent