Special Categories of Personal Data

Categories of personal data whose processing GDPR Article 9 prohibits by default, subject to a closed list of exceptions.

Also: Sensitive personal data · Article 9 data

Special categories of personal data are types of data that GDPR Article 9 treats as inherently sensitive and, by default, prohibits from being processed. Article 9(1) lists eight:

  • Racial or ethnic origin.
  • Political opinions.
  • Religious or philosophical beliefs.
  • Trade union membership.
  • Genetic data.
  • Biometric data processed for the purpose of uniquely identifying a natural person.
  • Health data.
  • Data concerning sex life or sexual orientation.

When processing is allowed

Article 9(2) lists ten exceptions. The most commonly relied on:

  • Explicit consent.
  • Necessary for employment, social security, and social protection law obligations.
  • Necessary to protect vital interests where the data subject can't consent.
  • Processing by a not-for-profit body (within strict scope).
  • Data manifestly made public by the data subject.
  • Necessary for the establishment, exercise, or defence of legal claims.
  • Necessary for reasons of substantial public interest based on EU or member state law.
  • Necessary for preventive or occupational medicine, medical diagnosis, healthcare provision by a professional under a duty of secrecy.

Processing special-category data requires both an Article 6 lawful basis and an Article 9(2) condition; the Article 9 condition is an additional hurdle, not a substitute for the Article 6 basis. Several of the Article 9(2) conditions (employment, substantial public interest, health and social care, public health, research and archiving) only apply where Union or member state law provides for them, so national law adds its own conditions and safeguards. In the UK these are in Schedule 1 of the Data Protection Act 2018; each EU member state has its own equivalents.

Why this matters for vendor work

Vendors that touch any special-category data — HR systems with sickness absence, customer support tools that may receive health-related questions, identity verification services using biometric matching — fall into a much higher tier of compliance scrutiny:

  • A DPIA is presumptively required: Article 35(3)(b) mandates one for large-scale processing of special-category data.
  • A DPO is more likely to be required, for the vendor as processor as well as for the controller, since Article 37(1)(c) applies where core activities consist of large-scale processing of special-category data.
  • The Article 28 data processing agreement must reflect the heightened security and confidentiality obligations.
  • Transfer impact assessments need to weigh the sensitivity. A health-data transfer to a non-adequate country needs more supplementary measures than a CRM data transfer.

When monitoring a vendor that processes special-category data, treat any change to its subprocessor list, retention period, or processing jurisdiction as elevated severity by default. The escalation is warranted not because the documents changed but because the underlying risk to data subjects is higher.

Related terms