
Special Categories of Personal Data: Rules for Processing Sensitive Information

Special categories of personal data are the most sensitive information protected under GDPR. The label exists because misuse carries high risks of discrimination and violation of fundamental rights.

What Counts as a Special Category

Article 9 GDPR identifies eight categories of personal data considered particularly sensitive.

Main Categories

Racial or ethnic origin:

  • Biological ancestry and hereditary traits
  • Cultural aspects: language, history, traditions
  • Shared values and group belonging

Political opinions:

  • Political affiliations and views
  • Membership in political organizations
  • Voting preferences

Religious or philosophical beliefs:

  • Faith and spiritual practices
  • Worldview
  • Religious organization membership

Trade union membership:

  • Union activities
  • Labor rights and representation
  • Collective bargaining

Biometric and Genetic Data

Personal data relating to inherited or acquired genetic characteristics that give unique information about physiology or health:

  • Chromosomal analysis
  • DNA or RNA analysis
  • Biological sample research
  • Genetic testing

Personal data resulting from specific technical processing relating to physical, physiological, or behavioral characteristics:

  • Fingerprints (dactyloscopic data)
  • Facial recognition
  • Retinal scans
  • Voice characteristics
  • Hand geometry

Important Note on Biometrics

Photographs are considered biometric data only when they are processed by special means for unique identification of a person. Regular photographs on social networks are not biometric data by default.

Health Data

Personal data on physical or mental health, including healthcare service provision, that reveals health status.

Medical information:

  • Medical history and diagnoses
  • Test and exam results
  • Treatments and medications
  • Psychological condition

Indirect health data:

  • Frequency of doctor visits
  • Insurance claim information
  • Data from medical devices
  • Disability information

Private Life Data

Sex life and sexual orientation:

  • Sexual preferences and practices
  • Information about partners
  • Gender transition data
  • Information about same-sex marriage registration

Broad Interpretation of Categories

Special categories of data are defined broadly and may include information that doesn't seem particularly sensitive. For example, a broken leg is technically health data, though less sensitive than mental health information.

General Prohibition

Article 9(1) GDPR establishes a default prohibition on processing special categories of personal data.

Why Extra Protection

High discrimination risks:

  • Unequal treatment based on origin
  • Health-based discrimination
  • Political persecution
  • Religious intolerance

Privacy violations:

  • Disclosure of intimate information
  • Invasion of personal space
  • Detailed personality profiling
  • Manipulation of vulnerabilities

Decision flow for processing special categories:

```mermaid
flowchart TD
    A[Special categories of data] --> B{Exception exists?}
    B -->|Yes| C[Determine legal basis Article 6]
    B -->|No| D[Processing prohibited]
    C --> E[Apply additional protective measures]
    C --> F[Document justification]
    E --> G[Lawful processing]
    F --> G
```

Exceptions

Article 9(2) GDPR provides 10 exceptions to the prohibition.

Explicit Consent

Explicit consent is stricter than ordinary consent.

Requirements:

  • Clear statement (oral or written)
  • Specifies the special category
  • Specifies processing purposes
  • Withdrawable at any time

Forms:

  • Written statement with signature
  • Electronic form with clear wording
  • Oral consent (documented)
  • Separate consent per category

Processing of personal data manifestly made public by the subject:

Examples:

  • Public statements by politicians
  • Open social media posts
  • Press releases on the person's initiative
  • Participation in public events

Limits:

  • Data must be "manifestly" public
  • Context matters
  • Not all public data qualifies

Vital Interests

Processing necessary to protect vital interests when the subject is physically or legally unable to consent.

Emergencies:

  • Medical care for unconscious patients
  • Rescue operations
  • Protection of life and health
  • Prevention of serious harm

Limited Scope

Vital interests apply only in exceptional cases involving life and death. This exception cannot be used as an alternative to consent if a person is capable of giving it but refuses.

Employment and Social Protection

Labor relations:

  • Employment law processing
  • Social security and protection
  • Authorization by EU or Member State law
  • Appropriate safeguards

Non-profit organizations:

  • Foundations, associations, unions
  • Political, philosophical, religious purposes
  • Members and former members only
  • Appropriate safeguards

Court proceedings:

  • Establishing, exercising, or defending legal claims
  • Judicial actions
  • Courts acting within their legal functions

Public Interest

Conditions:

  • Proportionate to the aim
  • Respects the essence of data protection
  • Special measures for subject rights
  • Based on EU or Member State law

Processing necessary for preventive medicine, work-capacity assessment, medical diagnosis, healthcare or social care delivery:

Purposes:

  • Preventive or occupational medicine
  • Diagnosis and treatment
  • Healthcare system management
  • Contract with health professional

Protection against health threats:

  • Serious cross-border health threats
  • High standards of healthcare quality
  • Safety of medicinal products and devices
  • Professional secrecy

Archiving and Research

Scientific and historical research:

  • Public-interest scientific purposes
  • Historical research
  • Statistical purposes
  • Article 89 safeguards

Additional Protection Requirements

Dual Basis

Critically Important

For lawful processing of special categories of data, it's necessary to determine both a legal basis under Article 6 GDPR and a separate condition under Article 9. These bases don't necessarily need to be linked.

Combination examples:

| Article 6 (legal basis) | Article 9 (condition) | Context |
|---|---|---|
| Contract | Explicit consent | Private medical services |
| Public task | Healthcare | Public hospitals |
| Legitimate interests | Made public by subject | Journalism |

DPIA

Processing special categories, especially at scale, requires a Data Protection Impact Assessment.

Mandatory DPIA elements:

  • Description of processing operations
  • Necessity and proportionality assessment
  • Risk analysis for rights and freedoms
  • Mitigation measures

Appropriate Policy Document

Many exceptions require a policy document covering:

  • Procedures to ensure GDPR compliance
  • Subject rights protection
  • Records of processing activities
  • Security measures

Automated Decisions

Article 22(4) GDPR sets strict rules for automated decisions based on special categories.

Permitted grounds:

  • Explicit consent
  • Substantial public interest
  • Appropriate safeguards for rights and freedoms

Prohibited:

  • Profiling without consent or public interest
  • Automated decisions with legal effect
  • Discriminatory algorithms
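A processing gate that implements the decision flow, the dual-basis rule, per-category explicit consent and the Article 22(4) grounds for automated decisions described above, as an added example (not code from the article or from Statable); the category tags, condition names and Request fields are its own assumptions:

```python
"""Processing gate for Article 9 special categories (added example, not the
article's own code): an Article 6 basis is always required, special-category
fields also need an Article 9(2) condition, explicit consent is checked per
category and purpose, and automated decisions need Article 22(4) grounds.
Tag names, condition names and the Request fields are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

SPECIAL_CATEGORIES = {  # Article 9(1) categories, as tags attached to data fields
    "racial_ethnic_origin", "political_opinions", "religious_beliefs",
    "trade_union_membership", "genetic", "biometric", "health", "sex_life_or_orientation"}
ART6_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
              "public_task", "legitimate_interests"}
ART22_AUTOMATED_OK = {"explicit_consent", "substantial_public_interest"}  # Article 22(4)

@dataclass
class Consent:
    category: str          # one consent per special category
    purpose: str           # the purpose it was given for
    withdrawn: bool = False

@dataclass
class Request:
    categories: Set[str]   # tags on the data about to be processed
    purpose: str
    art6_basis: str
    art9_condition: Optional[str] = None
    consents: List[Consent] = field(default_factory=list)
    automated_decision: bool = False

def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); the reasons are the justification to document."""
    if req.art6_basis not in ART6_BASES:
        return False, ["no valid Article 6 basis"]
    special = req.categories & SPECIAL_CATEGORIES
    if not special:
        return True, [f"no special categories; Article 6 basis: {req.art6_basis}"]
    if req.art9_condition is None:
        return False, ["special categories present without an Article 9(2) condition: "
                       "prohibited by Article 9(1)"]
    if req.art9_condition == "explicit_consent":
        for cat in sorted(special):  # consent is checked per category, not in bulk
            if not any(c.category == cat and c.purpose == req.purpose and not c.withdrawn
                       for c in req.consents):
                return False, [f"no valid explicit consent for {cat!r}, purpose {req.purpose!r}"]
    if req.automated_decision and req.art9_condition not in ART22_AUTOMATED_OK:
        return False, [f"automated decision needs one of {sorted(ART22_AUTOMATED_OK)}"]
    return True, [f"Article 6: {req.art6_basis}; Article 9(2): {req.art9_condition} "
                  f"for {sorted(special)}"]
```

The returned reasons are what the "Document justification" step of the flow expects to be recorded alongside the processing activity.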

Sector-Specific Notes

Healthcare

Medical organizations:

  • Article 9(2)(h) priority for medical purposes
  • Professional secrecy as additional protection
  • Processing without patient consent in some cases
  • Strict security requirements

Medical research:

  • Article 9(2)(j) for scientific research
  • Article 89 safeguards
  • Pseudonymization
  • Limits on further use

Employment

Employers:

  • Limited processing options
  • Legal grounds required
  • Medical exams as required by law
  • Anti-discrimination in hiring

Marketing

Behavioral ads:

  • Separate explicit prior consent required
  • No targeting by sensitive categories
  • Opt-out is not enough
  • Per-category consent

Advertising Restrictions

Creating advertising categories based on special data can lead to discrimination and privacy violations. Such practice is only possible with explicit prior consent for each specific category.

International Transfers

Cross-border transfers of special categories carry extra requirements.

Additional safeguards:

  • Adequate protection in third countries
  • Special contractual clauses
  • Certification and codes of conduct
  • Supervisory authority approval

Suspension:

  • Can be suspended if protection is insufficient
  • Continuous monitoring of destination protection
  • Notification of supervisory authorities

Subject Rights

Subjects hold enhanced rights for special categories.

Right to information:

  • Specific categories processed
  • Purposes per category
  • Legal basis and condition
  • Retention periods

Right of access:

  • Detailed processing information
  • Copies of data
  • Source information
  • Recipients

Right to rectification and erasure:

  • Correct inaccurate data
  • Complete incomplete data
  • Delete on consent withdrawal
  • Delete unlawful processing

Practical Compliance

Necessity Assessment

Minimization:

  • Process only necessary special categories
  • Periodic relevance checks
  • Auto-delete after retention periods
  • Pseudonymize and anonymize where possible

Technical

Security:

  • Encryption of special category data
  • Need-to-know access
  • Audit all sensitive operations
  • Encrypted backups

Organizational

Training:

  • Special training for sensitive data
  • Legal grounds and exceptions
  • Incident response
  • Knowledge refreshes

Documentation:

  • Registry of all special-category operations
  • Justification of basis selection
  • Safeguards and guarantees
  • DPIAs

Special categories demand close attention and strict GDPR compliance. Assess necessity carefully, choose grounds correctly, and apply real protection.

We design analytics with these constraints in mind: minimal sensitive collection, modern anonymization, and full GDPR compliance for special categories.

About AI participation in writing articles

This article, like many others on our site, was created, written and proofread by a team of developers. Of course, not without the participation of AI assistants. We don't hide this and believe that modern systems are already quite good at handling simple tasks and, relatively speaking, writing an article about Viewport yourself is quite strange. It won't come out significantly better and will take a lot of time. But providing basic understanding to beginner webmasters is necessary. Of course, after the article is written by assistants there is always proofreading, in which not just one or two people participate, and only after that is the article published.

Need analytics with personal data protection?

Register for free testing of our web analytics platform. Get the complete picture of user behavior while complying with all GDPR requirements for personal data protection and without risk of processing special categories of information.


Ready to take control of your web analytics? Try Statable free for 30 days — no credit card required, full feature access, GDPR-compliant by default. Start your free trial or view a live demo.