GDPR Special Category Data: What It Is and How to Handle It
Most businesses know GDPR applies to them. Fewer realise that some of the data they routinely process is subject to a far stricter set of rules — rules that require more than a standard lawful basis and carry heavier penalties when they're violated.
That data is called special category data under Article 9 of the GDPR. It gets the highest level of protection the regulation offers. And a significant number of businesses are processing it without realising they even have it.
This guide covers what special category data is, who actually processes it, what you're legally required to do, and how to check whether your own organisation is handling it correctly.
What Is Special Category Data?
GDPR Article 9 lists nine categories of personal data that receive enhanced protection because of their sensitivity and the particular harm their misuse can cause. Article 10 adds a closely related tenth, criminal convictions and offences, which is not formally "special category data" but is subject to comparable restrictions. The categories are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where used to uniquely identify a person)
- Health data
- Data concerning a person's sex life
- Data concerning a person's sexual orientation
- Criminal convictions and offences (Article 10 rather than Article 9: not special category data in the strict sense, but it may only be processed under official authority or where Union or Member State law authorises it with appropriate safeguards, so the controls in this guide apply to it too)
The rationale is straightforward: this kind of information can be used to discriminate against people, expose them to serious harm, or violate their dignity in ways that ordinary personal data typically cannot.
Why Ordinary Consent Isn't Enough
Under standard GDPR rules, you need a lawful basis to process any personal data. The six lawful bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
But for special category data, having a lawful basis is not enough on its own.
Article 9 creates an additional layer. Processing special category data is prohibited by default unless you can identify:
- A lawful basis (as you would for any personal data), and
- A specific Article 9 condition that permits the processing
These two things must both be present simultaneously. Getting one but not the other means your processing is unlawful, regardless of how good your intentions are.
The Article 9 conditions include:
- Explicit consent — distinct from ordinary consent (more on this below)
- Employment, social security, and social protection law — where processing is required by law or a collective agreement
- Vital interests — where the data subject cannot consent and processing is necessary to protect life
- Legitimate activities of a not-for-profit body — for political, philosophical, religious, or trade union bodies processing data of their own members
- Data manifestly made public by the data subject — where the person has clearly made this information public themselves
- Legal claims — necessary for establishing, exercising, or defending legal claims
- Substantial public interest — authorised by law and subject to appropriate safeguards
- Medical purposes — health or social care, preventive medicine, medical diagnosis
- Public health — in the public interest, under professional secrecy obligations
- Archiving, research, and statistics — subject to appropriate safeguards
Most businesses outside the healthcare, research, and public sectors will rely primarily on explicit consent or employment law conditions.
Explicit Consent vs. Regular Consent
Many organisations assume that if they already collect consent for their standard data processing, they're covered for special category data too. This is a common and potentially costly mistake.
GDPR draws a clear distinction between consent (Article 6) and explicit consent (Article 9).
Regular consent must be given through a clear affirmative action: clicking a button, ticking a box, or choosing a setting. It can be inferred from conduct where that conduct is unambiguous, but never from silence, inactivity, or a pre-ticked box (Recital 32).
Explicit consent must:
- Be expressed through a clear, specific statement — not an action alone
- Identify each category of special data being processed
- Explain why it is being processed
- Be freely given — no bundling with consent to other processing, no penalty for refusing
- Be granular — a single tick for all special categories is not enough if multiple categories are involved
- Be documented — you must be able to prove it was obtained correctly
In practice, this typically means a written statement that the individual positively affirms, clearly identifying that their health data (or biometric data, or religious belief) is being processed and for what purpose. A pre-ticked box, bundled marketing consent, or vague platform terms will not satisfy the requirement.
Who Actually Processes Special Category Data?
The organisations most commonly caught processing special category data without the right controls tend to be those that don't think of themselves as handling sensitive information at all.
HR teams and employers are among the biggest processors of special category data. Sick notes and medical certificates are health data. Disability adjustments require processing health data. Occupational health assessments, pregnancy notifications, and even staff dietary requirements collected for a work event can fall into special category territory. Trade union membership — which employers may record for payroll deductions or bargaining purposes — is explicitly listed in Article 9.
Health apps and mental health platforms process health data as their core function. This is obvious in the case of symptom trackers and medical records apps, but less obviously includes period tracking apps, sleep monitors, meditation platforms that track mood, and any app where users self-report symptoms, diagnoses, or medications.
Faith-based organisations and religious charities process religious belief data about their members and beneficiaries. Churches, mosques, synagogues, temples, and affiliated charities handle special category data routinely — membership records, pastoral notes, prayer requests.
Political parties and campaigning organisations process data about political opinions and membership. Direct marketing to supporters, canvassing records, and donor databases all require particular attention.
Dating apps and relationship platforms process sexual orientation and sex life data. So do some social networks if they provide relationship status, preference settings, or community features that reveal this information.
Gyms, sports clubs, and fitness trackers that use biometric identification (fingerprint scanners for entry, face recognition at the turnstile) process biometric data under Article 9. Body composition and other fitness measurements tied to an individual's profile are not biometric data in the Article 9 sense, because they are not used to identify the person, but they are likely to be health data, which is special category data in its own right.
Education providers — particularly those offering disability support, wellbeing services, or pastoral care — may process health and other special category data about students.
The Practical Safeguards You Need
Identifying your Article 9 condition is the legal foundation, but the regulation also expects you to put practical controls in place. These are not optional extras.
Data minimisation. Only collect the special category data you actually need. If you're running a company event and want to cater for dietary requirements, asking "do you have any dietary requirements?" is proportionate. Asking staff to provide their full medical history is not.
Access controls. Special category data should only be accessible to those who need it. This typically means role-based access controls, separate storage from general HR records, and documented justifications for who has access and why.
Encryption. At rest and in transit. Special category data should never sit in unprotected databases or travel over unencrypted connections. Article 32 names encryption as an example of an appropriate technical measure rather than an absolute rule, but for Article 9 data the bar for "appropriate" is high, and a supervisory authority will ask why it was not used.
Retention limits. How long do you actually need to keep a sick note? A medical questionnaire from a job applicant? Define specific retention periods for special category data — don't let it accumulate indefinitely.
Staff training. Everyone who handles special category data should understand what it is and why it's treated differently. This is particularly important for HR professionals, line managers, and anyone who handles workplace health or disability matters.
Data Protection Impact Assessments (DPIAs). Where special category data is processed on a large scale (Article 35(3)(b)), or feeds automated decision-making with legal or similarly significant effects (Article 35(3)(a)), a DPIA is required. For smaller-scale processing it is still best practice, and the lists of high-risk operations that supervisory authorities publish under Article 35(4) catch some smaller cases too.
Updated privacy notices. Your privacy notice must specifically disclose that you process special category data, identify the categories, explain the lawful basis and Article 9 condition, and describe how it's protected.
Records of Processing
Under Article 30, you must maintain records of processing activities. For special category data, these records must specifically note that special category data is involved and identify the Article 9 condition you're relying on.
If you're ever investigated by a supervisory authority (the ICO in the UK under the UK GDPR, the Data Protection Commission in Ireland, or any other national authority), this documentation is what determines whether your processing was lawful. "We thought we had consent" is not a defence: Article 7(1) puts the burden of demonstrating consent on the controller, so you need to be able to produce the explicit consent records themselves.
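The explicit-consent criteria listed earlier, the retention-limit safeguard, and the Article 30 requirement to record an Article 9 condition are all checkable properties of a record. The following is an added example written for this guide, not code from the original post or from any vendor: it models a consent record and a processing-register entry as plain Python dataclasses and reports which of those criteria each one fails. The field names, the short category and condition labels, and the sample records are all assumptions made here for illustration; they are not identifiers defined by the regulation, and the checks are a review aid, not legal advice.

```python
"""Checks for explicit-consent records and Article 30 register entries.

Added example for this guide. Labels, field names and sample data are
this example's own assumptions, not GDPR-defined identifiers.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The nine Article 9(1) categories, as short labels chosen for this example.
SPECIAL_CATEGORIES = frozenset({
    "racial_or_ethnic_origin", "political_opinions",
    "religious_or_philosophical_beliefs", "trade_union_membership",
    "genetic", "biometric_identification", "health",
    "sex_life", "sexual_orientation",
})

# Article 9(2)(a) to (j) conditions, again as labels chosen for this example.
ARTICLE_9_CONDITIONS = frozenset({
    "explicit_consent", "employment_social_security_law", "vital_interests",
    "not_for_profit_members", "manifestly_made_public", "legal_claims",
    "substantial_public_interest", "medical_purposes", "public_health",
    "archiving_research_statistics",
})


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    statement: str            # the wording the person positively affirmed
    affirmed: dict[str, bool]  # category -> affirmed by its own tick/statement
    affirmed_at: datetime
    evidence_ref: str         # form id, audit-log entry, signed document
    pre_ticked: bool = False
    bundled_with_other_purposes: bool = False


def consent_problems(rec: ConsentRecord, now: datetime) -> list[str]:
    """Reasons the record fails the explicit-consent criteria (empty = ok)."""
    problems: list[str] = []
    unknown = set(rec.affirmed) - SPECIAL_CATEGORIES
    if unknown:
        problems.append(f"not Article 9 categories: {sorted(unknown)}")
    if not rec.statement.strip():
        problems.append("no express statement recorded")
    if not rec.purpose.strip():
        problems.append("purpose not stated")
    not_affirmed = sorted(c for c, ok in rec.affirmed.items() if not ok)
    if not_affirmed:
        problems.append(f"categories not individually affirmed: {not_affirmed}")
    if rec.pre_ticked:
        problems.append("pre-ticked box is not a positive affirmation")
    if rec.bundled_with_other_purposes:
        problems.append("consent bundled with other processing is not freely given")
    if not rec.evidence_ref:
        problems.append("no evidence reference; consent cannot be demonstrated")
    if rec.affirmed_at > now:
        problems.append("affirmation timestamp is in the future")
    return problems


@dataclass
class ProcessingRecord:
    activity: str
    data_categories: set[str]
    lawful_basis: str                 # the Article 6 basis
    article_9_condition: str | None   # required if any special category is present
    retention: timedelta | None


def register_problems(rec: ProcessingRecord) -> list[str]:
    """Reasons an Article 30 entry is incomplete for special category data."""
    problems: list[str] = []
    special = rec.data_categories & SPECIAL_CATEGORIES
    if special and rec.article_9_condition is None:
        problems.append(f"special categories {sorted(special)} but no Article 9 condition")
    elif special and rec.article_9_condition not in ARTICLE_9_CONDITIONS:
        problems.append(f"unrecognised Article 9 condition: {rec.article_9_condition!r}")
    if rec.retention is None:
        problems.append("no retention period defined")
    return problems


def past_retention(collected_at: datetime, retention: timedelta, now: datetime) -> bool:
    """True once data collected at collected_at has exceeded its retention period."""
    return now >= collected_at + retention


# Constructed sample records for the demonstration below.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GOOD_CONSENT = ConsentRecord(
    subject_id="emp-1042", purpose="arranging workplace adjustments",
    statement="I agree to HR processing my health data to arrange workplace adjustments.",
    affirmed={"health": True}, affirmed_at=NOW - timedelta(days=30),
    evidence_ref="hr-form-2024-0517",
)
BAD_CONSENT = ConsentRecord(
    subject_id="emp-2210", purpose="event catering",
    statement="I accept the terms.",
    affirmed={"health": True, "religious_or_philosophical_beliefs": False},
    affirmed_at=NOW - timedelta(days=2), evidence_ref="",
    pre_ticked=True, bundled_with_other_purposes=True,
)
SICKNESS_ABSENCE = ProcessingRecord(
    "sickness absence records", {"name", "health"}, "legal_obligation",
    "employment_social_security_law", timedelta(days=3 * 365),
)
DIETARY_FORM = ProcessingRecord(
    "staff dietary requirements", {"name", "health", "religious_or_philosophical_beliefs"},
    "legitimate_interests", None, None,
)

if __name__ == "__main__":
    for label, rec in (("good", GOOD_CONSENT), ("bad", BAD_CONSENT)):
        print(label, consent_problems(rec, NOW))
    for rec in (SICKNESS_ABSENCE, DIETARY_FORM):
        print(rec.activity, register_problems(rec))
    print("sick note from 400 days ago, 1-year retention:",
          past_retention(NOW - timedelta(days=400), timedelta(days=365), NOW))
```

Running it reports no problems for the adjustments consent and the sickness-absence register entry, four separate failures for the bundled, pre-ticked catering form, and two for the dietary-requirements entry (no Article 9 condition, no retention period). The point of the per-category `affirmed` map is granularity: a single "I accept" covering both health and religious belief data is recorded as two affirmations, and either can fail on its own.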
Checklist: Are You Processing Special Category Data Without Knowing It?
Work through this list to identify whether your organisation may be processing Article 9 data without the right controls in place.
Health data
- Do you collect sick notes or medical certificates?
- Do you record disability status or adjustments?
- Do you provide occupational health services?
- Do you offer a product that tracks health metrics, symptoms, or medical history?
- Do you collect dietary requirements (which may reveal health conditions or religious beliefs)?
Biometric data
- Do you use fingerprint or face recognition for building access?
- Does your product identify users through a biometric template?
- Do you store fitness or body measurements tied to unique individuals? (Usually health data rather than biometric data, but special category either way.)
Racial or ethnic origin
- Do you collect equal opportunities monitoring data?
- Do you collect nationality information beyond what's required for right-to-work checks?
Religious or philosophical beliefs
- Do you record staff religious observances for scheduling purposes?
- Does your organisation operate in a faith context and hold information about beneficiaries' beliefs?
Political opinions
- Do you work in campaigning, political canvassing, or advocacy?
- Do you process data about individuals' political party membership or affiliations?
Sexual orientation and sex life
- Does your platform ask about relationship preferences or sexual orientation?
- Do you operate a dating or social matching service?
Trade union membership
- Do you record which staff are trade union members for payroll or consultation purposes?
Criminal convictions
- Do you conduct criminal record checks (DBS checks in the UK)?
- Do you record the results of those checks?
If you answered yes to any of the Article 9 questions, you're processing special category data. A yes under criminal convictions means Article 10 data, which needs official authority or a specific legal authorisation rather than an Article 9 condition. The next question is whether you have the right condition documented, explicit consent where needed, and the operational safeguards in place.
What Happens If You Get It Wrong
The consequences of unlawful processing of special category data are severe. Supervisory authorities treat Article 9 violations seriously — these are among the breaches most likely to attract the higher tier of GDPR fines (up to €20 million or 4% of annual global turnover).
Beyond fines, individuals have the right to claim compensation for non-material damage — distress, anxiety, and reputational harm — caused by unlawful processing of their sensitive data. Class action-style litigation against data controllers is growing across Europe.
There is also the reputational damage. A breach involving health records, sexual orientation data, or religious belief information is the kind of story that reaches the press and stays there.
Audit Your Site Now
If you're not sure whether your website, forms, or integrations are collecting special category data, a good first step is to audit exactly what your site is processing.
Run a free privacy scan at Custodia — no account required, results in 60 seconds. It'll show you what trackers and data collection tools are active, what categories of data they're processing, and whether your current consent setup matches your legal obligations.
Understanding what you're collecting is the foundation of getting compliance right — particularly when some of that collection involves data that gets the highest protection GDPR can offer.
This post provides general information about GDPR special category data. It does not constitute legal advice. Privacy law requirements vary by jurisdiction and specific circumstances. Consult a qualified privacy law professional for advice specific to your organisation.