ISpectra Technologies
Key Concepts & Definitions · Guide · Updated Jun 2026 · 9 min read

GDPR Special Category Data: What It Is & How to Handle It

Special category data is GDPR’s most protected information. Here’s what counts, the conditions to process it, and the safeguards required.

Not all personal data is equal under GDPR. A specific, sensitive subset, known as special category data, carries heightened protection because misuse can lead to discrimination or serious harm. Handling it correctly is one of the most important parts of any GDPR compliance programme, and one of the easiest to get wrong.

This guide explains what counts as special category data, the conditions that allow you to process it, and the extra safeguards GDPR expects.

What is special category data?

Special category data is a subset of personal data that GDPR singles out as especially sensitive, because misuse could cause significant harm or discrimination. Article 9 lists it, and the starting position is strict: processing it is prohibited unless a specific condition applies.

This reverses the usual logic. With ordinary personal data you need a lawful basis to proceed; with special category data you need a lawful basis and a separate Article 9 condition before you may touch it at all.

The full list of special categories

Article 9 covers data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade-union membership. It also covers genetic data, biometric data used to uniquely identify someone, health data, and data concerning a person’s sex life or sexual orientation.

If your processing touches any of these categories — directly or by inference — the stricter rules apply, even where the data seems incidental to your main purpose.

Criminal offence data is handled separately

Data about criminal convictions and offences is not technically “special category” data, but Article 10 gives it similar heightened protection. You may only process it under the control of official authority or where authorised by law with appropriate safeguards.

So treat criminal-offence data with the same caution as special category data, checking for a specific legal authorisation before processing it.

Why it is treated so strictly

The categories share a common thread: if exposed or misused, they can lead to discrimination, exclusion or serious harm. Knowing someone’s health condition, religion or sexual orientation creates obvious risks in employment, insurance, services and personal safety.

GDPR therefore raises the bar deliberately, requiring stronger justification, tighter security and often a formal risk assessment before this data is processed.

The conditions for processing it

Article 9(2) sets out the conditions that lift the prohibition. The most common for businesses are explicit consent, processing necessary for employment and social security obligations, protecting someone’s vital interests, and processing for the establishment or defence of legal claims.

Others include data the individual has manifestly made public, processing by certain not-for-profit bodies, substantial public interest, and various health and research purposes — several of which also require a basis in member state law.

Explicit consent

Where you rely on consent for special category data, it must be explicit — a clear, specific, affirmative statement, not merely implied or bundled. The person must understand exactly which sensitive data is involved and why, and be able to withdraw consent as easily as they gave it.

Because explicit consent is demanding and can be withdrawn, many organisations prefer to rely on another Article 9 condition where one genuinely applies.

Health data in practice

Health data is the special category most businesses encounter, and it is broad: it covers any data about physical or mental health, including information that reveals health status indirectly. An employer recording sick leave, a fitness app logging activity, or a form asking about dietary needs may all be processing health data.

Each needs an Article 9 condition — often the employment condition or explicit consent — plus proportionate security and a clear retention limit.

Biometric data

Biometric data (fingerprints, facial geometry, voiceprints) is only special category data when used to uniquely identify someone. A photo on its own is generally not special category data, but the same photo processed through facial recognition to identify an individual is.

This distinction matters for access control, authentication and surveillance systems, which often tip into special category processing and therefore require a condition and usually a DPIA.

Inferred sensitive data

You can hold special category data without ever asking for it. Inferring someone’s health, religion, ethnicity or sexual orientation from other data — purchases, browsing, group memberships — can amount to processing special category data, with all the same obligations.

Profiling and targeting systems are particularly exposed here, so review whether your models infer sensitive attributes, even unintentionally.

Extra obligations that follow

Processing special category data usually triggers additional requirements. You will often need a Data Protection Impact Assessment, an appropriate policy document setting out how you comply, enhanced security measures, and shorter, well-justified retention periods.

These are not optional extras — they are how you demonstrate the heightened care GDPR expects for this data.

Practical safeguards

Sensible safeguards include strict access controls so only those who need the data can see it, encryption at rest and in transit, pseudonymisation where feasible, detailed logging, and clear staff training on handling sensitive information.

The aim is to minimise both the amount of special category data you hold and the number of people who can access it, reducing the harm if anything goes wrong.

Common mistakes

Typical failings include collecting sensitive data by default on forms “just in case”, relying on ordinary consent instead of explicit consent, missing inferred sensitive data in profiling, and keeping special category data far longer than needed.

Each is avoidable with a simple discipline: identify special category data, justify it with a specific condition, minimise it, and protect it more tightly than ordinary data.

How ISpectra helps

Handling special category data well is one of the clearest tests of a mature programme and a serious commitment to GDPR compliance. ISpectra Technologies helps organisations identify sensitive data (including inferred data), select the right Article 9 condition, run the necessary DPIAs, and put proportionate safeguards in place.

If your forms, HR systems or analytics touch sensitive data, a short review will confirm you have the conditions and controls the law expects.

In one paragraph

Special category data — covering health, biometrics used for identification, genetic data, racial or ethnic origin, political opinions, religious beliefs, trade-union membership and sexual orientation — is the most sensitive personal data, and processing it is prohibited unless an Article 9 condition applies, such as explicit consent or an employment or legal-claims basis. Criminal-offence data gets similar protection under Article 10. Because misuse can cause real harm, this data usually demands a DPIA, tighter security and shorter retention. Identify it, justify it with a specific condition, minimise it, and protect it more carefully than ordinary personal data.

Documenting your condition and policy

Because special category processing is prohibited by default, the burden is on you to show why it is lawful. That means writing down which Article 9 condition you rely on for each activity, and — for several conditions, including substantial public interest — maintaining an appropriate policy document that explains how you comply with the principles and how long you will keep the data.

This documentation is not bureaucracy for its own sake. If a regulator or an individual ever questions your handling of sensitive data, a clear record of the condition, the safeguards and the retention period is exactly the evidence the accountability principle expects you to be able to produce. Build it at the point you start processing, not after a complaint arrives.

FAQ

Special Category Data — Frequently Asked Questions

A sensitive subset of personal data listed in Article 9 — including health, biometrics, genetic data, race, religion, political opinions and sexual orientation — that is prohibited from processing unless a condition applies.
Only if an Article 9(2) condition applies, such as explicit consent, an employment or social security obligation, vital interests, or establishing legal claims.
Not usually on its own. A photo becomes special category data when processed through biometric techniques to uniquely identify a person.
Technically no, but Article 10 gives it similar protection. You generally need official authority or a legal authorisation to process it.
Often yes. Large-scale or high-risk processing of special category data typically requires a Data Protection Impact Assessment.
Yes. Inferring health, religion or other sensitive attributes from other data can amount to processing special category data, with the same obligations.