Special category data is the most sensitive tier of personal data under GDPR. Processing it requires more than a standard Article 6 lawful basis — you also need a specific justification under Article 9. Many companies process special category data without realising it, which is one of the most common sources of serious GDPR compliance failures.
What Is Special Category Data?
GDPR Article 9(1) defines special categories as personal data revealing or concerning:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used for the purpose of uniquely identifying a natural person
- Health data
- Sex life or sexual orientation
Article 10 adds a near-equivalent category, subject to official authority oversight:
- Criminal convictions and offences
Why This Matters: The Double Requirement
For any other personal data, you need one lawful basis (from Article 6). For special category data, you need two:
- One Article 6 basis (consent, contract, legitimate interest, legal obligation, vital interests, public interest)
- One Article 9 basis (explicit consent, employment law obligations, vital interests, health treatment, research, etc.)
Both must apply simultaneously. Having a legitimate interest does not entitle you to process health data without an Article 9 ground. Having explicit consent under Article 9 does not replace the need for an Article 6 basis.
The Article 9 Grounds
The full list of Article 9(2) processing grounds:
(a) Explicit consent: The individual has given explicit (not just implied) consent to the processing for one or more specified purposes.
(b) Employment, social security, social protection law: Processing is necessary for the controller's obligations and rights in employment law, social security, or social protection — and national law permits it.
(c) Vital interests: Processing is necessary to protect the vital interests of the data subject or another natural person where the person is unable to give consent.
(d) Legitimate activities of foundations, associations, etc.: Processing by a not-for-profit organisation relating to its members or former members, with appropriate safeguards.
(e) Data made manifestly public: The individual has already manifestly made the data public.
(f) Legal claims: Processing is necessary for the establishment, exercise, or defence of legal claims.
(g) Substantial public interest: Processing is necessary for reasons of substantial public interest — national law must authorise this.
(h) Health and social care: Processing by health professionals for the provision of health or social care.
(i) Public health: Processing necessary for public health purposes.
(j) Research and statistics: Processing for archiving, scientific/historical research, or statistical purposes with appropriate safeguards.
For most commercial companies, the practical Article 9 grounds are: explicit consent, employment law, health treatment, legal claims, and manifestly public data.
Common Products That Process Special Category Data
Many SaaS companies process special category data without a deliberate decision to do so:
HR platforms: Sickness absence records = health data. Biometric clock-in = biometric data. Disability accommodations = health data. Trade union data (if the HR system records union membership).
Recruitment tools: Certain diversity data collected in hiring processes = racial or ethnic origin, or disability (health data). Right-to-work verification may reveal nationality. Video interview analysis may infer health or demographic attributes.
Wellness and fitness apps: Any data about physical or mental health = health data.
Mental health or EAP platforms: Clearly health data — one of the most sensitive sub-categories.
Dating platforms: Sexual orientation or sex life is directly involved.
Religious or belief-based products: Dietary requirements, religious holiday requests, spiritual content — can reveal religious beliefs.
Financial services: Not inherently special category, but some financial data (debt related to illness, financial hardship linked to disability) may reveal health or disability status.
What to Do When Your Product Processes Special Category Data
Step 1: Identify it. Audit every feature and data collection point for special category data. The categories are broader than they first appear — biometric authentication is biometric data; sick leave tracking is health data.
Step 2: Document the bases. For each special category processing activity, record both the Article 6 and Article 9 grounds in your RoPA.
Step 3: Conduct a DPIA. Special category data processing at scale requires a Data Protection Impact Assessment under Article 35.
Step 4: Implement enhanced security. Special category data requires security measures appropriate to the heightened sensitivity. This typically means: encryption at rest and in transit, strict access controls, audit logging, and data minimisation.
Step 5: Update your privacy notice. Special category processing must be explicitly disclosed in your privacy notice, with the legal bases described.
Step 6: Plan for consent withdrawal. Where explicit consent is the basis, there must be a clear, easy withdrawal mechanism — and a process for deleting data when consent is withdrawn.
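The six steps above lend themselves to an automated check over the RoPA. The following is an added example, not code from the original article: a small validator that infers special categories from the data elements an activity collects (the "hidden" cases listed under Common Products), then enforces the double requirement, the DPIA question, and the consent-withdrawal process. The record fields, the basis identifiers and the element-to-category map are assumptions made for illustration; the sample records are constructed.

```python
"""RoPA checker for the Article 6 + Article 9 double requirement.

Added example, not part of the original article. The ProcessingActivity
fields, the basis identifiers and the HIDDEN_SPECIAL_CATEGORY map are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed identifiers for the Article 6 and Article 9(2) grounds.
ART6_BASES = {"consent", "contract", "legitimate_interest", "legal_obligation",
              "vital_interests", "public_interest"}
ART9_BASES = {"explicit_consent", "employment_law", "vital_interests",
              "not_for_profit", "manifestly_public", "legal_claims",
              "substantial_public_interest", "health_care", "public_health",
              "research"}

# Data elements that reveal special category data even when the product never
# set out to collect it (constructed map mirroring the article's examples).
HIDDEN_SPECIAL_CATEGORY = {
    "sickness_absence": "health",
    "disability_accommodation": "health",
    "biometric_clock_in": "biometric_identification",
    "union_membership": "trade_union",
    "diversity_ethnicity": "racial_ethnic_origin",
    "sexual_orientation": "sex_life_orientation",
    "religious_holiday_request": "religious_beliefs",
}


@dataclass
class ProcessingActivity:
    """One RoPA entry (assumed structure)."""
    name: str
    data_elements: List[str] = field(default_factory=list)
    art6_basis: Optional[str] = None
    art9_basis: Optional[str] = None
    dpia_done: bool = False
    consent_withdrawal_process: bool = False


def infer_special_categories(activity: ProcessingActivity) -> List[str]:
    """Step 1: map collected elements to the Article 9 categories they reveal."""
    return sorted({HIDDEN_SPECIAL_CATEGORY[e]
                   for e in activity.data_elements if e in HIDDEN_SPECIAL_CATEGORY})


def check_activity(activity: ProcessingActivity) -> List[str]:
    """Steps 2, 3 and 6: return a list of findings; empty means no gap found."""
    findings = []
    if activity.art6_basis not in ART6_BASES:
        findings.append("missing or unknown Article 6 basis")
    special = infer_special_categories(activity)
    if not special:
        return findings
    # Double requirement: an Article 9 ground is needed in addition to Article 6.
    if activity.art9_basis not in ART9_BASES:
        findings.append(f"special category data {special} without an Article 9 ground")
    if not activity.dpia_done:
        findings.append("no DPIA recorded; required where special category processing is at scale")
    # Explicit consent must come with a withdrawal and deletion process.
    if activity.art9_basis == "explicit_consent" and not activity.consent_withdrawal_process:
        findings.append("explicit consent relied on but no withdrawal/deletion process")
    return findings


# Constructed sample records.
HR_ABSENCE = ProcessingActivity(
    name="HR absence tracking",
    data_elements=["employee_name", "sickness_absence"],
    art6_basis="contract",            # Article 6 present, Article 9 forgotten
)
WELLNESS_APP = ProcessingActivity(
    name="Wellness app mood diary",
    data_elements=["mood_score", "sickness_absence"],
    art6_basis="consent",
    art9_basis="explicit_consent",
    dpia_done=True,
    consent_withdrawal_process=True,
)

if __name__ == "__main__":
    for record in (HR_ABSENCE, WELLNESS_APP):
        print(record.name, "->", check_activity(record) or "OK")
```

Running the block flags the HR record for the missing Article 9 ground and the missing DPIA, and passes the wellness record, whose explicit-consent basis is backed by a withdrawal process. In practice the element-to-category map would be maintained alongside the data inventory from Step 1, so new fields are classified as they are added rather than discovered in an audit.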