Collecting sensitive personal data has become a necessity for businesses. We explain what special category data is and how to stay GDPR compliant.
Special category data is particularly important as its use could significantly risk an individual's fundamental rights and freedoms. Therefore, it is vital that this information be treated with greater care.
What is special category data?
Personal data is information that relates to an identifiable individual or data subject. Sensitive personal data falls into special categories as defined by the GDPR.
Special category data includes gathered, inferred or guessed details about someone that fall into one of the categories below. Whether an inference counts depends on how certain that inference is and whether you are deliberately drawing it.
The GDPR defines special category data as:
- Personal data relating to racial or ethnic origin
- Personal data relating to political opinions
- Personal data relating to religious or philosophical beliefs
- Personal data relating to trade union membership
- Genetic data
- Biometric data (where it is used for identification purposes)
- Data relating to health
- Data about a person's sex life
- Data about a person's sexual orientation
What are some tips for dealing with sensitive personal data?
1. Be clear about what data is special category data
Make sure you're clear about what is classed as sensitive personal data (special category data). Broadly, as previously under the Data Protection Act, it includes any data relating to race or ethnic origin, religious or political beliefs (including trade union membership), and data on health, sex life, or sexual orientation. However, under GDPR, special category data also includes genetic and biometric data (see Article 9).
2. Assess your current data processes
Find out what special category personal data is currently collected and processed by your firm. Is it legitimate and lawful? What does your firm need to do to comply with GDPR best practices?
3. Be clear about the legal basis for processing
Ensure that you accurately record the legal basis for processing data. For example, whether you have explicit consent, whether it is required for the performance of specific contracts, or for other specific purposes (such as the public interest or the vital interests of an individual).
4. Assess the impact of holding the data
Conduct a Data Protection Impact Assessment (DPIA) and/or Privacy Impact Assessment (PIA). We all have a duty to do so where there is a high risk to the rights or freedoms of data subjects. Remember, individual consent may not be enough, and you may also need processing to be sanctioned by the data protection authority where risks are high.
5. Take extra care with health-related data
The definition of health data is broad under GDPR and includes past, present or future physical or mental health; information from testing or examination of a body part or bodily substance; genetic and biological samples; information on diseases or risk; disability, medical history, clinical treatment, and so on. Be aware that the different EU Member States may also have separate regimes.
6. Ensure you are processing criminal offence data fairly
Criminal offence data are dealt with separately under GDPR, and this type of data is now subject to greater restrictions. Be sure you are processing this data in a way that is lawful, fair, transparent and complies with all the other principles.
Special category data FAQs
Why is special category data treated differently under GDPR?
Because misuse of this data could significantly impact a person’s rights and freedoms (e.g., discrimination or harm), GDPR imposes stricter processing conditions and requires both:
- A lawful basis under Article 6
- A valid condition under Article 9
Do I always need consent to process special category data?
No. Consent is one possible Article 9 condition, but not the only one. Others include:
- Employment/social protection obligations
- Vital interests
- Non-profit or charitable use
- Public interest or public health reasons
- Legal claims
Consent should only be used when it is genuinely voluntary, informed, specific, and easy to withdraw.
What makes consent valid under GDPR?
Consent must be:
- Freely given – no pressure or imbalance of power
- Specific – linked to a clear purpose
- Informed – explained in understandable language
- Unambiguous – clear affirmative action
- Revocable – individuals must be able to withdraw easily
What are the consequences of misusing special category data?
Ireland's Data Protection Commission (DPC) fined Meta a record-breaking €1.2bn. The fine was issued to Facebook's parent company after it mishandled personal data when transferring it between Europe and the United States (US).
In a separate incident, the Data Protection Commission (DPC) issued Meta Platforms Ireland Ltd. (Instagram) a €405m fine, which includes a €20m fine for the infringement of Article 6(1). This is one of the all-time biggest GDPR fines.
An inquiry into the company investigated the processing of personal data of child users on the social networking service Instagram.
Want to learn more about GDPR?
We've created a Data Protection and GDPR Training Package to help you navigate this regulatory landscape with courses designed to improve your GDPR compliance knowledge. The courses include:
We also have additional free resources such as e-learning modules, microlearning modules, and more.
Written by: Lynne Callister
Lynne is an instructional designer with over 20 years' storyboarding experience. Her current areas of interest are mobile learning and exploring how cognitive theories of learning can create better learner experiences.