- GDPR Article 9 prohibits processing special category data unless one of ten specific conditions is met
- Special categories: racial/ethnic origin, political opinions, religion, trade union membership, genetic/biometric data, health, sex life/orientation, criminal convictions (Article 10)
- You need both an Article 6 lawful basis AND an Article 9 condition — one is not enough
- Large-scale processing of special category data automatically requires a DPIA
Special category data is personal data that relates to particularly sensitive aspects of an individual's life — aspects where misuse could cause serious harm including discrimination, violence, or significant financial or social damage. GDPR Article 9 establishes a default prohibition on processing special category data, with a closed list of exceptions.
What counts as special category data
The following categories are defined in Article 9(1):
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data where processed for the purpose of uniquely identifying a person (fingerprints, facial recognition)
- Health data — including physical and mental health, disability, healthcare records
- Data concerning sex life or sexual orientation
Criminal conviction and offence data is addressed separately under Article 10 and is subject to similar restrictions — processing is only permitted under official authority or as authorised by national law.
Note: The category is triggered by the nature of the information, not how you obtained it or what you intend to do with it. A client disclosure that incidentally reveals a health condition or religious affiliation means you now hold special category data — even if you did not seek it.
The Article 9 conditions for processing
Processing special category data requires one of the following conditions to be met (in addition to an Article 6 lawful basis):
- Explicit consent — more demanding than regular consent; must be specifically for the special category data
- Employment and social security law obligations — e.g., processing health data for sick pay and disability accommodation
- Vital interests — where the individual cannot give consent (medical emergencies)
- Non-profit bodies with a legitimate interest — limited to members and former members only
- Data made public by the individual — only if they have clearly manifested it publicly
- Legal claims — establishing, exercising, or defending legal proceedings
- Substantial public interest — under national law, with proportionate safeguards
- Medical or health purposes — professional secrecy obligation required
- Public health — under national law
- Archiving, research, statistics — under national law, with safeguards
Practical examples for regulated businesses
Law firms
Client matters involving personal injury, immigration, employment discrimination, or family law often involve health data, racial origin data, or data about sex life. Process under Article 9(2)(f) (legal claims) with explicit consent as a secondary basis where appropriate. Ensure matter files with special category data are subject to enhanced access controls.
Healthcare providers
Health data is the core of the business. The Article 9(2)(h) condition (medical purposes, professional secrecy) covers most clinical processing. Systems must enforce strict role-based access and comprehensive audit trails.
Employers
Processing employee health data for sickness absence, disability accommodations, or occupational health assessments typically relies on Article 9(2)(b) (employment law obligations). Do not routinely collect health information beyond what is required for specific employment purposes.
Additional requirements for special category data
- Large-scale processing of special category data automatically triggers a DPIA requirement (Article 35(3)(b))
- Systems holding special category data should implement enhanced security — encryption at rest and in transit, strict access controls, separate storage where possible
- Staff with access should receive specific training on handling sensitive information
- Retention periods should be reviewed carefully — special category data should generally be retained for the shortest defensible period
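The two enforceable points in the list above are that a record holding special category data must carry both an Article 6 basis and an Article 9(2) condition, and that systems storing it should apply field-level access restriction and keep an audit trail. The following is an added example (not HubSecure code, and not from the original guide) showing one way to implement both in a CRM-style record store; the field names, roles, and sample record are constructed for illustration.

```python
"""Field-level access control, audit trail and Article 9 basis check for
records that contain GDPR special category data.

Illustrative example: the schema, roles and sample record below are
constructed for this demonstration, not taken from any product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Fields tagged with the Article 9(1) category they fall under.
# Any field not listed here is treated as ordinary personal data.
SPECIAL_CATEGORY_FIELDS = {
    "health_condition": "health",
    "religion": "religious or philosophical beliefs",
    "ethnicity": "racial or ethnic origin",
    "trade_union": "trade union membership",
}

# Roles with a legitimate need to see special category fields (constructed).
ROLES_WITH_SPECIAL_ACCESS = {"matter_owner", "dpo"}

# The ten Article 9(2) conditions, (a) to (j), accepted as a documented basis.
VALID_ART9_CONDITIONS = {f"9(2)({letter})" for letter in "abcdefghij"}

REDACTED = "[REDACTED - special category data]"


@dataclass
class ClientRecord:
    record_id: str
    fields: Dict[str, Optional[str]]
    art6_basis: Optional[str] = None      # e.g. "6(1)(b) contract"
    art9_condition: Optional[str] = None  # e.g. "9(2)(f)" legal claims


@dataclass
class AuditEvent:
    timestamp: str
    actor: str
    role: str
    record_id: str
    fields_disclosed: List[str] = field(default_factory=list)
    fields_redacted: List[str] = field(default_factory=list)


# Append-only audit trail; in a real system this would be persisted elsewhere.
audit_log: List[AuditEvent] = []


def special_fields_present(record: ClientRecord) -> List[str]:
    """Names of populated fields that hold Article 9 special category data."""
    return sorted(
        name for name, value in record.fields.items()
        if name in SPECIAL_CATEGORY_FIELDS and value not in (None, "")
    )


def compliance_gaps(record: ClientRecord) -> List[str]:
    """A record holding special category data needs BOTH an Article 6 basis
    and a valid Article 9(2) condition; report whichever is missing."""
    gaps: List[str] = []
    if not special_fields_present(record):
        return gaps  # ordinary personal data only: Article 9 does not apply
    if not record.art6_basis:
        gaps.append("missing Article 6 lawful basis")
    if record.art9_condition not in VALID_ART9_CONDITIONS:
        gaps.append("missing or invalid Article 9 condition")
    return gaps


def view_record(record: ClientRecord, actor: str, role: str) -> Dict[str, Optional[str]]:
    """Return the record as the viewer may see it: special category fields are
    redacted unless the role has a legitimate need, and every view is audited."""
    disclosed: List[str] = []
    redacted: List[str] = []
    view: Dict[str, Optional[str]] = {}
    for name, value in record.fields.items():
        if name in SPECIAL_CATEGORY_FIELDS and value not in (None, ""):
            if role in ROLES_WITH_SPECIAL_ACCESS:
                view[name] = value
                disclosed.append(name)
            else:
                view[name] = REDACTED
                redacted.append(name)
        else:
            view[name] = value
    audit_log.append(AuditEvent(
        datetime.now(timezone.utc).isoformat(), actor, role,
        record.record_id, sorted(disclosed), sorted(redacted),
    ))
    return view


# Constructed sample: an employment discrimination matter where the client's
# health condition was recorded, processed under Article 9(2)(f) (legal claims).
SAMPLE_RECORD = ClientRecord(
    record_id="matter-0001",
    fields={"name": "A. Client", "email": "a.client@example.com",
            "health_condition": "back injury", "religion": ""},
    art6_basis="6(1)(b) contract",
    art9_condition="9(2)(f)",
)

if __name__ == "__main__":
    print("special fields:", special_fields_present(SAMPLE_RECORD))
    print("gaps:", compliance_gaps(SAMPLE_RECORD))
    print("billing view:", view_record(SAMPLE_RECORD, "jsmith", "billing_clerk"))
    print("owner view:", view_record(SAMPLE_RECORD, "mjones", "matter_owner"))
    for event in audit_log:
        print(event)
```

Running `compliance_gaps` over every record at ingest and on a schedule gives a concrete check for the "both Article 6 and Article 9" rule, and the audit log records who saw which sensitive fields so that access can be reviewed against the documented legitimate need.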
If a client mentions their health condition in passing, do we hold special category data?
Yes, if it is recorded. A note in a CRM or file that references a client's health condition means your record now contains special category data. Review whether you need to retain that information for the matter or whether it can be removed. If retained, ensure the appropriate Article 9 condition applies.
Does criminal record data fall under Article 9?
Criminal conviction and offence data is covered by Article 10 rather than Article 9, but is subject to similar restrictions. Processing is only permitted under official authority or specifically authorised by national law. AML-related criminal record checks may be authorised under national AML legislation.
Field-level controls for sensitive data
HubSecure Vault supports enhanced access restrictions per field and record type — so sensitive client data is only visible to those with a legitimate need.
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.