In one sentence. GDPR Article 9(1) prohibits the processing of special categories of data — racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for unique identification, health data, sexual orientation. Article 9(2) lists 10 exceptions that lift the prohibition, the most operational being (a) explicit consent and (b) employment/social security obligations. Special category data also requires a lawful basis under Article 6 — the two layers are cumulative.
Article 9 is the most stringent provision in the GDPR. It treats certain categories as inherently dangerous to the data subject and requires both a lawful basis (Article 6) and an Article 9 exception to process them. Get this wrong and the fine sits at the top of the Article 83 scale: up to €20M or 4% of global turnover.
For the broader lawful basis framework, see GDPR Article 6 lawful basis. For consent specifically, GDPR Article 7 conditions.
Key takeaways
- 8 categories are special: racial/ethnic origin, political opinions, religion, trade union membership, genetics, biometrics for ID, health, sexual orientation.
- Processing is prohibited by default unless one of 10 Article 9(2) exceptions applies.
- The most operational exceptions: explicit consent, employment/social security law, vital interests, public interest in health.
- Article 9 layers ON TOP of Article 6 — both must apply.
- Article 10 separately governs criminal conviction data.
1. Article 9(1): the 8 special categories
Article 9(1) prohibits processing of personal data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data (Article 4(13))
- Biometric data for the purpose of uniquely identifying a natural person (Article 4(14))
- Data concerning health (Article 4(15))
- Data concerning a natural person’s sex life or sexual orientation
Note: biometric data is special only when used for unique identification — biometric measurements for general analytics may not qualify. Photographs are special only when processed by specific technical means allowing identification (CJEU clarifications).
2. Article 9(2): the 10 exceptions
The prohibition is lifted if one of these applies:
| § | Exception | Typical use case |
|---|---|---|
| (a) | Explicit consent | Patient consenting to medical research, user opting into health-tracking app |
| (b) | Employment / social security obligations | Sick leave records, occupational health |
| (c) | Vital interests where consent impossible | Unconscious patient at the ER |
| (d) | Non-profit body processing for political/religious/philosophical/trade union purposes (members only) | Political party member lists |
| (e) | Data manifestly made public by the data subject | Public political statements |
| (f) | Legal claims or judicial actions | Court evidence |
| (g) | Substantial public interest, EU/Member State law | Anti-discrimination monitoring |
| (h) | Preventive medicine, occupational medicine, medical diagnosis | Hospital records |
| (i) | Public health, EU/Member State law | Pandemic surveillance |
| (j) | Archiving / scientific research / statistical purposes | Public health research |
For the private sector: the practical exceptions are (a) explicit consent, (b) employment/social security, (c) vital interests, and (h) medical/healthcare. The others are highly contextual.
3. The two-layer requirement
Processing special category data requires:
- Layer 1 (Article 6): any of the six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests)
- Layer 2 (Article 9): one of the ten Article 9(2) exceptions
Both must apply. Common combinations:
| Layer 1 (Article 6) | Layer 2 (Article 9) | Use case |
|---|---|---|
| Consent (a) | Explicit consent (a) | Health app subscriber |
| Legal obligation (c) | Employment/social security (b) | Payroll for sick days |
| Legitimate interests (f) | — | Generally forbidden for special categories |
| Contract (b) | Health processing (h) for healthcare contract | Telehealth service |
| Vital interests (d) | Vital interests (c) | Emergency medical |
Article 9 generally excludes legitimate interests as a Layer 1 basis — the EDPB has clarified that legitimate interests is rarely an appropriate basis for special category data.
4. Explicit consent: how it differs from regular consent
For special category data, Article 9(2)(a) requires explicit consent. The EDPB (Guidelines 5/2020) clarifies:
- Standard consent (Article 4(11)) is unambiguous — clear affirmative action
- Explicit consent is expressly stated — written declaration, signed form, or unambiguous specific oral declaration witnessed and recorded
Practical implementations:
- Written declaration signed by the data subject
- Two-step verification (email confirmation after the form)
- Recorded oral statement in a regulated context (telemedicine)
- Signed digital signature with strong identity verification
A standard cookie banner check does not qualify as explicit consent for special category data.
5. Member State derogations
Article 9(4) allows Member States to maintain or introduce further conditions, including limitations, for processing genetic data, biometric data, or health data. This means each EU country may have additional rules:
- France: stricter rules on health data hosting (HDS certification required)
- Germany: BDSG adds employment-context restrictions
- Italy: Garante adds restrictions on biometric data
- Spain: LOPDGDD adds rules on genetic data
A multi-jurisdiction processor of health data must check each Member State’s overlay.
6. Article 10: criminal conviction data
Article 10 separates criminal conviction data from special categories. It can only be processed:
- Under control of an official authority, OR
- When authorized by EU or Member State law providing appropriate safeguards
Examples: AML/KYC checks (under banking law), background checks (under specific employment laws). Private companies cannot generally process criminal conviction data without specific legal authorization.
7. Practical implementation checklist
For each processing of special category data:
- ☐ Layer 1 lawful basis identified (Article 6)
- ☐ Layer 2 exception identified (Article 9(2))
- ☐ For explicit consent: written or recorded declaration, not a checkbox
- ☐ Privacy notice (Article 13) explicitly mentions the special category
- ☐ DPIA conducted (special category data at scale = mandatory under Article 35)
- ☐ Heightened security measures (encryption mandatory, strict access control)
- ☐ Member State-specific derogations checked
- ☐ Sub-processors with special category access have enhanced DPA clauses
- ☐ Retention period documented and justified
8. Sanctions
Article 83(5) places Article 9 violations at the top tier — up to €20M or 4% of global turnover.
Notable cases:
- Clearview AI (CNIL, 2022): €20M for biometric processing without lawful basis
- Hôpital de Bourges (CNIL, 2022): €60K for inadequate security on health data
- Marriott (ICO, 2020 — partly Article 9): for special category data exposed in breach
- H&M (Hamburg DPA, 2020): €35.3M including special category data on employees
9. Tooling
Legiscope flags special category data in your ROPA, requires Article 9 exception documentation, and triggers DPIA workflows for at-scale processing. For health data specifically, the platform integrates HDS-certified hosting providers in its vendor catalog.
For related deep-dives: GDPR Article 6 lawful basis, GDPR Article 7 consent conditions, Article 35 RGPD AIPD, GDPR consent wording examples.
Conclusion
Article 9 is the strictest GDPR provision because it protects the data most likely to harm the data subject if misused. The two-layer requirement (Article 6 + Article 9) is non-negotiable. For the private sector, explicit consent and employment/social security are the realistic exceptions; legitimate interests is rarely available. Document both layers in the ROPA, use explicit consent (not standard consent), and build heightened security in by design.
FAQ
What categories of data are “special” under GDPR Article 9?
Eight categories: racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health data, sex life or sexual orientation.
Can I rely on legitimate interests to process health data?
Generally no. Article 9 requires a specific exception in addition to a lawful basis under Article 6. Legitimate interests is rarely an appropriate basis for special categories. Use explicit consent or a specific Article 9(2) exception (employment, healthcare, public health).
What’s the difference between standard consent and explicit consent?
Standard consent (Article 4(11)) requires unambiguous indication via clear affirmative action — a checkbox click typically suffices. Explicit consent (Article 9(2)(a)) requires an express statement — written declaration, signed form, or unambiguous oral statement. A cookie banner is not explicit consent.
Are biometric data always special category data?
Only when processed for the purpose of uniquely identifying a natural person. Biometric measurements for general analytics or aggregate statistics may not qualify. Facial recognition for access control is special; counting visitors via anonymous face detection is not.
Is criminal conviction data covered by Article 9?
No — criminal conviction data is governed by Article 10. It can only be processed under official authority or specific EU/Member State law authorization.