4 min read

Writen by Zlatko Delev

Posted on: August 25, 2021

Special category data

Special category data is personal data that needs more protection because it is sensitive.In order to lawfully process special category data, you must identify both a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9. These do not have to be linked.You need to complete a data protection impact assessment (DPIA) for any type of processing which is likely to be high risk. You must therefore be aware of the risks of processing the special category data.

What is special category data?

The UK GDPR defines special category data as:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

This does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply. For further information, please see our separate guidance on criminal offence data.

Special category data includes personal data revealing or concerning the above types of data. Therefore, if you have inferred or guessed details about someone which fall into one of the above categories, this data may count as special category data. It depends on how certain that inference is, and whether you are deliberately drawing that inference.

What are the rules for special category data?

You must always ensure that your processing is generally lawful, fair and transparent and complies with all the other principles and requirements of the UK GDPR. To ensure that your processing is lawful, you need to identify an Article 6 basis for processing.

In addition, you can only process special category data if you can meet one of the specific conditions in Article 9 of the UK GDPR. You need to consider the purposes of your processing and identify which of these conditions are relevant.

Five of the conditions for processing are provided solely in Article 9 of the UK GDPR. The other five require authorisation or a basis in UK law, which means you need to meet additional conditions set out in the DPA 2018.

You must also identify whether you need an ‘appropriate policy document’ under the DPA 2018. Our template appropriate policy document shows the kind of information this should contain.

You must do a DPIA for any type of processing that is likely to be high risk. This means that you are more likely to need to do a DPIA for processing special category data. For further information, please see our guidance on DPIAs.

If you process special category data you must keep records, including documenting the categories of data. You may also need to consider how the risks associated with special category data affect your other obligations – in particular, obligations around data minimisation, security, transparency, DPOs and rights related to automated decision-making.

What are the conditions for processing special category data?

Article 9 lists the conditions for processing special category data:

(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

ISO 27001 Controls: A Comprehensive Step-by-Step Guide

Organisations in today's world filled with technology require a good information security setup and

Comparing Information Security Frameworks and Data Protection Frameworks

With cyber threats evolving at an unprecedented rate and regulations tightening globally, understan

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy