Article 9
Overview:
Article 9 of the GDPR sets out the conditions for processing special categories of personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a person's sex life or sexual orientation. Article 9(1) prohibits processing such data unless one of the exceptions in Article 9(2) applies. The exceptions are:
- (a) Explicit consent given by the data subject for one or more specified purposes (unless Union or Member State law provides that the prohibition cannot be lifted by consent)
- (b) Processing necessary for the controller's or the data subject's obligations and rights under employment, social security and social protection law, where authorised by law or a collective agreement
- (c) Protection of the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent (e.g. a medical emergency in which the patient is unconscious)
- (d) Processing carried out, in the course of its legitimate activities and with appropriate safeguards, by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, relating solely to its members, former members or persons in regular contact with it, and not disclosed outside the body without the data subjects' consent
- (e) Data manifestly made public by the data subject
- (f) Processing necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity
- (g) Reasons of substantial public interest, on the basis of Union or Member State law that is proportionate to the aim pursued and safeguards the data subject's rights
- (h) Preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems, on the basis of law or a contract with a health professional bound by professional secrecy
- (i) Reasons of public interest in the area of public health, on the basis of law providing suitable safeguards
- (j) Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, on the basis of law and subject to the safeguards of Article 89(1)
Implementation Guidance
- Perform data discovery to identify the personal data to be processed. Build a data inventory, classify the data, and flag the data that falls under the special categories listed in Article 9.
- Identify and document the Article 9(2) condition relied on for each special category of data. This condition is in addition to, not instead of, a lawful basis under Article 6.
- Perform a Data Protection Impact Assessment (DPIA) to assess the risk to data subjects and implement technical and organisational controls to mitigate it. Article 35 makes a DPIA mandatory where special categories are processed on a large scale.
- Review the existing controls and implement additional controls where required to safeguard special category data. This can be done through a security and privacy risk assessment at organisation level. Note that a DPIA is carried out from the data subject's perspective, whereas a security and privacy risk assessment is carried out from the business perspective.
- Where consent is the condition relied on, implement a consent mechanism that states the purpose of processing, how the data will be used and whether it will be shared with third parties, in plain language. The consent must be explicit (an affirmative statement or clear act, not silence or a pre-ticked box) and there must be a mechanism for withdrawing it that is as easy as giving it.
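The following is an added example for this page, not code from the original article: a minimal consent ledger showing what a controller relying on Article 9(2)(a) has to be able to prove (when consent was given, which notice text was shown, which purposes and recipients it covered) and how a processing check refuses anything outside that scope or after withdrawal. The category labels, record fields, the `may_process()` API and the hospital sample data are assumptions chosen for the example.

```python
"""Consent ledger for Article 9(2)(a) processing (added illustration, not the page's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Article 9(1) special categories as inventory labels (label names are assumed).
SPECIAL_CATEGORIES = frozenset({
    "racial_or_ethnic_origin", "political_opinions",
    "religious_or_philosophical_beliefs", "trade_union_membership",
    "genetic_data", "biometric_data_for_identification",
    "health_data", "sex_life_or_sexual_orientation",
})


@dataclass
class ConsentRecord:
    subject_id: str
    categories: FrozenSet[str]   # special categories the consent covers
    purposes: FrozenSet[str]     # purposes stated in the notice shown
    recipients: FrozenSet[str]   # third parties named in the notice
    notice_version: str          # which privacy notice text was shown
    statement: str               # the affirmative statement the subject made
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only list of consents; withdrawal marks a record, never deletes it."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, subject_id: str, categories: Iterable[str],
                       purposes: Iterable[str], recipients: Iterable[str],
                       notice_version: str, statement: str,
                       given_at: Optional[datetime] = None) -> ConsentRecord:
        cats = frozenset(categories)
        unknown = cats - SPECIAL_CATEGORIES
        if unknown:
            raise ValueError(f"not an Article 9 category: {sorted(unknown)}")
        # Explicit consent needs an affirmative act; silence or a pre-ticked box is not consent.
        if not statement.strip():
            raise ValueError("explicit consent requires an affirmative statement")
        rec = ConsentRecord(subject_id, cats, frozenset(purposes), frozenset(recipients),
                            notice_version, statement, given_at or datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, at: Optional[datetime] = None) -> int:
        """Withdraw every live consent of the subject; returns how many were withdrawn."""
        at = at or datetime.now(timezone.utc)
        count = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                count += 1
        return count

    def may_process(self, subject_id: str, category: str, purpose: str,
                    recipient: Optional[str] = None,
                    at: Optional[datetime] = None) -> Tuple[bool, str]:
        """Point-in-time check: was a consent live at `at` that covers the category,
        the purpose and (if given) the recipient? Returns (allowed, reason)."""
        at = at or datetime.now(timezone.utc)
        reason = "no live consent on record"
        for rec in self._records:
            if rec.subject_id != subject_id or rec.given_at > at:
                continue
            if rec.withdrawn_at is not None and rec.withdrawn_at <= at:
                continue
            if category not in rec.categories:
                reason = f"live consent does not cover category {category!r}"
            elif purpose not in rec.purposes:
                reason = f"notice {rec.notice_version} does not cover purpose {purpose!r}"
            elif recipient is not None and recipient not in rec.recipients:
                reason = f"notice {rec.notice_version} does not name recipient {recipient!r}"
            else:
                return True, f"consent given {rec.given_at.isoformat()} under notice {rec.notice_version}"
        return False, reason


def run_scenario() -> dict:
    """Hospital scenario with constructed timestamps; returns each check's outcome."""
    ledger = ConsentLedger()
    t_consent = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    t_before = datetime(2024, 4, 1, tzinfo=timezone.utc)
    t_withdraw = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    t_after = datetime(2024, 7, 1, tzinfo=timezone.utc)
    ledger.record_consent("patient-42", {"health_data"}, {"treatment"},
                          {"blood-lab", "device-vendor"}, "hospital-notice-v3",
                          "I agree to the processing described in notice v3.", given_at=t_consent)
    results = {
        "treatment_via_lab": ledger.may_process("patient-42", "health_data", "treatment", "blood-lab", at=t_before)[0],
        "marketing": ledger.may_process("patient-42", "health_data", "marketing", at=t_before)[0],
        "insurer": ledger.may_process("patient-42", "health_data", "treatment", "insurer", at=t_before)[0],
        "genetic": ledger.may_process("patient-42", "genetic_data", "treatment", at=t_before)[0],
    }
    ledger.withdraw("patient-42", at=t_withdraw)
    results["before_withdrawal"] = ledger.may_process("patient-42", "health_data", "treatment", at=t_before)[0]
    results["after_withdrawal"] = ledger.may_process("patient-42", "health_data", "treatment", at=t_after)[0]
    return results


if __name__ == "__main__":
    for check, allowed in run_scenario().items():
        print(f"{check}: {'allowed' if allowed else 'refused'}")
```

The point-in-time `at` parameter is what makes the ledger usable as audit evidence: a check dated before the withdrawal still shows processing was permitted then, while the same check after the withdrawal is refused, and withdrawal never deletes the record of what the data subject originally agreed to.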
Compliance Checklist
- Privacy Policy
- Privacy Notice
- DPIA
- Security & privacy risk assessment
- Policies and procedures on the consent mechanism
- Records of consent (e.g. date and time, the notice text shown, and the details provided to obtain consent)
- Data processing agreements with third parties, with provisions for obtaining and managing consent in accordance with the GDPR
- Periodic Audits
Examples and Use cases
- A hospital collects health data and monitors a patient's blood parameters to provide appropriate treatment. It also fits the patient with a device that monitors heart rate for the condition the patient has been diagnosed with. The hospital has clearly told the patient which data will be collected (blood parameters, heart rate), the purpose of processing (providing treatment, including assessing the need for a pacemaker) and which third parties the data is shared with (e.g. the laboratory that tests the blood, the provider of the heart-rate monitoring device), and has obtained explicit consent before proceeding with the treatment. This is justified under Article 9(2)(a) of the GDPR. Note that treatment by a health professional could equally rest on Article 9(2)(h), which does not depend on consent; a hospital that relies on consent must be prepared for the patient to withdraw it.
- An employer processes employees' health data in order to provide insurance that the employer is required by statute to provide. The processing of health data is necessary for the employer to comply with its obligations under employment and social security law. This is justified under Article 9(2)(b) of the GDPR.
- A hospital processes the health data (previous medical reports) of a patient who is unconscious. The patient is not in a position to consent to the processing needed for further treatment, but the processing is required to protect the patient's vital interests (saving the patient's life). This is justified under Article 9(2)(c) of the GDPR.
- A religious organisation processes its members' data to organise and administer its activities. This is allowed under Article 9(2)(d) of the GDPR provided the processing relates solely to members, former members or persons in regular contact with the organisation, the data is not disclosed outside the organisation without the data subjects' consent, and appropriate physical, administrative and technical safeguards are in place.
- A celebrity singer regularly shares her political views, religious beliefs and stories about her ethnic background on social media. A media organisation processes this data to publish a feature article in its magazine. The singer has manifestly made this special category data public herself, so the media organisation's processing of it is justified under Article 9(2)(e) of the GDPR. The exception covers only data the data subject has deliberately made public; special category data about her obtained from other sources still needs another Article 9(2) condition.
- An employee has sued the employer, alleging that a promotion was denied because of racial bias. The employee's lawyer processes the employee's (client's) data to support the legal claim in court. This is justified under Article 9(2)(f) of the GDPR, as processing necessary for the establishment, exercise or defence of legal claims.
- A government agency collects special category data (racial and ethnic origin) for a census. The processing is necessary for policy formulation and for designing equality and anti-discrimination measures. This is justified under Article 9(2)(g) of the GDPR, provided it is based on Union or Member State law, is proportionate to the aim pursued and includes measures to safeguard the data subjects' rights.
- The national health authority of a country is tasked with controlling a pandemic. It has to process citizens' health data in the public interest to determine infection rates, identify high-risk areas and so on, so that controls can be put in place to contain the outbreak. This is justified under Article 9(2)(i) of the GDPR, on the basis of law that provides suitable safeguards.
- A medical research agency is researching a rare disease and suspects that it is genetically inherited. As part of the research the agency has to process patients' genetic data to understand the disease in more detail and develop new treatments. This is justified under Article 9(2)(j) of the GDPR, provided there is a basis in Union or Member State law and the Article 89(1) safeguards (such as pseudonymisation and data minimisation) are applied.