UK GDPR: Special Categories of Data (Article 9)
Special Categories of Personal Data [Art 9]
Rule: Processing of sensitive personal data is prohibited unless a specific condition applies.
What counts as special category data?
| Category | Examples | Citation |
|---|---|---|
| Racial or ethnic origin | Ethnicity, nationality, skin colour | Art 9(1) |
| Political opinions | Party membership, voting intentions | Art 9(1) |
| Religious or philosophical beliefs | Religion, atheism, ethical beliefs | Art 9(1) |
| Trade union membership | Union membership status | Art 9(1) |
| Genetic data | DNA, inherited characteristics | Art 9(1) |
| Biometric data | Fingerprints, facial recognition, retina scans | Art 9(1) |
| Health data | Medical records, disabilities, mental health | Art 9(1) |
| Sex life or sexual orientation | Sexual preferences, gender identity | Art 9(1) |
Conditions for processing [Art 9(2)]
You need BOTH a lawful basis (Art 6) AND one of these conditions:
| Condition | When it applies | Citation |
|---|---|---|
| Explicit consent | Data subject has explicitly consented | Art 9(2)(a) |
| Employment/social security law | Necessary for employment obligations | Art 9(2)(b) |
| Vital interests | Protecting life when consent impossible | Art 9(2)(c) |
| Not-for-profit bodies | Legitimate activities of foundations, associations | Art 9(2)(d) |
| Made public by data subject | Data subject has manifestly made data public | Art 9(2)(e) |
| Legal claims | Establishing, exercising or defending legal claims | Art 9(2)(f) |
| Substantial public interest | UK law provides for this (DPA 2018 Sch 1) | Art 9(2)(g) |
| Health or social care | Medical diagnosis, treatment, health system management | Art 9(2)(h) |
| Public health | Threats to health, ensuring care quality | Art 9(2)(i) |
| Archiving/research/statistics | Scientific, historical research, statistics | Art 9(2)(j) |
Source Text
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body…
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…
Citation
Article 9, UK GDPR | DPA 2018 Schedule 1