GDPR Art. 9 – Special Categories of Personal Data
Explained simply: What are special categories of personal data, why are they especially protected, and when may they nevertheless be processed?
At a Glance
Art. 9 GDPR protects particularly sensitive data – data that can become dangerous if it falls into the wrong hands. This data is called special categories of personal data.
The basic rule is simple:
Sensitive data may as a rule not be processed – unless one of the ten exceptions in Art. 9(2) applies.
Conditions: When is processing permitted?
For someone to be allowed to process sensitive data, all three conditions must be met simultaneously:
- a) The data are genuinely "special categories of personal data" under Art. 9(1)
- b) One of the ten exceptions under Art. 9(2) applies
- c) There is also a regular legal basis under Art. 6(1)
What is sensitive data?
| Category | Everyday example |
|---|---|
| Racial or ethnic origin | Where someone comes from, skin colour |
| Political opinion | Party membership, voting behaviour |
| Religion or belief | Church, atheism, veganism as a life philosophy |
| Trade union membership | Member of ver.di or IG Metall |
| Genetic data | DNA test, hereditary diseases |
| Biometric data | Fingerprint scanner, facial recognition for identification |
| Health data | Diagnosis, prescription, hospital stay |
| Sex life or sexual orientation | Relationship, orientation |
Structure of this commentary
| Section | Topic |
|---|---|
| A. General | What the provision aims to do and how it came about |
| B. The prohibition | What exactly is prohibited and why |
| B.III The categories | Each sensitive data category explained |
| C. Exceptions – overview | The ten exceptions at a glance |
| C – Consent | When consent suffices |
| C – Health sector | Special rules for doctors and clinics |
| D. Opening clause | What Germany may regulate in addition |
| E. German law | BDSG and other German laws |
The legal text – explained simply
Para. 1 – The prohibition: It is prohibited to process data that reveal someone's origin, political opinion, religion or belief, whether someone belongs to a trade union, or that concern genetic characteristics, biometric characteristics for identification, health status, or sex life or sexual orientation.
Para. 2 – The exceptions ((a)–(j)): The prohibition does not apply if one of the ten grounds applies – for example: the person has consented, it is medically necessary, or it serves scientific research.
Para. 3 – Special rule for health: Under the exception for medical purposes ((h)), only professionals subject to a statutory obligation of professional secrecy may process the data – for example, doctors or pharmacists.
Para. 4 – National scope: EU Member States may introduce even stricter rules for genetic data, biometric data and health data.
What happens in case of infringements?
Anyone who infringes Art. 9 risks an administrative fine of up to EUR 20 million or 4% of annual worldwide turnover – whichever is higher.
Frequently Asked Questions (FAQ)
What are "special" categories of personal data? Data for which the risk of misuse is particularly high – because they provide information about a person's identity, body, beliefs or intimate life.
Is a regular legal basis under Art. 6 sufficient? No. You always need both: a legal basis under Art. 6 and an exception under Art. 9(2).
What if I accidentally collect sensitive data? The prohibition still applies – as long as the data objectively contain sensitive information.
Does Art. 9 only apply to companies? No, it applies to everyone who processes data: companies, medical practices, associations, public authorities, and private individuals (insofar as the GDPR applies to them).