A. General
What Art. 9 GDPR aims to do, how the provision came about, and how it relates to other data protection rules.
Back to the Art. 9 GDPR overview.
Authorship
This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com
At a Glance
Art. 9 GDPR states: certain particularly sensitive data are in principle prohibited from processing – unless an exception applies. The provision is not a substitute for Art. 6 GDPR, but an additional hurdle: anyone wishing to process sensitive data always needs both – a legal basis under Art. 6 and an exception under Art. 9(2).
I. What the provision aims to do
Art. 9 protects three things at once:
- The individual person – from discrimination and harm caused by the disclosure of sensitive information
- Groups of people – for example ethnic minorities or religious communities, who could be persecuted through data misuse
- Democracy – because sensitive data in the wrong hands can be misused for the concentration of power and oppression
How paragraphs 1–4 interact
Relationship to Art. 6 GDPR
Art. 6 GDPR governs when personal data may generally be processed. Art. 9 applies in addition when the data are sensitive.
Conditions for permitted processing of sensitive data:
- a) Legal basis under Art. 6(1) (general basis – must always be present)
- b) Exception under Art. 9(2) (specific basis – must additionally be present)
Both must be fulfilled – neither replaces the other.
II. How the provision came about
The idea of giving certain data special protection is not new:
Compared to the old 1995 EU Directive, the GDPR has added three new categories: genetic data, biometric data for identification, and data on sexual orientation.
III. Where Art. 9 also plays a role
Art. 9 affects many other rules in the GDPR:
| Provision | Effect |
|---|---|
| Art. 22(4) | Automated decisions involving sensitive data need additional safeguards |
| Art. 30(5) | No exemption from the record-keeping obligation |
| Art. 35(3)(b) | Data protection impact assessment required for large-scale processing |
| Art. 37(1)(c) | A data protection officer must be appointed |
Frequently Asked Questions (FAQ)
Why is there special protection for certain data at all? Because some data are particularly dangerous: they reveal things that can lead to discrimination, persecution or serious personal harm.
Can Art. 9 be replaced by other rules? No. Where Art. 9 applies, it must always be examined in addition to Art. 6 – it cannot be "circumvented".
Does Art. 9 also apply to data of deceased persons? The GDPR generally only protects living persons. However, individual EU Member States (such as Germany) may also protect data of deceased persons.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
GDPR Art. 9 – Special Categories of Personal Data
Explained simply: What are special categories of personal data, why are they especially protected, and when may they nevertheless be processed?
B. The prohibition of processing
What exactly is prohibited, who the prohibition applies to, and what consequences follow from an infringement.