Special Categories of Personal Data (Article 9)
Article 9 of the General Data Protection Regulation (GDPR) addresses 'Special Categories of Personal Data,' which are types of personal data considered particularly sensitive due to their nature and the potential risks their processing poses to individuals' fundamental rights and freedoms. These special categories include data revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (when used for identification purposes), data concerning health, and data concerning a person's sex life or sexual orientation. As a general rule, Article 9(1) prohibits the processing of these special categories of data. However, Article 9(2) provides specific exceptions where processing is permitted, including:
1. **Explicit consent** – The data subject has given explicit consent for specified purposes, unless EU or member state law prohibits this.
2. **Employment and social security obligations** – Processing is necessary for carrying out obligations in employment, social security, and social protection law.
3. **Vital interests** – Processing is necessary to protect vital interests where the data subject is incapable of giving consent.
4. **Legitimate activities** – Processing by a not-for-profit body with appropriate safeguards relating to its members or former members.
5. **Manifestly public data** – The data has been manifestly made public by the data subject.
6. **Legal claims** – Processing is necessary for establishing, exercising, or defending legal claims.
7. **Substantial public interest** – Based on EU or member state law with proportionate safeguards.
8. **Healthcare purposes** – Including preventive or occupational medicine, medical diagnosis, and health system management.
9. **Public health** – Such as protection against serious cross-border health threats.
10. **Archiving, research, and statistics** – For purposes in the public interest with appropriate safeguards.
Member states may introduce further conditions or limitations regarding the processing of genetic, biometric, or health data. Organizations processing special category data must implement enhanced protective measures, including Data Protection Impact Assessments, to ensure compliance and safeguard individuals' rights.
Special Categories of Personal Data (Article 9) – A Comprehensive Guide for CIPP/E Exam Preparation
Introduction
Special categories of personal data represent one of the most critical topics in European data protection law. Article 9 of the General Data Protection Regulation (GDPR) establishes a general prohibition on processing these sensitive data types, with only narrow exceptions. Understanding this provision is essential not only for passing the CIPP/E exam but also for anyone working in privacy and data protection in Europe.
Why Special Categories of Personal Data Are Important
The reason the GDPR singles out certain categories of personal data for heightened protection is simple: processing these types of data poses significantly greater risks to the fundamental rights and freedoms of individuals. Misuse or unauthorized disclosure of sensitive data can lead to discrimination, social stigma, physical danger, and profound invasions of personal dignity.
Consider a scenario where an employer gains access to an employee's health records or political opinions. The potential for discriminatory treatment is substantial. Similarly, the processing of biometric data or genetic data without proper safeguards can lead to irreversible harm. The GDPR recognizes that certain data types require a higher threshold of protection because of the severity of potential consequences if they are mishandled.
From a compliance perspective, organizations that process special category data face stricter obligations. Failure to comply with Article 9 can result in administrative fines of up to €20 million or 4% of annual global turnover (whichever is higher), as outlined in Article 83(5) of the GDPR. This makes understanding special categories not just an academic exercise but a practical business imperative.
What Are Special Categories of Personal Data?
Article 9(1) of the GDPR lists the following categories of personal data that are considered special (sometimes referred to as sensitive data):
1. Racial or ethnic origin – Data revealing a person's race or ethnicity.
2. Political opinions – Data revealing an individual's political views or affiliations.
3. Religious or philosophical beliefs – Data revealing spiritual, religious, or deeply held philosophical convictions.
4. Trade union membership – Data revealing whether a person belongs to a trade union.
5. Genetic data – Data relating to inherited or acquired genetic characteristics, which provide unique information about the physiology or health of an individual (defined in Article 4(13)).
6. Biometric data – Data resulting from specific technical processing relating to physical, physiological, or behavioral characteristics of a person, which allow or confirm unique identification (defined in Article 4(14)). Note: Biometric data is only considered special category data when processed for the purpose of uniquely identifying a natural person.
7. Data concerning health – Data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about the health status of the individual (defined in Article 4(15)).
8. Data concerning a person's sex life or sexual orientation – Data revealing aspects of an individual's sexual behavior or preferences.
Key Point: The list is exhaustive under Article 9. However, Member States may introduce additional conditions (including limitations) regarding the processing of genetic data, biometric data, or data concerning health under Article 9(4). Also note that criminal conviction data is addressed separately under Article 10, not Article 9, though it also receives special treatment.
How Article 9 Works: The General Prohibition and Its Exceptions
Article 9(1) establishes a general prohibition on processing special categories of personal data. This is a critical starting point: the default position is that processing is prohibited.
However, Article 9(2) provides ten exceptions (legal bases/conditions) that, if met, allow the processing of special category data. It is important to understand that these exceptions operate in addition to the requirement for a lawful basis under Article 6. In other words, to lawfully process special category data, a controller must satisfy both an Article 6 legal basis and an Article 9(2) exception.
The Ten Exceptions Under Article 9(2):
(a) Explicit Consent
The data subject has given explicit consent to the processing for one or more specified purposes. Note that this is a higher standard than the ordinary consent required under Article 6(1)(a). Explicit consent must be unambiguous, specific, and clearly affirmed (e.g., a written statement, oral confirmation recorded, or ticking a specific box for sensitive data processing). Member States may, however, provide that the prohibition cannot be lifted by consent in certain circumstances.
(b) Employment, Social Security, and Social Protection Law
Processing is necessary for carrying out obligations and exercising specific rights of the controller or the data subject in the field of employment, social security, and social protection law, insofar as it is authorized by Union or Member State law or a collective agreement, with appropriate safeguards.
(c) Vital Interests
Processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent. This is a narrow exception typically applicable in life-or-death medical emergencies.
(d) Legitimate Activities by Certain Bodies
Processing is carried out in the course of legitimate activities with appropriate safeguards by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim. The processing must relate solely to members, former members, or persons who have regular contact with the body, and the data must not be disclosed outside the body without the data subject's consent.
(e) Data Manifestly Made Public by the Data Subject
Processing relates to personal data which the data subject has manifestly made public. For example, if a person publicly shares their political opinions on social media, this exception may apply. However, the data must have been made public by the data subject themselves, and the context matters.
(f) Legal Claims and Judicial Acts
Processing is necessary for the establishment, exercise, or defense of legal claims, or whenever courts are acting in their judicial capacity.
(g) Substantial Public Interest
Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law, which is proportionate to the aim pursued, respects the essence of the right to data protection, and provides appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.
(h) Health or Social Care Purposes
Processing is necessary for purposes of preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or management of health or social care systems and services, on the basis of Union or Member State law or a contract with a health professional, subject to conditions and safeguards. This data must be processed by or under the responsibility of a professional subject to professional secrecy obligations.
(i) Public Health
Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and medicinal products or medical devices. This must be based on Union or Member State law and include appropriate and specific measures to safeguard the rights and freedoms of the data subject, particularly professional secrecy.
(j) Archiving, Research, and Statistics
Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes under Article 89(1), based on Union or Member State law, which is proportionate to the aim, respects the essence of data protection, and provides appropriate safeguards.
Important Structural Points to Remember:
- Many of the exceptions (particularly (b), (g), (h), (i), and (j)) require a basis in Union or Member State law. This means the GDPR alone is often not sufficient; domestic legislation must authorize the processing.
- Several exceptions require appropriate safeguards, and some specify the types of safeguards needed (e.g., professional secrecy for health data).
- Article 9(3) specifically addresses processing under exception (h) relating to health data: it must be processed by or under the responsibility of a professional subject to an obligation of professional secrecy under Union or Member State law, or by another person also subject to an obligation of secrecy.
- Article 9(4) allows Member States to introduce further conditions, including limitations, for processing genetic data, biometric data, or data concerning health. This creates variation across EU/EEA jurisdictions.
Interaction Between Article 6 and Article 9
A common area of confusion — and a frequent exam topic — is the relationship between Article 6 (lawfulness of processing) and Article 9 (special categories). The key principle is:
When processing special category data, the controller must identify both:
1. A valid legal basis under Article 6(1) (e.g., consent, contract, legal obligation, vital interests, public interest, or legitimate interests); AND
2. An applicable exception under Article 9(2).
For example, if a hospital processes patient health data, it might rely on Article 6(1)(c) (legal obligation) or Article 6(1)(e) (public interest/official authority) as the Article 6 basis, and Article 9(2)(h) (health or social care) as the Article 9 exception.
It is worth noting that the European Data Protection Board (EDPB) and several supervisory authorities have confirmed this dual-basis requirement.
Practical Examples
- An employer processing employee health data for occupational health assessments: Article 6(1)(c) (legal obligation) + Article 9(2)(b) (employment law) or Article 9(2)(h) (occupational medicine).
- A political party processing members' political opinions: Article 6(1)(a) or (f) + Article 9(2)(d) (not-for-profit body with political aim).
- A research institute conducting genetic research: Article 6(1)(e) (public interest) + Article 9(2)(j) (scientific research), with safeguards under Article 89(1).
- An insurer processing health data to assess a claim: Article 6(1)(b) (contract) + Article 9(2)(f) (legal claims) or a Member State-specific legal basis.
Data Protection Impact Assessments (DPIAs)
Processing of special category data on a large scale is explicitly listed in Article 35(3)(b) as a type of processing that is likely to result in a high risk and therefore requires a Data Protection Impact Assessment (DPIA). This is an important point that connects Article 9 with the broader accountability framework of the GDPR.
Special Categories and Data Subject Rights
Data subjects retain all their rights under Articles 12–22 in relation to special category data. However, some exceptions may apply. For example, Article 89(2) allows Member States to provide derogations from certain rights (such as the right of access, rectification, restriction, and objection) where data is processed for archiving, research, or statistical purposes under Article 9(2)(j), subject to appropriate safeguards.
Criminal Conviction and Offence Data (Article 10)
While not part of Article 9, candidates should be aware that Article 10 addresses processing of personal data relating to criminal convictions and offences. This type of data is also treated with heightened protection, but the regime is different: processing must be carried out only under the control of official authority or when authorized by Union or Member State law providing appropriate safeguards. Article 10 data is not a special category under Article 9 but is often tested alongside it in the CIPP/E exam.
Summary of Key Concepts
- Article 9(1): General prohibition on processing special category data.
- Article 9(2)(a)–(j): Ten exhaustive exceptions to the prohibition.
- Dual legal basis requirement: Article 6 + Article 9(2) must both be satisfied.
- Member State discretion under Article 9(4) for genetic, biometric, and health data.
- Article 9(3): Professional secrecy requirements for health data.
- Article 10: Criminal conviction data is separate from Article 9.
- DPIA required for large-scale processing of special category data.
- Explicit consent under Article 9(2)(a) is a higher standard than ordinary consent.
Exam Tips: Answering Questions on Special Categories of Personal Data (Article 9)
1. Memorize the Eight Categories
Know all eight types of special category data listed in Article 9(1) by heart. A common exam technique is to present a scenario and ask whether the data in question qualifies as special category data. Be particularly careful with biometric data — it is only special category data when processed for the purpose of uniquely identifying a natural person. A photograph is not automatically biometric data.
2. Understand the Default Is Prohibition
Always start your analysis by acknowledging that processing of special category data is prohibited under Article 9(1). Then identify which exception under Article 9(2) applies. This mirrors how exam questions are typically structured.
3. Know the Difference Between Consent and Explicit Consent
Article 6(1)(a) requires consent. Article 9(2)(a) requires explicit consent. Be prepared to distinguish between the two. Explicit consent demands a clear affirmative act specifically directed at the sensitive processing — implied consent or pre-ticked boxes are never sufficient. Also remember that Member States can prohibit the lifting of the Article 9(1) prohibition by consent alone.
4. Remember the Dual Legal Basis Requirement
If an exam question asks about the lawfulness of processing special category data, always address both Article 6 and Article 9. Answering with only one is incomplete and will likely cost marks. This is one of the most commonly tested points.
5. Distinguish Article 9 from Article 10
Criminal conviction data is governed by Article 10, not Article 9. Exam questions may try to trick you into classifying criminal offence data as a special category. It is not. Be precise about this distinction.
6. Watch for Member State Derogations
Several Article 9(2) exceptions require a basis in Union or Member State law. If a question asks whether processing is lawful under a particular exception, check whether the exception requires a domestic legal basis. If the question does not mention any such law, the processing may not be lawful despite fitting the general description of the exception.
7. Pay Attention to Safeguards
Many exceptions require appropriate safeguards or suitable and specific measures. In scenario-based questions, look for whether the organization has implemented adequate safeguards. The absence of safeguards can make otherwise permissible processing unlawful.
8. Link to DPIAs
If the question involves large-scale processing of special category data, remember to mention the requirement for a DPIA under Article 35(3)(b). This demonstrates comprehensive knowledge and often earns additional credit.
9. Use Process of Elimination
In multiple-choice questions, eliminate answers that:
- Include data types not listed in Article 9(1) (e.g., financial data, criminal convictions).
- Confuse ordinary consent with explicit consent.
- Fail to reference the need for a Member State legal basis where required.
- Treat biometric data as always being special category data regardless of processing purpose.
10. Scenario-Based Questions: Apply a Structured Approach
When facing scenario questions:
Step 1: Identify whether the data is special category data under Article 9(1).
Step 2: Confirm the general prohibition applies.
Step 3: Identify the applicable Article 9(2) exception.
Step 4: Identify the Article 6(1) legal basis.
Step 5: Check whether additional conditions apply (e.g., Member State law, safeguards, professional secrecy).
Step 6: Consider whether a DPIA is required.
This structured approach ensures you address all relevant points and demonstrates methodical thinking.
11. Biometric Data Nuance
Remember that biometric data only falls under Article 9 when processed for the purpose of uniquely identifying a natural person. A CCTV system that captures faces but does not use facial recognition technology to identify individuals may not involve special category data. This nuance is frequently tested.
12. The 'Manifestly Made Public' Exception
Article 9(2)(e) applies only when the data subject has manifestly made the data public themselves. If someone else discloses the information, or if the data was only semi-public or shared in a limited context, this exception may not apply. Exam questions may test the boundaries of this concept.
13. Read Questions Carefully
Exam questions on Article 9 often include subtle details that change the correct answer. Pay close attention to words like explicit, manifestly, uniquely identifying, large scale, and Member State law. These qualifiers are legally significant and frequently determine the correct response.
Final Takeaway: Special categories of personal data under Article 9 represent one of the most heavily tested areas of the CIPP/E exam. Mastery requires not only memorizing the categories and exceptions but understanding how they interact with Article 6 legal bases, Member State derogations, DPIA requirements, and practical safeguards. A structured, methodical approach to analyzing scenarios will serve you well in the exam.