
Special category data: extra protection, extra rules

Health, religion and biometrics are special category data. Which categories exist, why they get extra protection, and how to handle them in practice.

The GDPR has a category of data so sensitive that processing is prohibited in principle: special category data. Think of health or religion. Stricter rules apply, because misuse can lead to discrimination or other serious harm. Anyone working with it must know which data demands extra care.

Which data is special?

Article 9 of the GDPR lists these categories:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Health
  • Sex life or sexual orientation
  • Genetic data
  • Biometric data used to uniquely identify a person

Why the extra protection?

This data touches the core of someone's personal life. In the wrong hands it can lead to discrimination, exclusion or stigmatisation. That is why processing is prohibited in principle.

There are exceptions, such as explicit consent, a legal obligation in healthcare, or protecting vital interests. But the bar is high: you must be able to point to a specific exception.

In practice: where do you meet it?

Many employees handle special category data without realising it. An HR officer sees sick notes (health), a care worker sees records, and a reception desk sometimes handles an access pass with a fingerprint (biometrics).

National identifiers are not special category data, but often have their own strict regime under national law: use them only where the law allows. Treat them with the same caution.

How to embed this in your awareness programme

This is role-based material: not everyone handles special category data, so segment your audiences.

  • Aim this module specifically at healthcare, HR and the public sector, where special category data occurs.
  • Make the stricter rules concrete with scenarios, such as a sick note, a record or a biometric pass.
  • Tie it to your access and sharing policy, so behaviour and technology align.
  • Offer the deeper courses via our course catalogue.

FAQ

What is special category data?

Extra sensitive data such as health, racial or ethnic origin, religion, political opinions, trade union membership, sexual orientation, and genetic and biometric data. The GDPR prohibits processing in principle.

So may I never process special category data?

Only under a specific exception, such as explicit consent, a legal obligation in healthcare or protecting vital interests. Without such an exception, processing is prohibited.

Are national identifiers special category data?

No, but they often have their own strict regime under national law: use them only where the law requires. Treat them with the same caution as special category data.

Is a photo special category data?

Not automatically. An ordinary photo is ordinary personal data. Only when you deliberately use it to infer race, health or biometrics does it become special category data with stricter rules.

How do I share special category data safely?

Only with those who genuinely need it, through secure and approved channels, with limited access and a short retention period. Never via personal apps, personal email or public AI tools.
