GDPR A9-01: Processing Special Categories of Personal Data
Article 9 of GDPR imposes strict prohibitions on processing sensitive personal data—including health records, biometric data, and political beliefs—unless your organization meets one of the explicit legal exceptions. Without proper documentation of your lawful basis, you face significant fines and operational disruption. This control ensures you identify, document, and maintain compliance for every special category data flow.
What this means
GDPR Article 9 prohibits processing of personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, details of sex life or sexual orientation. The regulation is absolute unless you fall under one of Article 9(2)'s enumerated exceptions—such as explicit consent, employment law compliance, vital interests protection, or processing by certain organizations like NGOs. Your obligation is to identify all special category processing in your systems, document which exception applies to each, and maintain evidence that the exception remains valid.
How to comply
- 1.Conduct a comprehensive data inventory to identify all personal data flows involving special categories (health, biometric, political, religious, genetic, trade union, sex life data, etc.)
- 2.For each special category dataset, determine which Article 9(2) exception legally permits processing (e.g., explicit consent, employment law, vital interests, public task, legitimate processing by NGO/political party, genetic testing, health/social care, public health, historical/statistical research, legal claims)
- 3.Document the lawful basis for each processing activity in writing—this evidence is your primary control artifact
- 4.If relying on consent, implement explicit opt-in mechanisms separate from general consent and maintain records of when and how consent was obtained
- 5.For other exceptions (e.g., employment, vital interests), document why the exception applies and the specific legal or contractual provision that authorizes processing
- 6.Restrict access to special category data to only those staff members with a documented business need
- 7.Implement technical safeguards such as encryption, pseudonymization, or access controls appropriate to the sensitivity of the data
- 8.Review and renew documentation annually or whenever processing scope changes
- 9.Train staff on what constitutes special category data and the processing restrictions that apply
Evidence auditors look for
- Data processing inventory or mapping document that identifies systems and datasets containing special categories of personal data
- Privacy impact assessments (PIAs) or data protection impact assessments (DPIAs) for each special category processing activity
- Lawful basis justification memo for each Article 9(2) exception invoked (e.g., consent records, employment contract clauses, legal opinion on vital interests)
- Explicit consent forms (separate from general consent) signed by data subjects, with timestamps and retention records
- Access control logs or role-based access policy restricting special category data to authorized staff
- Data processing agreements (DPAs) with vendors who access special category data
- Technical documentation of encryption, pseudonymization, or anonymization measures applied
- Staff training records or acknowledgment forms confirming understanding of Article 9 restrictions
- Annual review or audit memo confirming lawful basis remains valid and processing scope is unchanged
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates identification and inventory of special category data flows across your systems, flags processing without documented Article 9 exceptions, and maintains audit trails of your lawful basis justifications—eliminating manual spreadsheet tracking and reducing compliance blind spots.
See how GRCWatch handles this control automatically
Start free trial