GRCWatch
Sign inStart free trial

GDPR A9-02: Obtaining Explicit Consent for Special Category Data

Processing special category data—health, biometric, racial, or religious information—requires explicit consent that meets strict GDPR standards. Your consent mechanism must be clearly separated, freely given, and documented to survive regulatory scrutiny. This guide walks you through the requirements and implementation steps.

What this means

GDPR Article 9 restricts processing of special categories of personal data (sensitive data). When explicit consent is your legal basis, that consent must be unambiguous and backed by a clear affirmative action from the data subject. Crucially, consent for special categories must be visually and functionally distinct from other consents—bundling it with standard privacy notices is not permitted.

How to comply

  1. 1.Separate consent requests: Create a distinct consent mechanism specifically for special category processing, visually and textually separated from general privacy notices.
  2. 2.Use clear affirmative action: Require an active opt-in (checkbox, button click, or signature)—pre-ticked boxes or silence do not qualify.
  3. 3.Provide specific information: Clearly state what special categories you will process, why, who will access them, and how long you'll retain them.
  4. 4.Document consent: Maintain timestamped records of when, how, and what consent was given for each data subject.
  5. 5.Enable withdrawal: Provide an easy mechanism for data subjects to withdraw consent at any time.
  6. 6.Avoid bundling: Do not mix special category consent with other processing consents in a single request.
  7. 7.Train staff: Ensure teams collecting or processing special data understand explicit consent requirements.

Evidence auditors look for

  • A standalone consent form with a dedicated checkbox for health data processing, dated and signed
  • Audit log showing separate consent collection for biometric data distinct from general cookie/marketing consents
  • Email or interface screenshot capturing the exact affirmative action and timestamp of consent
  • Privacy notice appendix explicitly describing special categories, purposes, recipients, and retention periods
  • Data subject withdrawal request log showing dates and confirmation of consent removal
  • Consent management platform audit trail demonstrating separation of consent flows

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates special category consent capture and separation, maintains timestamped audit trails, and flags consent withdrawal requests—eliminating manual tracking and reducing the risk of invalid consent invalidating your entire special data processing chain.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR A7-04 — Conditions for ConsentGDPR A21-01 — Right to ObjectGDPR A17-01 — Right to Erasure