HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What is GDPR Special Category Data?

Under GDPR, companies have obligations regarding the personal data of data subjects, but there is also a separate category of data that is treated differently – GDPR special category data.

What is GDPR special category data and how do the rules differ for processing that information.

GDPR Special Category Data

GDPR special category data is personal information of data subjects that is especially sensitive, the exposure of which could significantly impact the rights and freedoms of data subjects and potentially be used against them for unlawful discrimination.

GDPR special category data includes the following information:


    GDPR Compliance Checklist
    for American Companies

    Immediate Access
    Privacy Policy

    • Race and ethnic origin
    • Religious or philosophical beliefs
    • Political opinions
    • Trade union memberships
    • Biometric data used to identify an individual
    • Genetic data
    • Health data
    • Data related to sexual preferences, sex life, and/or sexual orientation

    Because these data elements are particularly sensitive, a company must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. Companies are prohibited from collecting or processing these data unless:

    • Explicit consent has been obtained from the data subject; or,
    • Processing is necessary in order to carry out obligations and exercise specific rights of the data controller for reasons related to employment, social security, and social protection; or,
    • Processing is necessary to protect the vital interests of data subjects where individuals are physically or legally incapable of giving consent; or,
    • Processing is necessary for the establishment, exercise, or defence of legal claims, for reasons of substantial public interest, or reasons of public interest in the area of public health; or,
    • For purposes of preventive or occupational medicine; or,
    • Processing is necessary for archiving purposes in the public interest, scientific, historical research, or statistical purposes; or,
    • Processing relates to personal data which are manifestly made public by the data subject; or,
    • Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects

    The processing of all personal data must only occur if there is a lawful reason for using the information, as detailed in Article 6 of the GDPR. Any company that needs to process special category data must check the requirements laid down in Article 9 of GDPR. Personal data related to criminal convictions and offenses are also particularly sensitive and dealt with separately in Article 10 of GDPR.

    If special category data are collected, stored, processed, or transmitted data controllers must ensure that additional protections are put in place to ensure that information is appropriately safeguarded.

    The GDPR Compliance Date has Now Passed

    The compliance data for the General Data Protection Regulation (GDPR) has now passed and companies are required to comply with all GDPR regulations. There are stiff financial penalties now applicable for any company that is not in compliance with GDPR.

    To avoid financial penalties, ensure that appropriate resources are devoted to your GDPR compliance program and you are documenting your compliance efforts and can demonstrate to regulators that you are in the process of complying with the GDPR.

    Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.