What counts as special category data?
Personal data revealing a person’s:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data (when used to uniquely identify someone)
- data concerning health
- data concerning a person’s sex life or sexual orientation
Criminal offence data is not special category data; it has separate rules (GDPR Art. 10 / DPA 2018).
You need two things to process it
- A lawful basis under Article 6 (e.g. legal obligation, contract or legitimate interests), and
- A specific Article 9 condition for special category data.
Common Article 9 conditions, in plain English
- Explicit consent from the data subject. Must be specific, informed and documented (separate from Ts&Cs).
- Employment, social security & social protection obligations/rights (e.g., payroll health certifications, equality monitoring required by law).
- Vital interests where the person is physically or legally incapable of giving consent (e.g., medical emergency).
- Legal claims or courts (establish, exercise or defend claims).
- Substantial public interest on the basis of law with appropriate safeguards (e.g., safeguarding at-risk individuals).
- Healthcare & social care (treatment/management by professionals under confidentiality).
- Public health (e.g., protecting against serious cross-border threats).
- Archiving/research/statistics with safeguards and minimisation.
- Not-for-profit bodies processing data of their members with suitable protections.
- Manifestly made public by the individual (use carefully, with proof and minimisation).
- Tip: Your list in practice may be shorter; pick the one or two conditions that truly fit and document why.
Explicit consent (when you rely on it)
Consent must be explicit and provable. Acceptable methods:
- Signed declaration (digital or paper)
- Unticked checkbox with clear wording per purpose
- Email reply clearly agreeing to a stated purpose
- Yes/No selector with purpose-specific text
- Tip: Withdrawal must be as easy as giving consent, and you must stop any processing that relied on it.
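The "two things" rule and the consent rules above, worked into a small consent ledger. This is an added example, not iProtectU's code: the function names, the dictionary keys used for a processing record and the employee sample are assumptions, and the check applies to any Article 9 condition, not only consent.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
# Article 9 conditions as listed on this page, keyed for use in processing records.
ART9_CONDITIONS = {"explicit_consent", "employment_law", "vital_interests",
                   "legal_claims", "substantial_public_interest", "health_care",
                   "public_health", "research", "not_for_profit", "manifestly_public"}

@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    evidence: str                      # how consent was captured, e.g. "signed declaration"
    given_at: datetime
    withdrawn_at: "datetime | None" = None

@dataclass
class ConsentLedger:
    records: list = field(default_factory=list)
    def give(self, subject_id, purpose, evidence, when):
        self.records.append(ConsentRecord(subject_id, purpose, evidence, when))
    def withdraw(self, subject_id, purpose, when):
        # Withdrawal is stamped onto the record, never deleted: the ledger must still
        # prove consent existed for processing carried out before the withdrawal.
        for r in self.records:
            if (r.subject_id, r.purpose, r.withdrawn_at) == (subject_id, purpose, None):
                r.withdrawn_at = when
    def permits(self, subject_id, purpose, at):
        return any(r.subject_id == subject_id and r.purpose == purpose and r.given_at <= at
                   and (r.withdrawn_at is None or at < r.withdrawn_at) for r in self.records)

def may_process(activity, ledger, at):
    # Both an Article 6 basis and an Article 9 condition are required; when the
    # condition is explicit consent, a live consent record is required as well.
    if not activity.get("art6_basis"):
        return False, "no Article 6 lawful basis recorded"
    cond = activity.get("art9_condition")
    if cond not in ART9_CONDITIONS:
        return False, "no valid Article 9 condition recorded"
    if cond == "explicit_consent" and not ledger.permits(activity["subject_id"], activity["purpose"], at):
        return False, "explicit consent not given, or withdrawn, for this purpose"
    return True, "ok"

# Constructed sample: one employee consents to equality monitoring, later withdraws.
GIVEN = datetime(2024, 1, 10, tzinfo=timezone.utc)
WITHDRAWN = datetime(2024, 6, 1, tzinfo=timezone.utc)
LEDGER = ConsentLedger()
LEDGER.give("emp-42", "equality_monitoring", "unticked checkbox, HR portal", GIVEN)
LEDGER.withdraw("emp-42", "equality_monitoring", WITHDRAWN)
EQUALITY = {"subject_id": "emp-42", "purpose": "equality_monitoring",
            "art6_basis": "consent", "art9_condition": "explicit_consent"}
```

Processing at or after the withdrawal timestamp is refused, while the record of the earlier consent is retained as evidence.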
Required safeguards & records
- Minimise collection and access; use role-based controls and encryption.
- Keep an Appropriate Policy Document (UK) or equivalent policy describing why/how you process.
- Record the Article 6 basis and Article 9 condition, plus DPIA outcomes where required.
- Retention: keep only as long as necessary; define schedules.
- DPIA when high-risk (e.g., large-scale health/biometric processing).
- Train staff handling sensitive data and log all access/changes.
Practical examples for managers
- Occupational health: fitness-for-work notes — lawful basis: legal obligation; Art. 9: health care.
- Biometric access control: fingerprints/face ID — lawful basis: legitimate interests (if appropriate); Art. 9: biometric for unique ID under substantial public interest (where legally permitted) or explicit consent with an alternative offered.
- Equality monitoring: optional questions about ethnicity/religion — explicit consent with a clear “prefer not to say” option.
Quick checklist
- Have we identified exactly which special category data we hold?
- Do we have a valid Article 6 basis and Article 9 condition?
- Is explicit consent truly voluntary (if used) and recorded?
- Have we completed/updated a DPIA if high risk?
- Are access, encryption, retention and audit logs in place?
- Is there a clear withdrawal/objection route and response process?
- Are staff trained on handling and redaction?
How iProtectU helps with GDPR
- IIRSM-approved GDPR awareness training – assign our IIRSM training to staff/managers, track completion, and schedule refreshers.
- Policy & document management – publish privacy notices, retention schedules and procedures using our document management software; version control ensures a full audit trail.
- Vendor/processor records – store contracts, data processing agreements and due-diligence checks.
- DPIAs & risk logs – consistent templates, actions and reviews to manage high-risk processing.
- Tasking & reminders – owners, due dates and renewals for RoPA, DPIAs, policy updates and vendor checks.
- Dashboards & reporting – real-time view of training, policy acceptance, actions and expiries for audit readiness.
Need to tighten controls around sensitive data?
Book a demo and see how iProtectU keeps you audit-ready.
This article provides general guidance and is not legal advice.
Next in the series (Part 4): Access to Information.
Missed a part? Catch up on the series:
- Part 1: GDPR basics for managers — why it matters and how iProtectU helps.
- Part 2: Consent that’s freely given (and provable)
- Part 4 (coming next): Access to Information
- Part 5 (coming next): Notification of a personal data breach
GDPR FAQs
Our FAQ guides enable you to make informed decisions about how our health and safety software can benefit your organisation.
For anything else please request a demo, call or send us an email.
- You must stop the processing based on that consent and log the withdrawal. Keep a record that consent was previously given/withdrawn.
- No. Consent must be an opt-in via clear affirmative action.
- The UK applies the UK GDPR alongside the Data Protection Act 2018; it mirrors GDPR principles closely. If you operate across regions, design for the higher standard.
- No. Consent must be specific—give separate choices for each purpose.
- No. Consent is one of six lawful bases. For many HR or service-delivery activities, contract or legitimate interests may be more appropriate—document your choice.
- A Data Protection Impact Assessment evaluates high-risk processing (e.g., large-scale monitoring, special category data). It documents risks and the measures you’ll put in place.
- If a personal data breach is likely to risk people’s rights/freedoms, report to the supervisory authority within 72 hours and inform affected individuals when required.
- Yes—book a free demo and we’ll tailor a walkthrough to your industry, data and processes so you can see how iProtectU fits your organisation.
- Refresh when your purposes, technology or context change, or when consents become stale for the risk involved.