Special categories of personal data — the subject of Article 9 of the GDPR — are the types of data the regulation considers especially sensitive and therefore subject to heightened protection. The default position is striking: processing this data is prohibited unless one of a specific, narrow set of exceptions applies. Any organisation handling health data, biometric data, or other sensitive information must understand Article 9, because getting it wrong means processing without a lawful footing at all.
What the special categories are
Article 9 lists the special categories precisely: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic data; biometric data processed for the purpose of uniquely identifying a person; data concerning health; and data concerning a person’s sex life or sexual orientation. These are singled out because their misuse can lead to discrimination and serious harm to fundamental rights.
The default prohibition
Unlike ordinary personal data, which may be processed on any of the six lawful bases, special-category data starts from a position of prohibition. Article 9 states that processing these categories is forbidden — and then provides a closed list of exceptions under which it becomes permissible. This inversion is the key conceptual point: for sensitive data, the question is not “which lawful basis applies?” but “which Article 9 exception lifts the prohibition?”, and an ordinary lawful basis is still required in addition.
The exceptions
Article 9 lists the conditions under which special-category processing is allowed. They include explicit consent; processing necessary for employment, social security, and social protection law obligations; protection of vital interests where the person cannot consent; processing by certain non-profit bodies; data manifestly made public by the individual; legal claims; substantial public interest; health or social care and public health purposes; and archiving, research, or statistics — each subject to its own conditions and often to additional safeguards in national law.
Explicit consent
Where consent is the chosen route for special-category data, it must be explicit — a higher standard than the consent required for ordinary data. Explicit consent generally means a clear, express statement of agreement to the specific sensitive processing, rather than a more general affirmative action. For many commercial uses of health or biometric data, explicit consent is the most relevant exception, and designing a genuinely explicit, specific, and well-documented consent flow is essential.
Health data in particular
Health data is among the most commonly encountered special categories, especially for digital-health and wellness products. It is interpreted broadly, covering not only medical records but any data revealing something about a person’s health status. Products in this space must identify an appropriate Article 9 exception, apply strong safeguards, and often conduct a data protection impact assessment given the sensitivity and likely scale of the processing.
Biometric data
Biometric data — such as fingerprints or facial geometry — is special-category only when processed for the purpose of uniquely identifying a person. This nuance matters: the same underlying data may or may not be special-category depending on the purpose. Where it is, the prohibition and exceptions apply, and the heightened sensitivity intersects with the AI Act’s own biometric provisions, making this an area of layered regulation.
Additional safeguards
Because of the risks involved, special-category processing typically calls for stronger technical and organisational measures than ordinary data: stricter access controls, encryption, pseudonymisation where possible, and tighter retention. The heightened risk also makes a data protection impact assessment likely to be required. In short, identifying an Article 9 exception is necessary but not sufficient — the safeguards around the processing must match the sensitivity.
The Swiss perspective
Swiss data protection law likewise recognises a category of sensitive personal data and affords it special protection, broadly comparable to the GDPR’s approach though defined in its own terms. DACH organisations handling sensitive data therefore face aligned but not identical requirements under both regimes, and — as elsewhere — designing to the stricter standard is the efficient way to satisfy both.
Practical handling
For organisations, the practical sequence is: determine whether any data they process falls into a special category; if so, identify the Article 9 exception that lifts the prohibition and the ordinary lawful basis that also applies; obtain explicit consent where that is the route; apply heightened safeguards; and assess whether a DPIA is required. Treating sensitive data with this extra rigour from the design stage is far safer than discovering the gap later. Innopulse builds this into the data model for DACH products that touch sensitive data.
Conclusion
Special categories of data under Article 9 — revealing origin, beliefs, union membership, or concerning genetics, biometrics, health, or sexual orientation — are prohibited from processing by default, permitted only under a specific exception such as explicit consent, and require heightened safeguards. For digital-health and other products handling sensitive data, identifying the right exception, securing explicit consent where needed, and applying strong protections are not optional refinements but the basic conditions of lawful processing.