Article 9 GDPR Exemptions: When Processing Special Category Data Is Allowed

The General Data Protection Regulation (GDPR) classifies some types of personal data as “special category data” because of their sensitive nature. These categories include information about a person’s health, racial or ethnic origin, sexual orientation, political or religious beliefs, and biometric or genetic identifiers. To protect individuals’ privacy and reduce the risk of discrimination, Article 9 of the GDPR generally prohibits processing such data — unless a lawful exemption applies.

Understanding the Article 9 GDPR exemptions is essential for any organisation handling sensitive personal information. Misinterpreting or misapplying these exemptions can lead to compliance breaches, legal penalties, and severe damage to reputation. This article provides a comprehensive overview of these exemptions, the conditions for their lawful use, and practical examples to help organisations stay compliant.


What Is Special Category Data Under Article 9?

Before exploring the exemptions, it is important to understand what qualifies as special category data. According to Article 9(1), this includes:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Genetic or biometric data for uniquely identifying a person

  • Health data

  • Sex life or sexual orientation

This type of data is considered highly sensitive because, if misused or exposed, it may lead to discrimination, social harm, or personal risks for individuals. As a result, stricter safeguards apply compared to regular personal data.


General Rule: Processing Special Category Data Is Prohibited

The default position under Article 9 is simple:

Processing special category data is prohibited unless one of the exemptions in Article 9(2) applies.

This rule puts the burden of proof on the organisation to demonstrate that data processing falls within one of the lawful exemptions. Additionally, organisations must implement adequate security measures and meet other GDPR principles, such as minimisation, transparency, purpose limitation, and accountability.


The Lawful Exemptions Under Article 9 GDPR

Article 9 provides 10 specific exemptions that allow processing of special category data in certain circumstances. However, each exemption comes with strict conditions and often requires additional local legislation or safeguards.

Below is an overview of the exemptions with explanations and real-world examples.


1. Explicit Consent (Article 9(2)(a))

Processing is permitted if the data subject has given explicit consent for one or more specified purposes.

This consent must be:

  • Freely given

  • Specific and informed

  • Unambiguous and separate from other consents

  • Explicit — usually requiring a written or clearly affirmative statement

Example:
A private clinic collects medical history from patients for a health assessment program. Patients are clearly informed about how their health data will be used and sign a consent form authorising the clinic to process it.

Important note: Consent can be withdrawn at any time, and relying on consent is risky when there is a power imbalance (e.g., employer–employee relationships), meaning other exemptions may be more appropriate.


2. Employment, Social Security, and Social Protection Law (Article 9(2)(b))

This exemption permits processing when necessary for fulfilling obligations and exercising specific rights under employment, social security, or social protection laws. It typically applies where the processing is mandated or allowed by law.

Example:
An employer collects medical certificates to manage sick leave entitlements or workplace injury compensation as required by national labour legislation.

Because this exemption must be grounded in specific law, organisations must ensure that relevant national legislation applies before relying on it.


3. Vital Interests of the Data Subject (Article 9(2)(c))

Processing is allowed if it is necessary to protect the vital interests of the person concerned — essentially, matters of life or death — and the person is unable to give consent.

Example:
A paramedic treats an unconscious accident victim and shares their medical details with the hospital to save their life. Since the individual cannot provide consent, processing is justified under vital interests.

This exemption is interpreted narrowly and applies only in emergencies.


4. Processing by Not-for-Profit Bodies (Article 9(2)(d))

Non-profit organisations, foundations, political parties, religious associations, and trade unions may process special category data of their members or individuals in regular contact with them — provided the data is not disclosed to external parties without consent.

Example:
A religious organisation maintains membership records, including members’ religious beliefs, for administrative and community purposes.

The exemption only applies internally and requires proper safeguards.


5. Data Made Public by the Data Subject (Article 9(2)(e))

If an individual has manifestly made their special category data public themselves (the wording Article 9(2)(e) uses), it may be processed without consent.

Example:
A public figure openly reveals their sexual orientation in an interview. Media outlets reporting this information do not require consent because the individual has voluntarily made it public.

However, the data must have been made public by a deliberate act of the data subject; accidental exposure, or disclosure by a third party, does not qualify.


6. Legal Claims and Judicial Purposes (Article 9(2)(f))

Processing is allowed where necessary for the establishment, exercise, or defence of legal claims, or when courts act in their judicial capacity.

Example:
A lawyer collects medical information to file a personal injury claim on behalf of a client.

This exemption protects the rights to fair legal representation and due process.


7. Substantial Public Interest (Article 9(2)(g))

Processing is permitted when necessary for reasons of substantial public interest, based in EU or Member State law, and proportionate to the aim pursued. Safeguards must be in place to protect rights and interests.

Example:
Government bodies collect racial or ethnic data in equal opportunity monitoring programs to combat discrimination.

This exemption requires careful assessment, as “public interest” must be clearly evidenced and legislated.


8. Public Health (Article 9(2)(i))

Processing for reasons of public interest in the area of public health is allowed, particularly for:

  • Protecting against serious cross-border health threats

  • Ensuring high standards of healthcare, medical research, and safety

Example:
Health authorities collect and share infection data during a pandemic to track contagion patterns and manage public health measures.

This exemption must be based on law and respect confidentiality standards.


9. Preventive or Occupational Medicine and Health or Social Care (Article 9(2)(h))

Processing is lawful when necessary for:

  • Medical diagnosis

  • Provision of health or social care

  • Managing healthcare systems

Confidentiality duties such as medical secrecy must apply.

Example:
Hospitals maintain electronic health records for treating patients and coordinating care with specialists and pharmacies.

Patients’ sensitive health information is protected through strict professional secrecy obligations.


10. Archiving, Scientific or Historical Research, or Statistical Purposes (Article 9(2)(j))

Where processing is necessary for research or archiving in the public interest or for statistical purposes, it may be allowed if subject to appropriate safeguards — such as pseudonymisation or data minimisation.

Example:
A university uses anonymised genetic data for medical research studies aimed at improving cancer treatments.

The exemption promotes research advancements that benefit society.


Additional Safeguards Required When Using Article 9 Exemptions

Relying on an exemption is not enough on its own. Organisations must still comply with all other core GDPR obligations, including:

  • Data minimisation – only collect what is essential

  • Purpose limitation – do not reuse data for incompatible purposes

  • Transparency – inform data subjects clearly

  • Security measures – encryption, access controls, anonymisation

  • Accountability – demonstrate compliance if audited

Many exemptions require supporting national legislation, and organisations may need to conduct a Data Protection Impact Assessment (DPIA) before processing.


Common Misinterpretations and Pitfalls

Several organisations make compliance errors when handling special category data. Frequent mistakes include:

  • Assuming standard consent is enough — Article 9 requires explicit consent

  • Using the “made public” exemption too broadly

  • Relying on employer consent in workplace situations, despite the power imbalance

  • Collecting more sensitive data than necessary for the stated purpose

  • Lacking proper documentation to justify reliance on an exemption

Misuse of Article 9 exemptions can lead to regulatory investigations, fines, and reputational damage.


Practical Steps to Ensure Compliance

To properly apply Article 9 exemptions, organisations should:

  1. Identify whether the data is special category data

  2. Confirm that processing is strictly necessary for the stated purpose

  3. Select the most suitable exemption and document why it applies

  4. Check applicable national laws where required

  5. Implement appropriate technical and organisational measures (TOMs) as safeguards

  6. Maintain transparent communication with data subjects


Conclusion

Article 9 of the GDPR places stringent restrictions on processing special category data to protect individuals’ privacy and prevent misuse. While exemptions exist, they must be applied carefully, lawfully, and with proper safeguards. Organisations handling highly sensitive personal information need to ensure that data processing is truly necessary, falls under one of the permitted exemptions, and complies fully with GDPR principles.

By understanding and correctly implementing Article 9 exemptions, organisations can protect individuals’ rights, maintain trust, and avoid regulatory risks — achieving a balance between operational needs and data privacy.