Examples of GDPR Article 9 – Processing of Special Categories of Personal Data

The General Data Protection Regulation (GDPR) sets strict boundaries for how organizations handle personal data, particularly when it involves information that is highly sensitive. Article 9 of the GDPR specifically addresses “special categories of personal data,” which include details about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, and data concerning a person’s sex life or sexual orientation. These data types are protected under higher standards due to their potential to expose individuals to discrimination or harm if misused.

This article explores real-world examples and scenarios of how Article 9 applies, demonstrating both prohibited and permitted processing of special categories of data. Each example highlights the practical meaning of Article 9, its lawful exceptions, and how organizations ensure compliance while still processing sensitive data when necessary.


1. Example: Processing Health Data in a Hospital Setting

A hospital collects and stores extensive health information about its patients — from blood test results and X-rays to mental health assessments and genetic data. Under GDPR Article 9(1), such processing is prohibited unless one of the exceptions in Article 9(2) applies.

In this case, hospitals rely on Article 9(2)(h), which allows processing of health data for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care, or management of health systems.

To comply, the hospital ensures:

  • Access is limited to authorized personnel (doctors, nurses, and administrative staff bound by confidentiality).

  • Data is encrypted and stored securely in electronic health record systems.

  • Patients are informed through privacy notices explaining the purpose of data use.

This example demonstrates lawful processing because it serves an essential public interest — healthcare delivery — and meets the conditions under Article 9(2)(h) and Article 9(3), which requires professional secrecy obligations.


2. Example: Employer Processing Employee Health Information

A company requests medical certificates from employees who are on extended sick leave. These certificates contain information about the employee’s health status, which qualifies as sensitive personal data under Article 9.

In this situation, processing is justified under Article 9(2)(b) — necessary for carrying out obligations and exercising specific rights in employment and social security law, provided it is authorized by Union or Member State law and subject to adequate safeguards.

To remain compliant, the employer must:

  • Limit access to HR staff who handle sick leave documentation.

  • Avoid disclosing the medical condition beyond what is strictly necessary.

  • Retain such records only for the legally required duration.

If the company uses the data for any other purpose — such as assessing job performance or sharing with third parties — it would constitute unlawful processing under Article 9.


3. Example: Processing Biometric Data for Employee Access Control

A financial institution introduces a fingerprint-based access system for employees entering secure areas. Fingerprints qualify as biometric data, which falls under special categories if processed for identification purposes.

The company may rely on Article 9(2)(a) — explicit consent of the data subject — provided employees freely give consent and alternative access methods exist for those who refuse. However, since consent in the employment context can be problematic due to power imbalance, the company could instead justify processing under Article 9(2)(b) or (g) if national law allows biometric data for security purposes.

Compliance steps include:

  • Conducting a Data Protection Impact Assessment (DPIA).

  • Implementing encryption and storing biometric templates instead of raw fingerprints.

  • Ensuring transparent communication about the purpose and retention period.

This example illustrates how Article 9 demands strict conditions and technical safeguards when processing biometric data.


4. Example: Religious or Philosophical Beliefs in a School Context

A private school asks parents to provide information about their child’s religion or dietary restrictions to accommodate meals and holidays. Religious affiliation is a special category of data under Article 9.

The school can process this data under Article 9(2)(a) — explicit consent. Parents voluntarily provide the information to ensure proper care of their children.

However, compliance requires that:

  • Consent is specific, informed, and freely given.

  • Data is used solely for the stated purpose (e.g., meal planning or scheduling).

  • The school provides an easy way to withdraw consent.

If the school later uses the data to categorize students or make unrelated decisions (e.g., preferential treatment), it would violate GDPR principles of purpose limitation and fairness.


5. Example: Trade Union Membership Records

A trade union keeps records of its members, including names, addresses, and details of membership fees. Trade union membership is explicitly mentioned as sensitive data under Article 9(1).

Here, processing is lawful under Article 9(2)(d) — carried out in the course of legitimate activities with appropriate safeguards by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim.

Such processing is limited to members or persons who have regular contact with the organization, and data cannot be disclosed outside without consent.

This example illustrates how Article 9 provides flexibility for organizations that exist to serve specific communities while maintaining strict confidentiality obligations.


6. Example: Genetic Data in Scientific Research

A university conducts a medical research project studying genetic markers related to Alzheimer’s disease. Genetic information is a special category of data, and its processing normally requires the individual’s explicit consent under Article 9(2)(a).

However, the GDPR also allows processing without consent under Article 9(2)(j) for scientific research purposes, subject to appropriate safeguards such as pseudonymization and ethical oversight.

In practice, researchers:

  • Remove identifying details before data analysis.

  • Store genetic samples in controlled environments.

  • Obtain ethics committee approval.

This example shows how Article 9 enables research that benefits society, provided individuals’ privacy rights remain protected through technical and organizational measures.


7. Example: Data Concerning Sexual Orientation in a Social Study

A national statistics agency runs a survey to study discrimination based on sexual orientation. Respondents are asked to self-identify, and participation is voluntary.

Processing this data is justified under Article 9(2)(g) — processing necessary for reasons of substantial public interest, on the basis of Union or Member State law.

To comply, the agency ensures:

  • Participation is anonymous or pseudonymized.

  • Data is aggregated to prevent re-identification.

  • Respondents are informed about the purpose, retention period, and safeguards.

This example highlights how Article 9 supports social progress while balancing data protection principles.


8. Example: Processing Ethnic Origin Data in Equal Opportunity Monitoring

A government agency or private company might collect information on employees’ ethnic backgrounds to monitor equality and diversity initiatives.

Although this involves sensitive personal data, it may be lawful under Article 9(2)(b) or (g) if required by labor laws or public interest policies promoting equality.

For example:

  • The organization collects data anonymously for reporting diversity statistics.

  • Data subjects are informed that participation is voluntary and results will not affect employment conditions.

By anonymizing data and ensuring transparency, the organization fulfills both social objectives and Article 9 obligations.


9. Example: Processing Health Data for Insurance Purposes

An insurance company requests health details from applicants when assessing life or medical insurance policies. Such data processing is necessary for the conclusion and performance of a contract but still falls under Article 9 restrictions.

The lawful basis is Article 9(2)(g) — processing necessary for reasons of substantial public interest, on the basis of law that provides safeguards, or Article 9(2)(a) if the applicant gives explicit consent.

The insurer must:

  • Limit processing to relevant health data (e.g., medical history, lifestyle).

  • Keep records confidential and use encryption.

  • Allow applicants to withdraw consent or access their data.

This ensures compliance while enabling the company to assess risk fairly.


10. Example: Processing Data on Sexual Orientation in Employment Context

A company organizes diversity workshops and collects anonymous survey data from employees about their gender identity and sexual orientation.

Such processing, if fully anonymized, may fall outside GDPR scope. However, if identifiable, it must rely on explicit consent (Article 9(2)(a)) or a public interest basis (Article 9(2)(g)).

The company must:

  • Clearly state participation is voluntary.

  • Store results anonymously or delete identifiers promptly.

  • Avoid any form of discrimination or profiling.

This demonstrates how Article 9 safeguards individuals against misuse of deeply personal data in workplace contexts.


11. Example: Political Opinions in Campaigning Organizations

A political party processes data about its members’ political opinions and participation in campaigns. This qualifies as a special category of data.

Under Article 9(2)(d), processing is lawful because it is carried out in the course of legitimate activities of a not-for-profit body with a political aim, provided safeguards exist and data is not disclosed outside the organization without consent.

To comply, the party ensures:

  • Membership lists are confidential.

  • Only authorized campaign staff can access the data.

  • Data is used solely for internal communication and event organization.

This example shows how political freedom is protected under GDPR while ensuring personal privacy.


12. Example: Use of Biometric Data in Airports

Airports increasingly use facial recognition for boarding and security checks. Biometric data processed for identification clearly falls within Article 9’s special categories.

To comply, airports rely on Article 9(2)(g) (public interest in ensuring safety) or Article 9(2)(a) (explicit consent). However, given the scale of processing, explicit safeguards must be implemented:

  • Facial data is deleted immediately after verification.

  • Passengers are informed of their rights and alternatives.

  • Data Protection Impact Assessments (DPIAs) are conducted before deployment.

This example underscores how Article 9 governs modern technologies that intersect security and privacy.


13. Example: Processing of Health Data in a Pandemic

During a pandemic, public authorities and employers may need to process individuals’ health information — such as infection status or vaccination records — to protect public health.

Under Article 9(2)(i), processing is lawful for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.

For example:

  • A company checks employee vaccination certificates before employees return to the office.

  • Authorities collect anonymized infection data to track spread.

Such processing must be proportionate, time-limited, and accompanied by safeguards such as confidentiality and minimal data collection.


14. Example: Religious Beliefs in Employment Settings

An employee requests time off to celebrate a religious holiday, disclosing their religious belief. The employer processes this information only to accommodate the request.

Here, the lawful basis is explicit consent (Article 9(2)(a)), as the employee voluntarily provides the information for a specific purpose. The employer must:

  • Avoid recording the religion permanently unless necessary.

  • Not share the data beyond HR.

  • Delete the information after fulfilling the request.

This illustrates how Article 9 protects even incidental disclosures of sensitive data in everyday scenarios.


15. Example: Sexual Health Clinics

A sexual health clinic handles data concerning patients’ sexual orientation, test results, and health status. Such processing is essential for medical care, fitting under Article 9(2)(h).

The clinic ensures:

  • Staff are bound by professional confidentiality.

  • Data is stored under strong encryption.

  • Patients receive privacy notices outlining their rights.

Article 9 here enables socially critical services while ensuring the utmost protection of personal dignity.


Conclusion

GDPR Article 9 serves as one of the strongest shields for personal privacy, addressing the most intimate aspects of individuals’ lives — health, identity, beliefs, and personal relationships. Through its clearly defined exceptions, the regulation strikes a balance between protecting individuals and enabling legitimate uses of sensitive data for medicine, research, employment, and public safety.

The examples above reveal that Article 9 is not a blanket prohibition but a framework for responsible data governance. Whether it’s a hospital managing patient records, a researcher handling genetic data, or a company conducting diversity monitoring, each entity must apply the principles of necessity, proportionality, and transparency.