Sensitive data - Article 9 framework
Article 9 prohibits processing of special-category data unless an exception applies. The categories are: racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, and sex life or sexual orientation. The GDPR added genetic and biometric data to the Directive's list. Photographs are not automatically biometric data; they qualify only when processed by specific technical means for unique identification. Crucially, a controller needs both an Article 6 basis AND an Article 9 condition.
Article 9 starts from a prohibition on processing sensitive data and then provides narrow exceptions. The GDPR added genetic data and biometric data for unique identification to the Directive's categories. Notably, social security numbers and credit card details are NOT special categories, even though their misuse can cause serious harm. The special categories are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data (added by GDPR)
- Biometric data for the purpose of uniquely identifying a person (added by GDPR)
- Data concerning health
- Data concerning a person's sex life or sexual orientation
Satisfying an Article 9 exception does not exempt processing from the rest of the GDPR. A controller must meet a condition under both Article 6 and Article 9 when processing sensitive data, and must also comply with the transparency requirements of Articles 12–14.