Special categories of personal data: Special requirements and conditions



Dr Rachel Finn | Director, Data Protection & Cyber-risk Services / Head of Irish Operations

Date: 20 November 2019

Special categories of personal data, colloquially called ‘sensitive data’, were already recognised under the Data Protection Directive 95/46/EC as a category of personal data requiring further protection. Regulation (EU) 2016/679 (GDPR) has added genetic and biometric data to the list of sensitive data and enhanced their protection. In this article, we discuss the key considerations of the ICO’s updated guidance on special categories of personal data.

Data mapping and management

Organisations should consider whether they hold and use personal data and, more specifically, special categories of personal data.

Special category data is information concerning a person’s:

  • health;
  • sex life or their sexual orientation;
  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs; or
  • membership of a trade union.

Information that relates to the above aspects but is not associated with a particular individual is not personal data. Examining whether information is personal or non-personal is a thorny issue, requiring context-specific and objective assessments. We have produced guidance on this issue to help you assess whether you hold personal data or not, especially in complicated situations, such as genetic data. Specific advice should also be sought about biometric data, which allows or confirms the unique identification of a natural person.

Regarding obscure cases, such as inferences about sensitive data, the ICO advises that if you can infer relevant information with a reasonable degree of certainty then it’s likely to be special category data even if it’s not a cast-iron certainty. But if it is just a possible inference or an ‘educated guess’, it is not special category data (unless you are specifically processing to treat someone differently on the basis of that inference) – even if that guess turns out to be right.

For example, surnames may indicate ethnicity. This does not in and of itself mean they are sensitive data, even if this inference is correct. Nonetheless, if you process this data because of this inferred information, then you should treat it as sensitive data.


Processing sensitive data requires additional lawfulness safeguards. Organisations should have a lawful basis to process data both under Article 6 and Article 9 GDPR. Specific conditions and considerations apply for each legal basis and you should carefully consider what legal basis is appropriate.

Additional transparency and accountability requirements

Where processes or systems involve the processing of special categories of personal data, you should consider whether a DPIA must be conducted before processing sensitive data, in line with Article 35 GDPR.

The ICO also provides guidance on the requirement for an appropriate policy document in accordance with Schedule 1 of the UK Data Protection Act 2018. Under this Schedule, controllers should have an appropriate policy document in place where they rely on the legal basis of substantial public interest or on the employment, social security and social protection conditions. The ICO sheds light on this novel requirement, which is a short document outlining the compliance measures and retention policies for special category data. This document should include information about the legal bases, the procedures for complying with each of the principles, and the retention and deletion policies, with an indication of the retention period for the specific data. This document should be kept up to date and retained until six months after the date you stop the relevant processing. The ICO has prepared a template.

Other national and sectoral requirements

The GDPR includes some open clauses, which allow Member States to further specify the application of the GDPR provisions in national law, especially in relation to genetic, biometric and health data. Organisations should refer to and consult the applicable national data protection legislation and check whether additional requirements apply. For example, the Irish Health Research Regulations 2018 lay down additional conditions for the processing of health data for research purposes.

What’s more

The ICO points out that the risk of misusing sensitive data and infringing fundamental rights and freedoms requires organisations to bear in mind that the principles of data minimisation and fairness should be respected.


Processing sensitive data may be required in order to comply with the law, provide services or enhance information utility within your organisation. Data utility comes, though, with the requirement for greater care and consideration when using sensitive data. Sensitive data exposes individuals to risks to their fundamental rights and freedoms. Therefore, organisations should ensure that they are aware of the categories of personal data they keep and use. They should also constantly monitor that the data uses are permitted and in line with applicable legislation and official guidance.

For more information on how Trilateral can support you in complying with the requirements for processing special category data, please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.
