Guide: Data Privacy

Processing Special Categories

The amount of data collected on a daily basis is astronomical. Businesses must ensure that they protect all of the collected data.

Therefore, a common method of keeping the most private information safe is to process it within special categories. While you should protect all data, personal information is especially vulnerable.

Personal information (PII) designated within the special data category is sensitive personal data and requires a higher level of security. Processing it requires first identifying the lawful basis for a special category, then the particular condition for the lawful processing of personal data within a special category.


To learn more about Data Privacy with Satori read our Data Privacy Guide.

What is Special Category Data?

Special category data is a type of personal data (PII) that is considered particularly sensitive. This type of data includes information about a person’s race, ethnic origin, political opinions, religious beliefs, trade union membership, health, and sexual orientation. It also includes genetic information and biometric data used to identify a person.

In the European Union, the General Data Protection Regulation (GDPR) provides specific protections for processing special category data. This means that organizations must have additional safeguards in place when handling this type of data, and may only process it in certain circumstances.

Processing of Special Categories of Personal Data

To process special categories, an exemption is first needed. If you obtain this exemption to the rule prohibiting processing, you can process special categories.

Before handling special category data, you need to show that you meet two requirements: first, the exclusions to the restriction on processing special category data; second, the requirements for explicit consent. Both are required to process the special category data.

The following are the exceptions as outlined in Article 9 of the GDPR.

  • Explicit consent, unless the protection law forbids the processing and the individual cannot override the prohibition imposed by the law.
  • Necessary to process the supervisor’s legal responsibility for employment, social security, and other related issues.
  • Protection of the core interests of the research participant or another individual in situations where the subject in question is lawfully or physically unable to give consent. This protection includes cases when the data subject is a child.
  • Processing within the course of activities carried out by non-profit organizations, provided the data are not disclosed outside the organization without explicit consent.
  • The person whose data it is has exposed their private information to the world.
  • Legal procedures are filed when asserting or defending legal actions or when judges operate in their judicial capacity.
  • A substantial public interest that, concerning the goal sought, is reasonable, recognizes the substance of the right to data protection, and offers concrete security.
  • Essential for precautionary or occupational medicine, determining an individual’s capacity for employment, making a medical diagnosis, providing health or social treatment options, or managing health and social care programs and services.
  • Public health.
  • Keeping records in the public interest, doing research, and compiling statistics.

Substantial Public Interest Conditions

The GDPR makes reference to the substantial public interest in paragraphs 2(g), (i), and (j). In each of these paragraphs, it is possible to lift the prohibition on processing the special category of data, within the defined scope. However, nowhere does the GDPR define what constitutes substantial public interest. 

The UK has defined substantial public interest as a broad spectrum of values and concepts associated with the concept of the public good, sometimes known as what is in the best interests of society. It is essential that it be genuine and consist of substantial content. It is not sufficient to make a general or hazy public interest argument when dealing with special category data because these data come with their own intrinsic concerns.

Data Protection Impact Assessment

If the planned processing is expected to pose a significant threat to the rights and freedoms of the individual, or to process special category data on a wide scale, then a Data Protection Impact Assessment (DPIA) is required.

Using a Data Protection Impact Assessment, the controller evaluates the proposed handling of personal information in an unbiased, methodical, clear, and concise manner. It also aims to determine the dangers to an individual and take steps to minimize those risks when creating a new system or modifying an existing one.

The primary objective of a DPIA is to establish a balance between the necessity of the processing and the possible benefits it could provide and the potential impacts on individuals. An efficient DPIA can provide compliance, monetary, and reputational benefits, all of which help indicate responsibility and support a controller in building trust and confidence with people.

When performing a DPIA, each potential risk, and the degree of harm to people or the community as a whole should that risk materialize, must be considered and evaluated. However, the DPIA is not required to eliminate all risks but rather to minimize those risks and determine whether any risks still exist or are warranted.


The GDPR regulates the use and protection of private information. It stipulates specific requirements for processing special categories of data that can cause harm to an individual if compromised. However, if you follow all regulations, you can still handle and process special category data. Satori’s data security platform can help maintain compliance while processing special category data.

Last updated on January 4, 2023
