8 Special Categories of Personal Data: Explained

American actor Marlon Brando famously said, “Privacy is not something that I’m merely entitled to; it’s an absolute prerequisite.” Several decades later, the General Data Protection Regulation (GDPR) shook up the data privacy landscape by essentially taking the same attitude toward the privacy rights of EU citizens and residents. GDPR puts individual data privacy and protection as absolute prerequisites for organizations operating in today’s digital world. 

By establishing a series of seven principles, 99 articles that outline compliance requirements, and 173 recitals that provide context to the articles, GDPR forms the most comprehensive data privacy regulation in the world. However, within it, some special categories of personal data come with different rules and restrictions for processing. This article provinces a helpful guide to the eight particular types of personal data in GDPR.

GDPR Explained

GDPR is a comprehensive data privacy regulation enacted on May 25, 2018, in the European Union (EU). It aims to protect the personal data and privacy of EU citizens and residents and regulate how organizations collect, process, and store their data. 

GDPR applies to all organizations, irrespective of location, that process the data of individual citizens or residents of the EU.

The entire text of GDPR is a complex document to navigate and digest. However, GDPR entails the following seven fundamental principles that distill the essence of how the regulation protects personal data and privacy:

1. Businesses must lawfully, fairly, and transparently process personal data, providing clear information about how data is stored and used.
2. You can collect data only for specific, explicit, and legitimate purposes and not process it further in a manner incompatible with those purposes.
3. You must process only the necessary data required for the specified purpose.
4. Data must be accurate and up-to-date. Inaccurate data should be rectified or deleted.
5. Personal data should be kept only as long as necessary for its intended purpose.
6. Organizations must ensure the integrity and confidentiality of personal data, protecting it from unauthorized access, damage, or loss.
7. Companies must demonstrate accountability by complying with GDPR through appropriate policies, procedures, and documentation.

Non-compliance with GDPR can result in significant penalties. Companies receive fines of up to 4% of annual global turnover or €20 million (whichever is greater) for the most severe violations. More minor violations incur penalties of up to 2% of annual global turnover or €10 million.

The regulatory bodies responsible for enforcing GDPR are the national Data Protection Authorities (DPAs) in each EU member state. DPAs can investigate complaints, conduct audits, and impose fines on organizations that violate the regulation. For example:

• Meta was fined €390 million by Ireland’s Data Protection Commission (DPC) in January 2023 for not being transparent enough in outlining the legal basis under which Facebook and Instagram processed users’ data. 
• Retail giant H&M received a €35.3m fine in Germany for processing excessive information about several hundred employees. 

While these penalties provide compelling reasons to comply with GDPR, it’s not just about avoiding fines and legal headaches. Compliance shows current and prospective customers that you value their privacy and are committed to keeping their data safe. 

What is “special category data”?

GDPR deems data information as particularly sensitive;  this data requires extra protection measures and comes with restrictions on its processing because of the following reasons: 

• Increased risk of discrimination: Special category data can reveal intimate or highly personal details about people, which, in the wrong hands, could lead to discrimination or prejudice.
• More significant
• Potential for harm: Misuse or unauthorized disclosure of a particular data category can cause substantial emotional, financial, or reputational damage. 
• Promoting a data privacy culture based on trust and compliance: By imposing higher standards for processing particular category data, the GDPR promotes
•  Trust between individuals and organizations, ensuring that sensitive personal information is handled responsibly and ethically.

8 Unique Categories of Personal Data

1. Health Data

Health data is some of the most sensitive information you can process about a person, so it’s unsurprising that GDPR includes it as a particular category of personal data. Health data is information about an individual’s physical or mental health. It covers information about medical conditions, treatments, diagnoses, or other relevant data collected while providing healthcare services. 

A typical example of this data processing is the tracking apps that collect data about your daily exercise routines, heart rate, and sleep patterns. 

2. Racial or Ethnic Origin

This category refers to any data that reveals the racial or ethnic background of an individual. It could include information about people’s ancestry, nationality, or the specific ethnic group they belong to. For example, a survey conducted by a university asks students about their racial or ethnic background to gather demographic data for statistical purposes; this counts as particular category data.  

3. Political Opinions

Here, we’re talking about data that relates to a person’s political beliefs, affiliations, or opinions. This category includes information about an individual’s political party membership, voting preferences, or any political activities they may have participated in. For example, a list of donors to a political party or a record of someone’s attendance at a political rally or protest.

4. Religious or Philosophical Beliefs

This data reveals an individual’s religious beliefs or philosophical convictions. It may encompass information about a person’s religious denomination, participation in religious activities, or any spiritual or intellectual principles they adhere to. Examples of data requiring special protection in this category include a list of members of a philosophical society or a database of people who have registered for religious education classes. 

5. Trade Union Membership

This category protects any data indicating an individual’s trade union membership. Since trade unions represent the interests of workers in specific industries or professions, membership data is considered sensitive because it could expose people to potential discrimination or mistreatment. An example is a company that processes and stores employee details about their trade union memberships to negotiate collective agreements, such as wage increases or improved working conditions.

6. Genetic Data

This category includes any data obtained from a person’s genetic material, such as DNA or RNA, that provides unique information about their physiological or health characteristics. Genetic data can reveal predispositions to certain diseases or conditions and is special personal data under GDPR because of its potential impact on privacy and potential for misuse. A pertinent example is the increasingly popular direct-to-consumer DNA testing services that analyze the buyer’s genetic makeup to provide insights about their ancestry, potential health risks, or unique physical traits.

7. Biometric Data

Biometric data encompasses information from specific technical processing relating to an individual’s physical, physiological, or behavioral characteristics that are used for identification purposes. This includes fingerprint scans, facial recognition, or voice patterns. For example, a company that requires fingerprint scans for employees to access the office will have to take extra care to protect this data. 

8. Sexual Orientation

This eighth category covers data revealing information about an individual’s sex life or sexual orientation. It includes details about a person’s sexual preferences, experiences, or relationships. For an easily recognizable example of this type of data processing, consider how dating apps typically ask users to disclose their sexual orientation and preferences to find compatible matches for potential romantic relationships.

With Unique Data Comes Special Protection

Article 9 of GDPR prohibits the processing of particular category data except under ten limited circumstances. These circumstances include:

• Where the data subject gives explicit consent for the specified purpose
• Cases where processing is necessary for reasons of public interest in the area of public health
• Where processing is required to protect the vital interests of the data subject

When processing and storing special category data, it’s essential to protect it with the highest security standards since a breach of this information tends to cause much more harm to data subjects:

• Encryption for special category data in transit and at rest is essential. If you have a website or web app, ensure it uses the latest version of Transport Layer Security. Also, consider a technology like Transparent Data Encryption (TDE) for encrypting stored files containing special category data.
• Adequate access controls can also provide an extra layer of protection against the accidental disclosure of, or unauthorized access to, special category data. Limit the permissions you give users to only the databases and files strictly necessary for their roles. Enforce IAM best practices, such as mandating multi-factor authentication for logins to on-premise and cloud databases or data storage apps. 

Go Beyond Compliance to Strengthen Your Brand’s Reputation

When processing special category data, it’s a given that you adhere to standards like GDPR. It’s foundational for establishing trust. But in today’s complex digital environment, mere compliance isn’t enough. The silent threat of website spoofing attacks are perpetually on the horizon, ready to undermine the trust you’ve cultivated with your clients.

Memcyco’s unique PoSA™ technology-based solution bolsters your digital defenses against website spoofing fraud and helps prevent data breaches. It provides vigilant, real-time protection, especially during that critical “window of exposure”—from the moment a deceptive site emerges to the time it’s taken down. Offering your organization complete visibility into any potential threats, Memcyco enables you to take swift remedial action that keeps you compliant, and your clients safe.

Reach out to us for detailed insight into how Memcyco can fortify your defenses against website spoofing.

Ran Arad

Director of Product Marketing