Skip to content

Privacy Concepts & Foundations

What Is Special Category Data, and Why It Gets Extra Protection

Some details about you are treated as more sensitive than the rest. Here is what counts as special category data under UK GDPR, why the law sets a higher bar for using it, and how that shapes your own privacy choices.

In short

Special category data is a defined set of sensitive personal data — health, race or ethnicity, religion, sexual orientation, political opinions, trade union membership, genetic and biometric data, and sex life. UK GDPR gives it extra protection: organisations generally cannot use it without meeting a stricter, named condition on top of the usual lawful basis.

What counts as special category data

Not all personal data is treated the same. UK GDPR (Article 9) singles out a specific list of sensitive details and calls them special category data. These are the kinds of facts that, if mishandled, could expose you to discrimination or serious harm, so the law holds them to a higher standard than ordinary information like your name or email address.

The categories are defined and closed — an organisation cannot simply decide that something else is sensitive and add it to the list, nor leave one out because it finds it inconvenient. If a detail falls within these categories, the stricter rules apply.

It is worth noting that data revealing a special category counts too, even if it is not stated outright. A photograph that makes your ethnicity apparent, or a membership list that implies your religion, can bring something into scope by inference rather than by label.

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data and biometric data used to identify you
  • Health data, including physical and mental health
  • Data concerning your sex life or sexual orientation

Why the law gives it extra protection

For most personal data, an organisation needs a lawful basis — a justified reason such as consent, a contract, or a legitimate interest. Special category data carries a second requirement on top of that: the organisation must also meet one of the specific conditions listed in Article 9 before it can process the information at all. In practice that is two locks instead of one.

These extra conditions are narrower and more demanding. Explicit consent is one route, but others are tightly drawn — for example, certain uses in healthcare, employment law, or matters of substantial public interest, each with its own safeguards. The point is to make sensitive use deliberate and accountable rather than incidental.

The reasoning is straightforward. The exposure of your shopping habits is an intrusion; the exposure of your health condition, your faith, or your sexuality can affect your safety, your employment, and your relationships. The law treats that gap in potential harm by raising the bar before such data can be collected or shared.

What this means for your own privacy choices

Knowing which of your details are special category data helps you reason about your footprint with more precision. When you review what a company holds, you can pay particular attention to anything sensitive and ask whether it was ever necessary for them to have it in the first place.

It also shapes how you make requests. If you ask an organisation for a copy of your data, or to delete or correct it, special category data is squarely within those rights — and because the bar for holding it is higher, an organisation may find it harder to justify keeping it without a clear, named reason.

OSINTA is a self-only tool: it helps you see and understand your own digital footprint and prepare your own data-rights requests, and it suggests while you decide. This article is general information, not legal advice. If a situation involving sensitive data is high-stakes, consider speaking to a qualified adviser or your data protection regulator.

Frequently asked questions

Is a phone number or email address special category data?

No. Ordinary identifiers like your name, phone number, email address, or home address are personal data, but they are not special category data. The special categories are limited to sensitive details such as health, beliefs, ethnicity, biometrics, and sexual orientation, which UK GDPR protects more strictly.

Are criminal offence records special category data?

Not quite. Data about criminal convictions and offences is handled under its own provision (Article 10) rather than the Article 9 special categories, but it is treated with similar care and carries its own restrictions on who may process it and under what controls.

Does an organisation always need my explicit consent to use sensitive data?

Not always. Explicit consent is one condition, but UK GDPR allows other narrowly defined conditions — for example certain healthcare, employment, or substantial-public-interest uses, each with safeguards. The key point is that some specific, named condition must apply, not just a general reason.

Can I ask a company to delete special category data it holds about me?

You can ask. Your right to erasure and your right of access cover special category data like any other personal data. Because the threshold for lawfully holding sensitive data is higher, an organisation may find it harder to justify keeping it. This is general information, not legal advice.

Related terms

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

Reviewed by OSINTA's founding lawyer — 2026-06-27.

Reviewing what an organisation holds about you?

A clear, calm walkthrough of how to ask for your own data — and what to expect back.

See the DSAR guideJoin the waitlist