Lesson 07 of 25

Special Categories, Pseudonymisation & Anonymisation

Lock in the Article 9 special categories, the separate Article 10 criminal-data regime, and the exam-critical line between pseudonymous data (still in scope) and truly anonymous data (out of scope).

Special categories: data that gets extra protection

  • Article 9 lists special categories of personal data
  • Processing is prohibited unless an exception applies
  • Reflects higher risk of harm and discrimination
  • A frequent exam topic

Some personal data is more sensitive than the rest, and the GDPR singles it out for extra protection in Article 9. These are the special categories, and the starting rule is strict: processing them is prohibited unless one of Article 9's specific exceptions applies. The reason is the heightened risk of harm and discrimination if such data is misused: think of someone's health, their faith, or their union membership being exposed.

For the exam, you need to know exactly what is on the list and that the default is a prohibition with limited gateways out, which we will study when we reach lawful processing in Domain three.

The Article 9 list

  • Racial or ethnic origin; political opinions
  • Religious or philosophical beliefs; trade-union membership
  • Genetic data; biometric data for unique identification
  • Health; sex life or sexual orientation

Here is the Article 9 list, and it is worth memorising. Special categories are: data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership; genetic data; biometric data, but only where it is processed for the purpose of uniquely identifying a person; data concerning health; and data concerning a person's sex life or sexual orientation. Two precision points the exam tests.

Biometric data is special only when used to uniquely identify someone; a photograph alone is not automatically special-category. And the list does not include financial data or general contact details; those are ordinary personal data, however valuable. Know the nine items and what is conspicuously absent.

A useful memory aid is to group them: the four belief-and-identity items (racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade-union membership); the two body-data items (genetic data, and biometric data used for unique identification); and the three intimate-life items (health, sex life, and sexual orientation). Nine in total across three clusters, with no financial or location data.

Criminal data sits separately

  • Article 10 — criminal convictions and offences
  • Not technically an Article 9 special category
  • Processing only under official authority or authorised by law
  • Treated as highly sensitive in practice

Watch this distinction, because it is a classic trap. Data about criminal convictions and offences is governed by Article 10, not Article 9. So strictly speaking, criminal-offence data is not one of the Article 9 special categories, even though it is just as sensitive in practice.

Article 10 says such data may only be processed under the control of official authority, or when authorised by EU or member-state law providing appropriate safeguards. If an exam question asks whether criminal-conviction data is a special category under Article 9, the precise answer is no: it has its own home in Article 10. That kind of fine distinction is exactly what separates a confident pass from a near miss.

Pseudonymisation: still personal data

  • Article 4(5) — replace identifiers with a pseudonym
  • Re-identification possible with separately kept extra info
  • Still personal data — GDPR still applies
  • A security measure, not an escape hatch

Now a pairing the exam tests almost every time: pseudonymisation versus anonymisation. Article 4(5) defines pseudonymisation as processing personal data so that it can no longer be attributed to a specific person without additional information, which is kept separately and protected. Replacing a customer's name with a reference code, while keeping the key in a locked file, is pseudonymisation.

The vital point: pseudonymised data is still personal data, because re-identification remains possible using that separate key. So the GDPR still applies in full. Pseudonymisation is encouraged as a security and data-minimisation measure, and the GDPR explicitly rewards it, but it is not a way out of the regulation.

Anonymisation: out of scope

  • Truly anonymous data cannot identify anyone
  • Recital 26 — GDPR does not apply to anonymous data
  • Bar is high: irreversible, no reasonable re-identification
  • Weak anonymisation is really pseudonymisation

Anonymisation is different in kind. Truly anonymous data is information that can no longer be linked to any identifiable person, by anyone, by any means reasonably likely to be used. Recital 26 is explicit: the principles of the GDPR do not apply to anonymous information.

So genuine anonymisation takes data out of the GDPR's scope entirely, which is why it is so attractive. But the bar is high. The process must be effectively irreversible, with no reasonable prospect of re-identification, even by combining datasets.

If any realistic route back to the individual exists, the data is only pseudonymised, and the GDPR still applies. The exam loves to dress up weak pseudonymisation as anonymisation, so read carefully for any retained key or re-identification risk.
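An added example, not part of the original lesson, illustrating the two sections above: names are swapped for random reference codes with the key table held separately (pseudonymisation), and a simple uniqueness check then shows why deleting the key alone does not make the data anonymous. The records are constructed, every function name is hypothetical, and the uniqueness check is a simplified technical screen assumed for illustration, not the legal test.

```python
import secrets
from collections import Counter

# Constructed sample records (not real data).
CUSTOMERS = [
    {"name": "Alice Martin", "postcode": "1050", "birth_year": 1984, "diagnosis": "asthma"},
    {"name": "Bram Peeters", "postcode": "1050", "birth_year": 1984, "diagnosis": "diabetes"},
    {"name": "Chloe Dubois", "postcode": "1000", "birth_year": 1990, "diagnosis": "migraine"},
    {"name": "Dirk Janssens", "postcode": "1180", "birth_year": 1975, "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year")  # assumed indirect identifiers


def pseudonymise(records, id_field="name"):
    """Replace the direct identifier with a random code.

    Returns (dataset, key_table); the key table is the 'additional
    information' that must be stored separately and protected.
    """
    dataset, key_table = [], {}
    for rec in records:
        code = "C-" + secrets.token_hex(8)
        key_table[code] = rec[id_field]
        row = {k: v for k, v in rec.items() if k != id_field}
        row["ref"] = code
        dataset.append(row)
    return dataset, key_table


def reidentify(row, key_table):
    """Whoever holds the key table can reverse the pseudonym."""
    return key_table.get(row["ref"])


def singled_out(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Rows whose quasi-identifier combination is unique in the dataset."""
    def combo(r):
        return tuple(r[q] for q in quasi_identifiers)
    counts = Counter(combo(r) for r in rows)
    return [r for r in rows if counts[combo(r)] == 1]


def triage(rows, key_exists, quasi_identifiers=QUASI_IDENTIFIERS):
    """Rough screen: a retained key or a unique row rules out 'anonymous'."""
    if key_exists:
        return "pseudonymised: still personal data"
    if singled_out(rows, quasi_identifiers):
        return "not anonymous: rows can be singled out by combining datasets"
    return "no unique rows found (necessary, not sufficient, for anonymity)"
```

Passing this screen does not establish anonymity; it only removes two of the most common reasons a dataset fails to be anonymous.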

Recap

  • Article 9 — nine special categories, processing prohibited by default
  • Article 10 — criminal data, separate regime
  • Pseudonymous data — still personal data, GDPR applies
  • Anonymous data — out of scope (Recital 26)

Let's recap the sensitive end of the spectrum. Article 9 lists nine special categories, from racial origin to health and sexual orientation, and processing them is prohibited unless an exception applies. Criminal-conviction data lives separately in Article 10.

Pseudonymised data is still personal data because the key exists, so the GDPR still bites, while truly anonymous data falls outside the GDPR under Recital 26, but only if re-identification is not reasonably possible. Next, we turn to the principles that govern all processing, the seven principles of Article 5, the backbone of the entire regulation. First, go test yourself on special categories.

Sources

  • Regulation (EU) 2016/679 (GDPR), Article 9 (special categories), Article 10 (criminal convictions), Article 4(5) (pseudonymisation), Recital 26 (anonymisation)
  • EDPB guidance

Test your knowledge

A few CIPP/E questions on this material:

  1. Under Article 4 of the GDPR, which of the following is the most accurate definition of 'personal data'?

  2. A data analytics firm replaces customer names with random codes but keeps the mapping table in a separate secured system. How should this data be classified under the GDPR?

  3. A company hosts a public Facebook page and uses Facebook's audience-insights tool to analyse who visits it. Which roles do the company and Facebook most likely hold for the data generated by those visitors?

  4. Which of the following data items is NOT listed as a special category of personal data under Article 9 of the GDPR?