- What Is Special Category Data Under GDPR?
- Article 9 Processing Conditions: The Ten Exceptions
- How Article 9 Maps to CIPP/E Exam Domains
- High-Risk Scenarios Tested on the CIPP/E
- Special Category Data vs. Criminal Conviction Data
- Member State Derogations and Why They Matter on the Exam
- Structuring Your Study: A Domain-by-Domain Approach
- Frequently Asked Questions
- Article 9 lists ten explicit processing conditions - memorise each one with its exact statutory language for Domain 2 questions.
- Special category data appears across Domains 2, 3, and 5; expect scenario-based questions, not just definitions.
- Criminal conviction data under Article 10 is a separate regime - confusing the two is a common exam mistake.
- Member State derogations allow national law to expand or restrict Article 9 conditions - a frequent CIPP/E scenario topic.
What Is Special Category Data Under GDPR?
Article 9 of the GDPR identifies a set of personal data categories so sensitive that their misuse poses especially grave risks to fundamental rights and freedoms. The regulation labels these special category data, and it subjects their processing to a stricter legal framework than ordinary personal data. For CIPP/E candidates, understanding this distinction is not optional - it is central to passing the exam.
The eight categories named in Article 9(1) are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where processed to uniquely identify a natural person)
- Health data
- Data concerning a natural person's sex life or sexual orientation
Notice that the biometric data category has a qualifier: it must be processed for the purpose of uniquely identifying a person. A photograph alone does not automatically become special category data - but a facial recognition system that uses that photograph for identification does. This nuance appears regularly in CIPP/E scenario questions, so internalise it now.
The general rule under Article 9(1) is a prohibition on processing. Unlike ordinary personal data, where a controller simply needs one of the six lawful bases in Article 6, special category data cannot be processed at all unless one of the ten explicit exceptions in Article 9(2) is satisfied in addition to a valid Article 6 basis. That layered requirement is a classic CIPP/E exam concept.
Article 9 Processing Conditions: The Ten Exceptions
Candidates who attempt to memorise the Article 9(2) conditions as a numbered list often struggle with application questions. A better approach is to understand the logic behind each exception - who it protects, in what context, and what accompanying safeguards it implies.
| Article 9(2) Condition | Core Requirement | Typical Exam Scenario |
|---|---|---|
| (a) Explicit consent | Freely given, specific, informed, unambiguous - and explicit (not just an opt-in tick box) | Health app asking users to share medical history |
| (b) Employment / social security obligations | Must be authorised by Union or Member State law with appropriate safeguards | Employer processing disability data for workplace adjustments |
| (c) Vital interests | Data subject physically or legally incapable of consenting | Emergency room accessing unconscious patient's allergy records |
| (d) Legitimate activities of not-for-profit bodies | Relates only to members/former members; data not disclosed outside without consent | Political party processing members' political opinions |
| (e) Manifestly made public | Data subject deliberately put it in the public domain | Journalist referencing politician's public speech on religion |
| (f) Legal claims | Establishment, exercise, or defence of legal claims | Law firm using health records in personal injury litigation |
| (g) Substantial public interest | Must be based on Union or Member State law, proportionate to aim, with appropriate safeguards | Public authority processing racial data for anti-discrimination monitoring |
| (h) Healthcare / medical diagnosis | By or under responsibility of a professional bound by secrecy | Hospital sharing patient records with treating specialist |
| (i) Public health | Serious cross-border threats; Union or Member State law basis required | National health agency processing genetic data during pandemic |
| (j) Archiving / research / statistics | Must be proportionate, respect essence of the right to data protection, suitable safeguards | University processing health data for longitudinal medical study |
Key Takeaway
For each Article 9(2) condition, ask: (1) Who authorises it? (2) What safeguards are required? (3) Can Member States expand or restrict it? Answering those three questions for every condition is the fastest route to exam readiness on this topic.
How Article 9 Maps to CIPP/E Exam Domains
The CIPP/E exam is organised around five domains, and special category data under Article 9 genuinely spans three of them. Understanding which domain a question is testing helps you apply the right frame of analysis under time pressure.
Domain 2: European Data Protection Law and Regulation
This is where Article 9 lives structurally. Expect questions testing the precise text of conditions, the relationship between Articles 6 and 9, and the distinction between explicit consent (Article 9) and ordinary consent (Article 6).
- The prohibition in Article 9(1) and its relationship to fundamental rights
- The exact wording distinguishing each of the ten conditions
- How Member State law interacts with conditions (b), (g), (h), (i), and (j)
- Article 10 on criminal conviction data as a separate regime, not a sub-category of Article 9
Domain 3: Compliance with European Data Protection Law and Regulation
Here the focus shifts to what controllers and processors actually do when they handle special category data. Questions test DPIAs, records of processing, and the role of the Data Protection Officer.
- When a DPIA is mandatory for special category data processing (Article 35)
- Documenting the Article 9(2) condition relied upon in Records of Processing Activities
- Implementing appropriate technical and organisational measures specific to high-sensitivity data
- Role of binding corporate rules and standard contractual clauses when transferring special category data internationally
Domain 5: European Data Protection in Practice
Scenario-heavy questions place candidates inside real organisations - healthcare providers, insurers, HR departments, research institutions - and ask for practical judgments about lawfulness and risk.
- Healthcare sector: balancing Article 9(2)(h) with patient confidentiality obligations
- Employment context: using Article 9(2)(b) for occupational health programmes
- Insurance underwriting: assessing whether health data can be processed under explicit consent or another basis
- Research and statistics: applying the safeguards required under Article 9(2)(j) and Recital 156
If you want to understand how these domain questions are formatted and weighted, reviewing the CIPP/E Exam Format and Question Types Explained article will give you a concrete picture of what to expect on test day.
High-Risk Scenarios Tested on the CIPP/E
The CIPP/E is not a recall exam. Its questions are predominantly scenario-based, presenting a situation with four plausible answer choices that often differ only in the legal basis or the safeguard invoked. For Article 9, the following scenario types appear with notable frequency.
Workplace Health and Disability Data
An employer needs to process an employee's disability information to make reasonable workplace adjustments. The question will typically ask which Article 9(2) condition applies. The answer is (b) - employment obligations - not explicit consent, because relying on consent in an employment relationship is problematic given the power imbalance. The EDPB has issued guidance reinforcing this, and the exam reflects it.
Genetic Testing and Insurance
An insurance company wants to use genetic test results to calculate premiums. This scenario tests whether explicit consent under Article 9(2)(a) is a sufficient basis when national law restricts the use of genetic data in insurance contexts. In many Member States, it is not - demonstrating the critical role of domestic legislation layered on top of the GDPR.
Biometric Access Control Systems
An employer installs fingerprint scanners to control building access. Does this trigger Article 9? Only if the fingerprint data is processed to uniquely identify the person - which a standard access system typically does. A question might then ask whether explicit consent from employees is a valid basis, testing the same employment power-imbalance principle as above.
Special Category Data vs. Criminal Conviction Data
Article 10 of the GDPR covers the processing of personal data relating to criminal convictions and offences. The CIPP/E tests candidates on the distinction between Article 9 and Article 10 because students frequently conflate them. The key differences are structural: Article 10 data is not processed under the Article 9(2) conditions. Instead, it may only be processed under the control of official authority, or when Union or Member State law authorises it with appropriate safeguards.
Common exam traps include scenarios involving:
- Background checks by employers - these typically involve Article 10, not Article 9
- Insurance companies asking about driving convictions - again, Article 10 territory
- A data subject voluntarily disclosing a past conviction - the "manifestly made public" condition in Article 9(2)(e) does not apply to Article 10 data
The GDPR Special Category Data: CIPP/E Guide to Article 9 framework is your reference point for this distinction - bookmark it for quick revision.
Member State Derogations and Why They Matter on the Exam
One of the features that makes European data protection law genuinely complex - and genuinely interesting to examine - is that the GDPR is a regulation with built-in flexibility. Several Article 9(2) conditions explicitly require or permit Member State law to set the detailed rules. Domain 1 (Introduction to European Data Protection) establishes this constitutional architecture, and Domain 2 then applies it.
Where Derogations Create Exam Complexity
Under Article 9(2)(b), processing for employment purposes must be authorised by Union or Member State law. Germany's Federal Data Protection Act, France's Loi Informatique et Libertés as amended, and Ireland's Data Protection Act 2018 each contain sector-specific rules about employee health data that go beyond the GDPR's baseline. The exam will not ask you to memorise German employment law - but it will ask you to recognise that Member State law can impose additional restrictions, and to identify scenarios where a controller relying solely on the GDPR text would be non-compliant domestically.
Similarly, Article 9(4) allows Member States to maintain or introduce further conditions - including limitations - on processing genetic, biometric, or health data. This provision is tested in Domain 4 (Territorial and Material Scope, and Accountability) when questions involve multinational organisations that process health data across several EU jurisdictions.
Structuring Your Study: A Domain-by-Domain Approach
Because special category data under Article 9 spans multiple CIPP/E domains, a naive chronological reading of the GDPR is not the most efficient preparation strategy. The following structure aligns your revision weeks with the exam's domain architecture.
Domain 2 Foundation: Article 9 Text and Structure
- Read Article 9 in full, plus Recitals 51-56
- Memorise all eight special categories with their qualifiers
- Map each Article 9(2) condition to its authorising source (Union law, Member State law, data subject action)
- Read Article 10 and note structural differences from Article 9
Domain 3 Application: Compliance Obligations
- Study Article 35 - when DPIAs are mandatory for special category processing
- Review Article 30 on records of processing - what must be documented for Article 9 data
- Read EDPB guidelines on Data Protection Officers (WP243) with special category focus
- Practise scenario questions at CIPPE Exam Prep targeting Domain 3 topics
Domains 4 & 5: Territorial Scope and Sector Practice
- Work through health, employment, and research sector scenarios in Domain 5
- Apply Domain 4 thinking: how does establishment, targeting, or monitoring trigger GDPR for special category data?
- Focus on international transfer scenarios involving special category data
- Review Member State derogation examples in employment and health contexts
Timed Practice and Gap Analysis
- Complete full timed mock exams at CIPPE Exam Prep and track Article 9 question accuracy
- For every wrong answer, identify whether the error was domain knowledge, scenario analysis, or answer elimination
- Re-read EDPB guidelines relevant to your weakest scenarios
- Review the CIPP/E Exam Format and Question Types Explained guide to refine your elimination technique
Frequently Asked Questions
No. Article 9(2)(a) explicit consent satisfies the special category condition, but you still need a separate Article 6 basis - most commonly Article 6(1)(a) consent or another applicable basis. The CIPP/E frequently tests this layering requirement. Treating explicit consent as satisfying both simultaneously is one of the most common mistakes candidates make.
Under Article 9(1), trade union membership is a special category regardless of how it was disclosed. However, if the data subject has manifestly made it public themselves, condition (e) in Article 9(2) may apply. The exam will test whether that condition is genuinely satisfied - casual workplace disclosure is not the same as deliberate public disclosure.
The exam tests the concept of derogation - that certain Article 9(2) conditions require or permit national law, that Member States may impose additional restrictions, and that a controller must check both the GDPR and applicable domestic law. Questions will signal a relevant domestic context and test whether the candidate recognises the derogation mechanism, not whether they know the specific national statute.
These are separate categories. Health data (defined in Article 4(15)) covers information about physical or mental health status. Genetic data (defined in Article 4(13)) refers to personal data relating to inherited or acquired genetic characteristics. A person's HIV status is health data. A DNA profile from a genealogy test is genetic data. Both can also be biometric data if processed to uniquely identify the person - creating potential overlap that Article 9 questions exploit.
Not automatically, but Article 35(3)(b) explicitly requires a DPIA for large-scale processing of special category data, and supervisory authority lists of mandatory DPIA triggers almost universally include special category processing. On the CIPP/E, if a scenario involves special category data at organisational scale, a DPIA should be your default assumption unless the question provides specific context suggesting otherwise.