The General Data Protection Regulation (GDPR)↗ defines a subset of personal data known as "special category data": data that regulators consider extremely sensitive. Under the GDPR, organizations must take extra measures to protect it. Follow this list of best practices for collecting and handling special category data to ensure GDPR compliance↗ and keep your customers' confidential data safe.

» How do you protect sensitive information? Consider these security methods to protect sensitive information↗

What Is Special Category Data?

What makes certain data special? The GDPR does not leave this to judgement: Article 9(1) enumerates the categories outright, because processing them could create significant risks to the individual's fundamental rights and freedoms (Recital 51). The categories are:
- Genetic data, and biometric data processed to uniquely identify a person
- Health data
- Political opinions
- Racial or ethnic origin
- Religious or philosophical beliefs
- Sex life or sexual orientation
- Trade union membership
Misuse of special category data can lead to identity fraud, reputational damage, embarrassment, discrimination, and personal harm. Note that data about criminal convictions and offences is not a special category; it is governed separately by Article 10 of the GDPR, and children's data has its own rules in Article 8.

» How is special category data different from personal data? Compare PII vs sensitive data vs sensitive PII↗

Best Practices to Process Special Category Data

Article 9↗ of the GDPR sets out when businesses may process special category data. Article 9(1) prohibits such processing outright; it is allowed only where one of the conditions in Article 9(2) applies, and even then you still need an ordinary lawful basis under Article 6. The Article 9(2) conditions are summarized below:
1. Get Explicit Consent
Explicit consent from the data subject (Article 9(2)(a)) is the condition most businesses rely on; data the subject has manifestly made public themselves (Article 9(2)(e)) is a separate condition. Explicit consent must be freely given and specific to the purpose: silence, a pre-ticked box, or a bundled "accept all" does not qualify (Recital 32). Note that even with explicit consent, Union or Member State law can provide that the prohibition cannot be lifted by consent for particular kinds of processing. Consulting a compliance expert↗ and having a clear, documented consent process are important best practices to ensure you get explicit consent from your data subjects.
2. Process Only Necessary Data
Employment, Social Security, and Social Protection Law

Special category data may be processed where necessary to carry out obligations or exercise specific rights of the controller or of the data subject in the field of employment, social security, and social protection law (Article 9(2)(b)). This processing must be authorized by Union or Member State law or a collective agreement and must have appropriate safeguards in place.

Vital Interests and Legal Claims

Processing may also be permitted where necessary to protect the vital interests of the data subject or another person and the data subject is physically or legally incapable of giving consent, such as when health information is needed for emergency care (Article 9(2)(c)). A separate condition covers processing necessary to establish, exercise, or defend legal claims, or whenever courts act in their judicial capacity (Article 9(2)(f)).
3. Archive For Research Purposes
GDPR also allows processing special category data where necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (Article 9(2)(j)). This must be based on Union or Member State law that is proportionate to the aim pursued, and it must be subject to the safeguards in Article 89(1), such as pseudonymization wherever the purpose can still be met that way, so that the rights and interests of data subjects are respected.
4. Consider Public Interest and Health
Special category data can be processed where necessary for reasons of substantial public interest, on the basis of Union or Member State law (Article 9(2)(g)), or for reasons of public interest in the area of public health (Article 9(2)(i)). The latter includes protecting against serious cross-border threats to health and ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
5. Assess the Ability to Work, Rehabilitation, or Treatment
Finally, processing may be necessary for preventive or occupational medicine, assessing an employee's working capacity, medical diagnosis, or providing health or social care or treatment (Article 9(2)(h)). Under Article 9(3) this condition applies only where the data is processed by or under the responsibility of a professional bound by an obligation of professional secrecy.

Conclusion

Overall, special category data is highly sensitive and requires careful handling to protect the rights and interests of data subjects. As a business owner, it's important to be familiar with the GDPR provisions on special category data and the best practices for implementing appropriate safeguards and obtaining consent from your data subjects. Developing strong data processing policies and conducting risk assessments can help protect your business while ensuring compliance with GDPR and avoiding GDPR fines↗.

» Worried about GDPR compliance? Explore PieEye's GDPR compliance solution↗
Where eCommerce Brands Collect Special Category Data Without Realizing It
Your Shopify store probably collects special category data more often than you think. When customers fill out product recommendation quizzes, answer health-related questions during checkout, or use your chat feature to describe medical conditions, you're handling special category data.
Meta Pixel and Google Analytics tracking can also capture special category data indirectly. If a customer browses your diabetes-management or mental-health product pages and your pixel fires, the page URL and product identifiers are sent along with a cookie or user identifier, so you are potentially processing health-related behavioral data linked to that person.
Even your email marketing platform (like Klaviyo) can inadvertently collect special category data. Customer support conversations, abandoned cart recovery messages referencing specific health products, or segmentation based on product categories hint at sensitive information.
The issue: many eCommerce brands don't have consent mechanisms in place for these touchpoints. Your cookie banner might cover analytics tracking, but does it separately ask permission for health-related product data collection? If a customer answers "I have celiac disease" in a product filter, have you obtained explicit consent to store and process that answer?
Audit your entire data flow—from website forms to email integrations to third-party apps. Document where special category data enters your system. You may discover gaps where you're processing sensitive information without the proper legal basis or consent structure.
Building a Consent Framework for Your eCommerce Platform
Your consent process needs to be specific and separate for special category data. A generic "accept all" button on your cookie banner won't satisfy GDPR requirements for explicit consent.
Here's what works for eCommerce brands: create a tiered consent model. Your standard cookie banner handles analytics and marketing cookies. But when a customer provides special category data—whether through a health questionnaire, product reviews mentioning conditions, or customer service interactions—trigger a separate consent request that clearly explains what data you're collecting and why.
For Shopify stores, this means using consent management apps that let you conditionally display consent forms based on user behavior. If someone adds a medical device to their cart, they should see a consent prompt explaining that you're storing this purchase history and how you'll use it (or won't use it for marketing).
Document your consent records. When a customer provides explicit consent to process their health data, keep a timestamped log of who consented, to which purpose, what wording they were shown, and how they indicated agreement. Article 7(1) puts the burden on you to demonstrate that consent was given, so this proof matters during audits or if someone files a DSAR (data subject access request).
Train your team on what triggers a special category consent requirement. Support staff should know that certain customer conversations need to be flagged as containing sensitive data. Email marketers should understand they can't segment lists based on inferred health conditions without consent.
Your consent framework should also include withdrawal mechanisms. If a customer consents today, they must be able to withdraw that consent easily—ideally with a single click in their account settings or email preferences.
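As an added example (not code from the original page or from any consent-management app), here is a Python consent ledger implementing the framework above: purpose-specific grants, withdrawal recorded as a new event rather than an edit, a hash chain so the timestamped log cannot be silently altered, and a guard for marketers to call before segmenting on health data. The category tags, subject ids, evidence strings and sample events are constructed for illustration.

```python
"""Purpose-specific consent ledger for special category data.

Added example; not code from the page's author or any named platform.
Category tags, subject ids and the sample events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Article 9(1) categories as short tags; consent is recorded per (category, purpose).
SPECIAL_CATEGORIES = {
    "racial_ethnic", "political", "religious_philosophical", "trade_union",
    "genetic", "biometric", "health", "sex_life_orientation",
}
GENESIS = "0" * 64  # prev_hash of the first event in the chain


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    category: str     # one of SPECIAL_CATEGORIES
    purpose: str      # explicit consent is purpose-specific; never record "all"
    granted: bool     # False records a withdrawal
    at: datetime      # timezone-aware timestamp of the subject's action
    evidence: str     # what the subject was shown, e.g. form id and wording version
    prev_hash: str
    hash: str


def _payload(subject_id, category, purpose, granted, at, evidence) -> str:
    """Canonical JSON of the fields that the hash commits to."""
    return json.dumps({"subject_id": subject_id, "category": category, "purpose": purpose,
                       "granted": granted, "at": at.isoformat(), "evidence": evidence},
                      sort_keys=True)


class ConsentLedger:
    """Append-only, hash-chained log of grants and withdrawals."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @property
    def events(self) -> Tuple[ConsentEvent, ...]:
        return tuple(self._events)

    def _append(self, subject_id, category, purpose, granted, at, evidence) -> ConsentEvent:
        if category not in SPECIAL_CATEGORIES:
            raise ValueError(f"not a special category: {category!r}")
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        prev_hash = self._events[-1].hash if self._events else GENESIS
        body = _payload(subject_id, category, purpose, granted, at, evidence)
        digest = hashlib.sha256((prev_hash + body).encode()).hexdigest()
        event = ConsentEvent(subject_id, category, purpose, granted, at, evidence, prev_hash, digest)
        self._events.append(event)
        return event

    def grant(self, subject_id, category, purpose, at, evidence) -> ConsentEvent:
        return self._append(subject_id, category, purpose, True, at, evidence)

    def withdraw(self, subject_id, category, purpose, at,
                 evidence="account settings: withdraw consent") -> ConsentEvent:
        # Withdrawal is a new event; the original grant stays on record as proof.
        return self._append(subject_id, category, purpose, False, at, evidence)

    def has_consent(self, subject_id, category, purpose, at: Optional[datetime] = None) -> bool:
        """True only if the latest decision on record at time `at` is a grant."""
        at = at or datetime.now(timezone.utc)
        latest = None
        for ev in self._events:
            if (ev.subject_id, ev.category, ev.purpose) == (subject_id, category, purpose) and ev.at <= at:
                latest = ev
        return latest is not None and latest.granted

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, reordered or deleted event breaks the chain."""
        prev = GENESIS
        for ev in self._events:
            body = _payload(ev.subject_id, ev.category, ev.purpose, ev.granted, ev.at, ev.evidence)
            if ev.prev_hash != prev or ev.hash != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = ev.hash
        return True

    def export_for_subject(self, subject_id) -> List[Dict]:
        """The subject's consent history, for inclusion in a DSAR response."""
        return [{"category": ev.category, "purpose": ev.purpose, "granted": ev.granted,
                 "at": ev.at.isoformat(), "evidence": ev.evidence}
                for ev in self._events if ev.subject_id == subject_id]


def can_process(ledger: ConsentLedger, subject_id, category, purpose) -> bool:
    """Guard to call before any use of special category data, e.g. list segmentation."""
    return ledger.has_consent(subject_id, category, purpose)


def build_demo_ledger() -> ConsentLedger:
    """Constructed events: two shoppers of a wellness store."""
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # Alice ticks the box on a dietary quiz: consent covers recommendations only.
    ledger.grant("alice", "health", "product_recommendation", t0,
                 "quiz-v3: 'use my dietary answers to recommend products'")
    # Bob opts in to condition-based email offers, then withdraws a week later.
    ledger.grant("bob", "health", "email_segmentation", t0,
                 "pref-center-v2: 'send me offers based on my condition'")
    ledger.withdraw("bob", "health", "email_segmentation", t0 + timedelta(days=7))
    return ledger
```

Two design points follow the text above: consent is keyed by purpose, so Alice's quiz consent does not let the email team segment on her dietary answers, and `has_consent` takes a point in time, so you can show a regulator what the record said when a given campaign was sent.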
Handling DSARs When Special Category Data Is Involved
When a customer submits a DSAR (data subject access request), special category data demands extra care. You must respond without undue delay and in any case within one month of receipt (Article 12(3)); that period can be extended by up to two further months for complex or numerous requests, provided you tell the requester why within the first month. The process is more complex when sensitive data is involved.
Start by identifying all systems where this customer's special category data lives. If they've interacted with your store over years, their data might be scattered across your Shopify database, email platform, analytics tools, third-party review sites, and customer support tickets. Pull records from everywhere.
Before you send the DSAR response, scrub it for data of other people. If a customer review mentions someone else's health condition, redact it. If a support chat references family members, remove those details.
Consider how you'll deliver the data. Some eCommerce brands send DSARs as CSV exports, but special category data warrants extra security. Use encrypted file transfers, password-protected links that expire after 48 hours (with the password sent over a separate channel, not in the same email as the link), or secure portals. Never email raw data containing health information, religious beliefs, or other sensitive attributes.
eCommerce platforms sometimes struggle because they lack visibility into third-party data flows. If you use a review app that displays customer photos tagged with health conditions, or an analytics tool that infers sensitive attributes, you need to know this when responding to DSARs. Your DSAR response must include data held by vendors acting as your processors, because it is still data you control.
Document your DSAR process. Keep records of when requests arrived, what data you retrieved, and how you delivered it. This audit trail protects you if a regulator questions your compliance.
Minimizing Risk by Collecting Less Special Category Data
The safest approach: don't collect special category data unless your business absolutely requires it. Many eCommerce brands gather sensitive information out of habit rather than necessity.
Ask yourself: do you actually need customers to tell you their health conditions? If you sell general wellness products, product descriptions and customer education work better than medical questionnaires. If you sell dietary supplements, filtering by allergen (which can hint at health conditions) might be necessary—but storing the inferred health data longer than needed creates unnecessary risk.
Implement data minimization practices. Set retention schedules. Health-related customer service conversations don't need to live in your CRM forever. Archive them after one year, or delete them once the issue is resolved. Product purchase data (someone bought a pain relief cream) is less sensitive than medical history, so handle retention differently.
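As an added example (not the page's own code or a particular CRM's feature), the retention schedule described above as a small Python policy engine: health-related support conversations are deleted once resolved or archived after a year, short-lived quiz answers get a hard deletion deadline, and ordinary purchase history runs on a longer schedule. The data classes, retention periods and sample records are constructed for illustration and are not legal advice.

```python
"""Retention scheduling for special category data, by data class.

Added example; not code from the page's author. The policy values are
constructed to match the page's suggestions and are not legal advice.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    delete_on_resolve: bool             # drop as soon as the underlying issue is closed
    archive_after: Optional[timedelta]  # move out of the live CRM after this age
    delete_after: Optional[timedelta]   # hard delete after this age


# Constructed policy: special category classes get short, event-driven retention;
# ordinary purchase history is retained longer under a different schedule.
POLICY: Dict[str, RetentionRule] = {
    "support_health": RetentionRule(True, timedelta(days=365), timedelta(days=2 * 365)),
    "quiz_dietary_answers": RetentionRule(False, None, timedelta(days=90)),
    "purchase_history": RetentionRule(False, None, timedelta(days=6 * 365)),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str
    created_at: datetime
    resolved_at: Optional[datetime] = None  # set when a support issue is closed


def retention_action(record: Record, now: datetime) -> str:
    """Return 'delete', 'archive' or 'keep' for one record under POLICY."""
    rule = POLICY.get(record.data_class)
    if rule is None:
        # Unknown class: fail closed so the record gets classified rather than kept forever.
        raise KeyError(f"no retention rule for data class {record.data_class!r}")
    age = now - record.created_at
    if rule.delete_on_resolve and record.resolved_at is not None and record.resolved_at <= now:
        return "delete"
    if rule.delete_after is not None and age >= rule.delete_after:
        return "delete"
    if rule.archive_after is not None and age >= rule.archive_after:
        return "archive"
    return "keep"


def retention_plan(records: List[Record], now: datetime) -> Dict[str, str]:
    """Map record ids to the action the schedule requires right now."""
    return {r.record_id: retention_action(r, now) for r in records}


def demo_plan() -> Dict[str, str]:
    """Constructed sample records evaluated on a fixed date."""
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    records = [
        # Chat about a gluten allergy, closed last week: delete now, not in a year.
        Record("ticket-101", "support_health", now - timedelta(days=30), now - timedelta(days=7)),
        # Still-open ticket from 14 months ago: archive out of the live CRM.
        Record("ticket-102", "support_health", now - timedelta(days=430)),
        # Quiz answers from four months ago: past the 90-day limit, delete.
        Record("quiz-7", "quiz_dietary_answers", now - timedelta(days=120)),
        # Pain-relief cream bought two years ago: within the purchase schedule, keep.
        Record("order-55", "purchase_history", now - timedelta(days=730)),
    ]
    return retention_plan(records, now)
```

Run `retention_plan` from a scheduled job against every store that holds customer data (CRM, helpdesk, email platform exports), and treat a `KeyError` as a finding: a record class nobody has classified is exactly the data that ends up retained indefinitely.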
Review your third-party integrations. Some Shopify apps request access to customer data they don't need. Before installing a recommendation engine, review what data it captures. Does it track health-related product views? Can you disable that feature?
Your privacy policy should list what special category data you collect and why. Be honest. If you're inferring health information from purchase behavior or product searches, say so. Customers can then make informed choices about shopping with you.
By narrowing what you collect, you reduce consent management overhead, lower DSAR response complexity, and shrink your exposure if a breach occurs. Less special category data in your systems means less to protect.