
Art. 9 RODO -- Sensitive Data Detection

Article 9 of RODO (the Polish name of the General Data Protection Regulation, GDPR) defines special categories of personal data that require additional protection. VaultProxy detects references to these categories in prompts and flags them so that your application can decide how to handle the request.

What Is Art. 9?

Art. 9 RODO prohibits the processing of certain categories of personal data unless specific legal grounds apply. These categories are considered particularly sensitive because their misuse could lead to discrimination or significant harm.

Info: Unlike standard PII (PESEL, names, phone numbers), Art. 9 data is flagged, not anonymized. This is because Art. 9 data is often contextual and integral to the meaning of a prompt. Anonymizing it could make the prompt meaningless.

Detected Categories

VaultProxy detects all 8 categories defined by Art. 9 RODO:

1. Health Data (Dane dotyczące zdrowia)

Information about a person's physical or mental health, including medical history, diagnoses, treatments, and disabilities.

Example keywords: choroba, diagnoza, leczenie, szpital, lekarz, rak, cukrzyca, depresja, insulina, operacja, recepta, niepełnosprawność

Example input:

Pacjent ma cukrzycę typu 2 i jest leczony insuliną od 3 lat.

Result: Request proceeds. Response includes flag: art9_categories: ["health"]

2. Religious or Philosophical Beliefs (Przekonania religijne lub światopoglądowe)

Information about a person's religion, faith, spiritual beliefs, or philosophical worldview.

Example keywords: katolik, muzułmanin, protestant, ateista, wierzący, religia, wyznanie, kościół, meczet, synagoga, modlitwa

Example input:

Pracownik jest praktykującym katolikiem i potrzebuje wolnego w święta.

Result: Request proceeds. Response includes flag: art9_categories: ["religion"]

3. Political Opinions (Poglądy polityczne)

Information about political party membership, voting preferences, or political views.

Example keywords: partia, polityczny, lewica, prawica, głosować, wybory, poseł, senator, członek partii, sympatyk

Example input:

Klient jest sympatykiem partii opozycyjnej i uczestniczy w demonstracjach.

Result: Request proceeds. Response includes flag: art9_categories: ["political"]

4. Trade Union Membership (Przynależność związkowa)

Information about membership in trade unions or labor organizations.

Example keywords: związek zawodowy, związkowiec, NSZZ, Solidarność, strajk, działacz związkowy, członek związku

Example input:

Pracownik jest członkiem NSZZ Solidarność od 2015 roku.

Result: Request proceeds. Response includes flag: art9_categories: ["union"]

5. Sexual Orientation (Orientacja seksualna)

Information about a person's sexual orientation or sex life.

Example keywords: orientacja seksualna, heteroseksualny, homoseksualny, biseksualny, LGBT, partner życiowy, związek jednopłciowy

Example input:

Pracownik poinformował o swojej orientacji seksualnej w formularzu.

Result: Request proceeds. Response includes flag: art9_categories: ["orientation"]

6. Racial or Ethnic Origin (Pochodzenie rasowe lub etniczne)

Information about a person's racial or ethnic background.

Example keywords: pochodzenie etniczne, rasa, narodowość, Romowie, mniejszość, etniczna, imigracja, uchodźca

Example input:

Osoba deklaruje przynależność do mniejszości romskiej.

Result: Request proceeds. Response includes flag: art9_categories: ["ethnic"]

7. Genetic Data (Dane genetyczne)

Information derived from genetic testing or analysis.

Example keywords: DNA, genetyczny, genom, mutacja, badanie genetyczne, dziedziczny, kariotyp, sekwencjonowanie

Example input:

Wynik badania genetycznego wykazał mutację w genie BRCA1.

Result: Request proceeds. Response includes flag: art9_categories: ["genetic"]

8. Biometric Data (Dane biometryczne)

Data resulting from specific technical processing of physical or behavioral characteristics that allows unique identification.

Example keywords: odcisk palca, biometryczny, rozpoznawanie twarzy, skan siatkówki, biometria, dane biometryczne

Example input:

System wymaga weryfikacji biometrycznej za pomocą odcisku palca.

Result: Request proceeds. Response includes flag: art9_categories: ["biometric"]

Detection Method

VaultProxy uses keyword matching that accounts for Polish inflection to detect Art. 9 categories:

  1. Keyword lists -- Each category has a curated list of Polish keywords and phrases.
  2. Inflected forms -- Polish is a highly inflected language. VaultProxy matches keyword stems and common declensions (e.g., cukrzyca, cukrzycę, cukrzycą, cukrzycy).
  3. Context awareness -- Keywords are matched in context to reduce false positives. For example, "kościół" (church) alone may refer to a building, but "chodzi do kościoła regularnie" (goes to church regularly) indicates religious belief.
  4. Multi-category detection -- A single prompt can trigger multiple Art. 9 categories.
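The four points above can be seen working together in the following added example. It is illustrative code written for this page, not VaultProxy's detector, and its stem tables and context patterns are constructed and deliberately abbreviated: a stem is matched as a word prefix to absorb declensions, ambiguous words such as "kościół" or "orientacja" are only counted when a context pattern confirms the category, and every category table is scanned so that one prompt can yield several categories.

```python
import re
from typing import Dict, List

# Constructed, abbreviated stem tables for this example (hypothetical; they are
# not VaultProxy's curated keyword lists). A stem is matched as a word prefix, so
# the common Polish declensions collapse onto one entry: "cukrzyc" covers
# cukrzyca, cukrzycę, cukrzycą and cukrzycy. Very short stems (e.g. "rak") are
# deliberately left out: as prefixes they would also match unrelated words.
STEMS: Dict[str, List[str]] = {
    "health": ["cukrzyc", "insulin", "diagnoz", "szpital", "depresj", "niepełnosprawn"],
    "religion": ["katoli", "muzułman", "ateist", "religi", "wyznani", "modlitw"],
    "political": ["parti", "lewic", "prawic", "głosow", "wybor", "sympatyk"],
    "union": ["związek zawodow", "związkow", "strajk", "nszz", "solidarnoś"],
    "orientation": ["homoseksualn", "biseksualn", "heteroseksualn"],
    "ethnic": ["etniczn", "romsk", "mniejszoś", "uchodźc"],
    "genetic": ["genetyczn", "genom", "mutacj", "sekwencjonowan", "kariotyp"],
    "biometric": ["biometr", "odcisk", "siatkówk"],
}

# Ambiguous stems count only when a context pattern confirms the category:
# "kościół" on its own may be a building, "chodzi do kościoła" is religious
# practice; "orientacja" alone is generic, "orientacja seksualna" is Art. 9 data.
AMBIGUOUS: Dict[str, Dict[str, List[str]]] = {
    "religion": {"kości": [r"\bchodz\w*\s+do\s+kościoła\b", r"\bpraktykując\w*"]},
    "orientation": {"orientacj": [r"\bseksualn\w*"]},
}


def _stem_pattern(stem: str) -> "re.Pattern[str]":
    # Python str regexes are Unicode-aware, so \b and \w handle ą, ę, ł, ó, ś.
    return re.compile(r"\b" + re.escape(stem) + r"\w*", re.IGNORECASE)


def detect_art9(text: str) -> List[str]:
    """Return the Art. 9 categories referenced in `text`, in STEMS order.

    One prompt can reference several categories, so every table is scanned
    rather than stopping at the first hit.
    """
    found: List[str] = []
    for category, stems in STEMS.items():
        hit = any(_stem_pattern(s).search(text) for s in stems)
        # Fall back to the context-gated stems only when no plain stem matched.
        for stem, contexts in AMBIGUOUS.get(category, {}).items():
            if not hit and _stem_pattern(stem).search(text):
                hit = any(re.search(c, text, re.IGNORECASE) for c in contexts)
        if hit:
            found.append(category)
    return found


def pii_warnings(text: str) -> Dict[str, object]:
    """Shape the result like the `_pii_warnings` block documented on this page."""
    categories = detect_art9(text)
    warnings: Dict[str, object] = {
        "art9_detected": bool(categories),
        "art9_categories": categories,
    }
    if categories:
        warnings["message"] = ("Sensitive data categories detected per Art. 9 RODO. "
                               "Review your legal basis for processing.")
    return warnings


if __name__ == "__main__":
    # Constructed sample prompts; the first mirrors the two-category case.
    for prompt in [
        "Wynik badania genetycznego wykazał mutację w genie BRCA1 u pacjenta z cukrzycą.",
        "Kościół św. Anny jest zabytkiem z XIV wieku.",
        "Pracownik chodzi do kościoła regularnie.",
    ]:
        print(prompt, "->", detect_art9(prompt))
```

The prefix match is what keeps the tables short, but it is also the main false-positive risk: the shorter the stem, the more unrelated words it absorbs, which is why a production list needs exact inflected forms for short keywords and context gating for words with everyday meanings.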

Response Format

When Art. 9 data is detected, the response includes additional metadata:

{
  "choices": [...],
  "usage": {...},
  "_pii_warnings": {
    "art9_detected": true,
    "art9_categories": ["health", "genetic"],
    "message": "Sensitive data categories detected per Art. 9 RODO. Review your legal basis for processing."
  }
}

Configuration

Control Art. 9 detection behavior through the PII settings API:

curl -X PATCH https://api.vaultproxy.ai/v1/settings/pii \
  -H "Authorization: Bearer vpx_live_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "art9_detection": true,
    "art9_action": "flag"
  }'

Available art9_action values:

Action | Behavior
------ | --------
flag   | Request proceeds; warning added to response (default)
block  | Request is rejected with a 400 error
ignore | No Art. 9 detection performed

Warning: Disabling Art. 9 detection (ignore) means your application will not be warned about sensitive data in prompts. Ensure you have other compliance measures in place if you choose this option.

Processing Art. 9 data requires a specific legal basis under RODO, such as:

  • Explicit consent of the data subject (Art. 9(2)(a))
  • Employment and social security obligations (Art. 9(2)(b))
  • Vital interests (Art. 9(2)(c))
  • Legitimate activities of certain organizations (Art. 9(2)(d))
  • Data made public by the data subject (Art. 9(2)(e))
  • Legal claims (Art. 9(2)(f))
  • Substantial public interest (Art. 9(2)(g))
  • Healthcare purposes (Art. 9(2)(h))
  • Public health (Art. 9(2)(i))
  • Archiving, research, or statistics (Art. 9(2)(j))

Consult your Data Protection Officer (DPO) or legal counsel to determine the appropriate legal basis for your use case.
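What the application does with the flag is the part the proxy cannot do for you. The following added example (written for this page; not VaultProxy client code) shows one way to consume the response format and the art9_action semantics documented above: a 400 from the block action ends processing, a 200 with `_pii_warnings` is checked category by category against a policy table of legal bases the application has documented, and an audit line records the verdict without the prompt text. The policy table, the sample responses and the request id are constructed.

```python
import json
from typing import Dict, List, Optional

# Constructed policy table for this example (hypothetical): the Art. 9
# categories this application has a documented legal basis for, keyed by the
# category names VaultProxy returns and citing the Art. 9(2) ground relied on.
LEGAL_BASIS: Dict[str, str] = {
    "health": "Art. 9(2)(h) healthcare purposes",
    "genetic": "Art. 9(2)(h) healthcare purposes",
}

# Constructed sample responses (not captured from the service); the flagged one
# follows the `_pii_warnings` shape documented on this page.
FLAGGED_RESPONSE = json.dumps({
    "choices": [{"message": {"role": "assistant", "content": "..."}}],
    "usage": {"prompt_tokens": 21, "completion_tokens": 8},
    "_pii_warnings": {
        "art9_detected": True,
        "art9_categories": ["health", "union"],
        "message": "Sensitive data categories detected per Art. 9 RODO. "
                   "Review your legal basis for processing.",
    },
})
CLEAN_RESPONSE = json.dumps({"choices": [], "usage": {}})


def review_response(status: int, raw_body: Optional[str],
                    legal_basis: Dict[str, str] = LEGAL_BASIS) -> Dict[str, object]:
    """Decide whether the application may use a proxied completion.

    art9_action "block": the proxy answers 400 and there is no completion.
    art9_action "flag":  the proxy answers 200 and appends `_pii_warnings`; the
    application maps each category to its own documented legal basis and
    refuses the ones it cannot justify.
    """
    if status == 400:
        return {"allowed": False, "uncovered": [], "basis": {},
                "reason": "request rejected by proxy (art9_action=block)"}
    body = json.loads(raw_body or "{}")
    warnings = body.get("_pii_warnings") or {}
    categories: List[str] = []
    if warnings.get("art9_detected"):
        categories = list(warnings.get("art9_categories", []))
    uncovered = [c for c in categories if c not in legal_basis]
    if not categories:
        reason = "no Art. 9 data detected"
    elif uncovered:
        reason = "no documented legal basis for: " + ", ".join(uncovered)
    else:
        reason = "legal basis documented for all detected categories"
    return {
        "allowed": not uncovered,
        "uncovered": uncovered,
        "basis": {c: legal_basis[c] for c in categories if c in legal_basis},
        "reason": reason,
    }


def audit_record(request_id: str, verdict: Dict[str, object]) -> str:
    """One JSON line for the processing register: categories and verdict only,
    never the prompt or completion text, so the log itself holds no Art. 9 data."""
    return json.dumps({"request_id": request_id, "allowed": verdict["allowed"],
                       "uncovered": verdict["uncovered"], "basis": verdict["basis"],
                       "reason": verdict["reason"]}, ensure_ascii=False)


if __name__ == "__main__":
    verdict = review_response(200, FLAGGED_RESPONSE)
    print(audit_record("req-constructed-001", verdict))
```

With the constructed policy the flagged sample is refused because "union" has no documented basis even though "health" does; extending LEGAL_BASIS is a documented decision for the DPO, not a code change made in passing.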