What is Personal Data?

GDPR compliance requires knowing what personal data is. This article explains the definition and the categories of personal data.

    Introduction

    The GDPR requires organisations to handle personal data responsibly, which makes it important to understand what qualifies as personal data. 

    Every day you process personal data, whether dealing with customers, colleagues or partners. Being able to identify personal data when it is processed helps ensure compliance with the data protection principles of the GDPR.

    Definition

    Let's start by looking at how the GDPR defines "personal data" in Article 4(1):

    “..Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

    Put simply, personal data is any information that relates to an individual and either identifies them directly or contributes to their identification.

    Identifiability

    Identifiability is key when determining whether information is personal data. If any data can be linked back to an individual, directly or indirectly, it qualifies as personal data.

    Direct Identification

    Data directly identifies an individual if it’s unique to them. For instance, a national ID number is an example of such data. 

    A full name might also directly identify someone, but this depends on uniqueness—e.g., there are hundreds of people named “Michael Smith”, so a name alone might not always suffice.

    Indirect Identification

    An individual can also be identified through a combination of non-unique details. 

    Example - Police Appeals

    Police might issue a description of a wanted person, including their height, gender, clothing, and last known location. None of these details, in isolation, are unique, but combined, they can uniquely describe a person. So, while the person's name isn’t known, the combination of details makes them identifiable.

    Example - Addresses

    A street address isn’t automatically personal data as it could belong to a business with thousands of employees. However, a single-occupancy residence (e.g., a dormitory room) could qualify, as it links directly to one individual. If additional details like a first name (“Peter”) are added, even shared addresses may become identifying.

    Means of Identification

    You don’t need to personally identify someone for data to be considered personal information. If someone else, such as an internet service provider or an authority, has the means to identify the individual based on the data, it is still classified as personal data.

    Example: National ID

    If you have someone’s national ID number but no access to the registry, you might not be able to identify them yourself. However, since others can use the ID number to do so, it remains personal data.

    Example: IP Address

    An IP address serves as a unique identifier for internet users. Even if you cannot directly link an IP address to an individual, their internet service provider likely can. 

    Internet service providers keep a record of the IP addresses they assign to their customers, meaning they can link an IP address to a specific individual. For this reason, an IP address is considered personal data under GDPR. However, if you have a list of IP addresses from visitors to your website, you wouldn’t be able to directly identify those individuals. Despite this, IP addresses are still classified as personal data because they could be traced back to a person if accessed by the internet service provider or relevant authorities.

    Categories of Personal Data

    Having knowledge of the different categories of personal data is important, as each category may require its own legal basis for processing. Before starting any new data processing activities, employees must make sure they have the appropriate legal basis in place.

    Non-sensitive Personal Data

    Non-sensitive personal data refers to any personal data that doesn’t fall under the categories of sensitive personal data (officially known as “special categories of personal data”), national ID numbers, or criminal records. Processing this type of data must have its legal basis under GDPR Article 6(1). The following sections go into more detail on what non-sensitive personal data could be.

    Other Types of Identification

    There are several identification numbers that directly relate to an individual but don’t fall under the category of national identification numbers, which are treated separately. Examples include:

    • Passport numbers
    • Driver’s licence numbers
    • ID numbers
    • Patient numbers (e.g., medical record numbers)
    • Licence plate numbers
    • Vehicle identification numbers

    Digital footprints

    Digital footprints are made up of data created through an individual’s use of digital devices and the internet. This information can provide insights into a person’s online behaviour and preferences. Examples of digital footprint data include:

    • Video recordings
    • Browser fingerprints
    • Device fingerprints
    • Cookies
    • IP addresses
    • MAC addresses
    • Operating system (OS) details
    • Location data (including GPS)
    • Browser history
    • User IDs or login names
    • Passwords
    • Online aliases
    • Social media profiles
    • VoIP usernames (e.g., Skype)
    • Logs
    • Device IDs (e.g., IMEI, ICCID, IMSI)
    • Tracking IDs (e.g., UDID, IDFA, IDFV)
    • Referring websites
    • Search history

    Under GDPR, these types of data are considered personal data when they can directly or indirectly identify an individual.

    Property Information

    Property information relates to data about an individual’s assets, such as their home, vehicles, or other valuables. This data may include details about ownership, value, and location, and can potentially be used to identify a person or understand their financial situation and lifestyle.

    Family Information

    Family information would be data about a person’s marital status, family relationships, and close connections. Examples include:

    • Marital status
    • Family details
    • Divorce records
    • Information about adoptions
    • Adoption records
    • Family disputes
    • Emergency contact details

    Photographs/Videos

    Photographs and videos hold visual data that can identify individuals and provide information about their appearance, behaviour, environment, social interactions, and the time and location of a recording. This combined data offers a glimpse into a person’s life and activities.

    Contact Information

    To contact and communicate with someone, it’s usually necessary to have their name or, for example, a username, along with a method of communication. Examples of contact information include:

    • Name
    • Address
    • Email
    • Phone number
    • Aliases
    • Birth name
    • Postcode
    • Customer number
    • Initials

    Customer Information

    Customer information refers to data about an individual’s interactions with a business. Examples include:

    • Bank account details
    • Services provided to the individual
    • Transaction details
    • Purchase history

    Employee Information

    Employee information pertains to data about a staff member’s role, experience, and work-related incidents. Examples include:

    • Job title
    • Workplace warnings
    • Employee surveys
    • Details of harassment incidents
    • Workplace accidents
    • Position or seniority level

    Financial Information

    Financial information covers data about an individual’s income, assets, debts, and overall financial situation. This includes details such as bank accounts, salaries, pensions, and expenses. Examples of financial data include:

    • Account number
    • Salary
    • Income and assets
    • Bonuses and other benefits
    • Recipients of social benefits
    • Early retirement information
    • Pension savings
    • Debts
    • Credit card details (including credit card number)
    • Registration in a debtors' registry (e.g., RKI)
    • Tax information

    Personal Characteristics

    Personal characteristics cover data that describes an individual’s characteristics and life circumstances, such as their age, gender, nationality, interests, and residential history. Examples include:

    • Age
    • Gender
    • Citizenship
    • Place of birth
    • Dietary preferences (e.g., vegan, vegetarian, pescatarian)
    • Long-term unemployment
    • Homelessness
    • Conscientious objection to military service
    • Hobbies and interests
    • Other identifiable images of a person
    • Immigration status
    • Previous citizenships
    • Residential history
    • Military service history

    Education and CV

    Education and CV data refers to information about an individual’s academic background, qualifications, and achievements. Examples include:

    • Education details
    • Diplomas and certificates
    • Transcripts
    • Grades
    • Student ID number
    • School attendance
    • Absences or suspensions
    • Discontinued studies
    • Repeated attempts (e.g., courses or academic years)
    • Expulsions
    • Completed courses
    • CV (Curriculum Vitae)
    • Honours or awards
    • Prizes

    National Identification Number

    A national identification number uniquely identifies an individual and is primarily used for administrative purposes within the public sector to ensure accurate identification or as a reference number. It may also be used in the private sector if allowed by law or with explicit consent.

    Processing a national identification number must comply with relevant national laws. In Denmark, for instance, this is regulated under §11 of the Danish Data Protection Act.

    Criminal Offences and Convictions

    Processing personal data about criminal convictions or offences requires a legal basis under GDPR Article 6(1) and must also have a legal basis in Article 10.

    Data related to criminal convictions and offences includes information about an individual’s past or current criminal activities, such as:

    • Convictions
    • Fines
    • Probation
    • Imprisonment

    This type of data can significantly impact a person’s employment prospects, social relationships, and public reputation. Therefore, it must be handled with the utmost care to comply with GDPR and minimise the risk of misuse or harm to the individual.

    Sensitive Personal Data

    Under GDPR, sensitive personal data must not be processed unless there is a specific legal basis for doing so. The regulation explicitly states that processing such data is “prohibited” unless strict conditions are met. This makes it important for everyone in an organisation to understand what qualifies as sensitive personal data to ensure compliance with the law.

    To process sensitive personal data, a legal basis under GDPR Article 6(1) is required, along with an additional legal basis specified in Article 9(2).

    Personal data are classified as sensitive because their misuse could result in negative consequences for the individuals concerned, including persecution or discrimination. Factors such as ethnicity, political or religious beliefs, or health status are often the basis for such harm, restricting individuals' ability to live freely.

    When you consider the list of sensitive personal data, it’s clear that improper handling can cause significant personal harm. This is why processing such information without a lawful basis is strictly regulated under GDPR.

    GDPR Article 9(1) provides a specific list of the types of data classified as sensitive personal data, which are reviewed in the sections below.

    Biometric Identification

    Biometric data refers to personal data derived from specific technical processing of an individual’s physical, physiological, or behavioural traits. This type of data is used to enable or confirm the unique identification of a person—for example, facial images or fingerprint information.

    Examples of Biometric Personal Data:

    • Fingerprints
    • Iris scans
    • Photos (used for facial recognition or other identifiable features)
    • Blood vessel patterns in the hand
    • Retina scans
    • Keystroke dynamics
    • Gait (the way a person walks)
    • Voice
    • Handprints
    • Hand geometry
    • Brainwave patterns (via ultrasound)
    • Heart rhythm (via ultrasound)
    • Voice recognition
    • Scent
    • Handwriting
    • Facial features

    Trade Union Membership

    Information about trade union membership is classified as sensitive personal data under GDPR. This includes details such as:

    • Membership in a trade union
    • Participation in union activities
    • Contributions to the union
    • Roles or functions within the union, such as acting as a union representative or board member

    Philosophical Beliefs

    Data about an individual’s philosophical beliefs is also considered sensitive personal data. Examples include:

    • Affiliation with philosophical organisations
    • Donations to such organisations
    • Participation in their activities
    • Other similar forms of involvement

    Genetic Information

    Genetic data, such as DNA and RNA information, is classified as sensitive personal data because it contains highly specific details about an individual’s biological traits. These data can reveal:

    • Hereditary diseases
    • Health risks
    • Unique biological characteristics

    Health Information

    Health information includes all personal data related to an individual’s physical or mental health, offering insights into their past, present, or future health conditions. Examples include:

    • Physical health
    • Mental health
    • Resignation due to illness
    • Information about suicide attempts
    • Disability benefits
    • Stays in psychiatric facilities
    • Medication use
    • Substance abuse (e.g., drugs or alcohol)
    • Disabilities
    • Long-term sick leave
    • BMI (Body Mass Index)
    • Complicated pregnancies
    • Hereditary illnesses in immediate family
    • Allergies
    • Health tests
    • Drug tests
    • Pregnancy
    • Blood type
    • X-rays
    • Height
    • Weight
    • Saliva tests
    • Heart rhythm
    • Sleep patterns
    • Blood pressure
    • Use of medical devices

    Political Opinions

    Information about a person’s political opinions includes their views, perspectives, and affiliations with political parties or movements. Examples include:

    • Membership in political organisations
    • Participation in political activities
    • Donations to political campaigns
    • Statements on political issues

    This information can reveal an individual’s values, beliefs, and ideological stance, which could impact their privacy or public reputation. Political opinions are classified as sensitive personal data under GDPR.

    Race/Ethnicity

    Data about race and ethnicity pertains to an individual’s cultural background, origin, or affiliation with specific ethnic groups. Examples include:

    • Skin colour
    • Language
    • National or cultural traditions
    • Family heritage

    This data is considered sensitive personal information as it can be used to discriminate or treat individuals unfairly.

    Religious Beliefs

    Religious beliefs involve data about a person’s faith, religious affiliation, or practices. Examples include:

    • Membership in a religious community
    • Participation in rituals or observances
    • Personal religious beliefs

    This data is sensitive under GDPR due to the potential for misuse or discrimination.

    Sexual Life

    Information about an individual’s sexual life includes details about their intimate relationships and behaviours, such as:

    • Information on sexually transmitted diseases
    • Contraceptive choices
    • Sexual activities

    This is highly sensitive personal data that requires strict protection under GDPR to safeguard against misuse or harm.

    Sexual Orientation

    Sexual orientation data refers to a person’s emotional and romantic attraction, such as being attracted to the same gender, the opposite gender, or multiple genders. This data reflects an individual’s identity and is sensitive because it may lead to stigma or discrimination. As such, it is categorised as sensitive personal data under GDPR.

    Summary

    In this article, we’ve defined personal data and explored the various categories of personal data as outlined in the GDPR.

    It’s essential that all colleagues are able to recognise personal data in their work. This helps ensure, for instance, that no new processing activities involving personal data are undertaken without a lawful basis under the GDPR.

    Frequently Asked Questions About Personal Data

    What is personal data under GDPR?

    Personal data is any information relating to an identified or identifiable natural person. This includes direct identifiers like name, identification numbers, and location data, as well as indirect identifiers that can identify a person when combined, such as IP addresses, cookie identifiers, or genetic and biometric data.

    What are examples of personal data?

    Examples include names, email addresses, phone numbers, home addresses, date of birth, social security numbers, IP addresses, cookie identifiers, employee ID numbers, bank account details, photographs, location data, medical records, biometric data, and any other information that can directly or indirectly identify a person.

    What is the difference between personal data and sensitive personal data?

    Personal data is any information that can identify a person. Sensitive personal data (special categories under GDPR Article 9) includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data about sexual life. Sensitive data requires additional legal bases and stronger protections.

    Is an IP address considered personal data?

    Yes, IP addresses are generally considered personal data under GDPR because they can be used to identify an individual, either directly or in combination with other information held by internet service providers or other parties. This applies to both static and dynamic IP addresses.

    Is anonymised data still personal data?

    Truly anonymised data, where the individual can no longer be identified by any means, is not personal data and falls outside GDPR scope. However, pseudonymised data, where identifiers are replaced but re-identification remains possible, is still personal data and subject to GDPR requirements.

    What about employee data - is that personal data?

    Yes, all information relating to employees is personal data, including names, addresses, salary information, performance reviews, health records, bank details, and HR records. Organisations must comply with GDPR when processing employee data, including having a legal basis and maintaining appropriate security.

    How do I identify what personal data my organisation processes?

    Conduct a thorough data mapping exercise by reviewing all departments, systems, and processes where personal data might be involved. Examine customer databases, employee records, marketing systems, financial systems, IT logs, and any other tools that handle information about identifiable individuals.

    Does GDPR apply to data about deceased persons?

    GDPR does not directly apply to data about deceased persons, as it protects living individuals. However, some EU member states have implemented national laws that extend certain data protection rights to deceased persons. It is worth checking your national legislation for specific requirements.

    What is pseudonymised data?

    Pseudonymised data is personal data that has been processed so that it can no longer be attributed to a specific individual without additional information. The additional information must be kept separately with technical and organisational measures. Pseudonymised data is still personal data under GDPR but may benefit from certain relaxations.

    What obligations do I have when processing personal data?

    When processing personal data, you must have a valid legal basis, inform individuals about the processing, ensure data accuracy, implement appropriate security measures, maintain Records of Processing Activities, respect data subject rights, only retain data as long as necessary, and be able to demonstrate compliance with all GDPR principles.
