GDPR: What are the categories of personal data?

The GDPR distinguishes three categories of personal data, and an organization may freely process only one of them. The introduction of a single European privacy law across the EU member states led to the implementation of the General Data Protection Regulation (GDPR) by the Dutch government. A consequence is that an organization may only process someone’s personal data if one of the GDPR principles applies and the data belongs to the ‘ordinary’ (normal) category of personal data. Organizations are prohibited from processing ‘special’ personal data, and the processing of ‘criminal’ personal data is likewise prohibited.


  • What is ‘personal data’ according to the GDPR?
  • Types or categories of personal data
  • Ordinary personal data
  • Examples of ordinary personal data
  • Special personal data
  • Examples of special personal data
  • Criminal personal data
  • Examples of criminal personal data
  • Prohibition on processing ‘special’ and ‘criminal’ personal data


What is ‘personal data’ according to the GDPR?

Personal data is all data that:

  • relates to the identity of a person, and;
  • data by which the identity of a person can be traced.


Types or categories of personal data

It goes without saying that an organization may not process all data about a person. The GDPR therefore distinguishes three categories of personal data, and each category has its own bases on which an organization may process that data. An organization may process personal data from only one category without a specific exception: the ‘ordinary personal data’. Even then, this is only allowed if (at least) one of the GDPR principles applies. Data belonging to one of the other categories, ‘special personal data’ and ‘criminal personal data’, may not be processed by an organization unless an exception applies. The reason for this is that one of the purposes of the GDPR is to protect the privacy rights of persons in the EU.

The GDPR distinguishes between 3 categories of personal data:

  1. ordinary personal data
  2. special personal data
  3. criminal personal data


Ordinary personal data


The first category of personal data is ‘ordinary personal data’. Ordinary personal data is the only category that an organization may process whenever there is a basis for this in the GDPR. In other words: an organization may only process someone’s personal data if it belongs to the category of ‘ordinary personal data’ and one of the 6 principles of the GDPR applies.

Examples of ordinary personal data

Examples of ‘ordinary personal data’ are data about a person’s:

  • name
  • address
  • residence
  • date of birth
  • e-mail address
  • phone number


Special personal data


Data that concerns personally sensitive information belongs to the category ‘special personal data’, and organizations are generally prohibited from processing it. Article 9 of the GDPR describes how the processing of special personal data should take place. Examples of special personal data are a person’s genetic data, or information about a person’s religious and political preferences. Data about someone’s health (medical data) is also special personal data. An organization may not simply process special personal data: because it concerns highly sensitive information, one of the purposes of the GDPR is to provide extra protection for its processing. There are a number of exceptions under which an organization is permitted to process special personal data. This is, for example, the case if a person gives the organization explicit permission to process his or her special personal data. Another example is when there is a compelling medical interest. In all cases, the processing of special personal data may not conflict with provisions of Union or Member State law.

Examples of special personal data

Examples of ‘special personal data’ are data about a person’s:

  • racial or ethnic origin
  • political views
  • religious beliefs
  • philosophical beliefs
  • membership of a trade union
  • health (medical data)
  • sexual preference
  • sexual behavior
  • genetic data
  • biometrics for the purpose of unique identification


Criminal personal data


The third category of personal data is ‘criminal personal data’. This is data that provides information about a person’s criminal history. Article 10 of the GDPR describes how the processing of criminal personal data should take place. Just like the processing of ‘special personal data’, the processing of ‘criminal personal data’ is prohibited. There are a number of exceptions to this, such as when the processing takes place under government supervision and is permitted under the provisions of Union or Member State law. The GDPR applies the prohibition on processing criminal personal data much more strictly than the prohibition on processing special personal data, which is why criminal personal data forms a separate category.

Examples of criminal personal data

Examples of ‘criminal personal data’ are data about a person’s:

  • criminal convictions;
  • criminal offenses of which the person is suspected;
  • security measures (imposed by the court) regarding criminal offenses or convictions of the person;
  • ban (imposed by the court) due to annoying or unlawful behavior of the person.


Prohibition on processing ‘special’ and ‘criminal’ personal data

It is (usually) prohibited for an organization to process personal data that belongs to the categories of special personal data or criminal personal data. If an organization nevertheless processes data from one of these categories, it may be fined by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP).

Accountability of organizations

Under the so-called ‘accountability obligation’, the ‘responsible organization’ must be able to account to the European privacy supervisor for the manner in which it processes personal data. If an organization does not process personal data in accordance with the GDPR, it may be fined up to millions of euros. Only in an exceptional case, that is, when an organization can rely on a specific exception laid down in law, may it process data that belongs to the categories of special personal data or criminal personal data.
