Differences between personal data and sensitive data (for GDPR)


The GDPR aims to modernise the European legal framework for personal data. It also aims to strengthen the rights of individuals and to improve the clarity and coherence of European regulation.

This is why some types of data must be handled under stricter rules than others.

Not all personal data is equally sensitive.

Sensitive data, also called special-category data, has to be treated differently.

The GDPR makes a clear distinction between sensitive and non-sensitive personal data.

What is “personal data” according to GDPR?

Under Article 4(1), personal data is any information relating to an identified or identifiable natural person. In practice this covers:

  • Direct identifiers such as first name, last name, phone number or email address.
  • Indirect identifiers and pseudonymised data: information that does not name the person outright but still allows an individual to be singled out and their behaviour tracked (for example a customer ID or a device identifier).

The GDPR distinguishes direct identifiers from pseudonymised data. It encourages the use of pseudonymisation and states, in Recital 28, that:

“The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.”

Pseudonymisation is not anonymisation: it neither fully dissociates the data from the person nor makes the link impossible to reverse, because the party concerned can always be identified again using the additional information (the key or lookup table) that was set aside. Unlike anonymised data, pseudonymised data therefore remains personal data under the GDPR.

The process still gives the people affected greater protection, since the controller keeps that additional information separately and limits access to it to specific authorised persons, which reduces the risk of the processing.
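The following is an added example, not code from the article or from Pridatect, showing what the paragraphs above describe: direct identifiers are replaced by a keyed token, the key and lookup table are held separately as the "additional information", and an authorised holder of that information can reverse the process (so the output is still personal data). It also contrasts this with true aggregation, which links to nobody, and with the common mistake of using an unkeyed hash as a "pseudonym", which can be reversed by simple enumeration. The records, key and phone-number format are constructed for illustration.

```python
"""Pseudonymisation versus anonymisation: why the first is still personal data.

Added example; not code from Pridatect or the article. Records, key and phone
numbers are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records: two purchases by one person, one by another.
RECORDS = [
    {"name": "Ana Perez", "phone": "+34600000001", "purchase": "book"},
    {"name": "Ana Perez", "phone": "+34600000001", "purchase": "lamp"},
    {"name": "Li Wei", "phone": "+34600000002", "purchase": "book"},
]

DIRECT_IDENTIFIERS = ("name", "phone")


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed token (HMAC-SHA256) per subject.

    Returns (pseudonymised_records, lookup_table). The key and the lookup table
    are the "additional information" of GDPR Art. 4(5): kept separately, under
    access control, they let authorised staff reverse the process. Because that
    reversal is possible, the output is still personal data.
    """
    pseudo_records, lookup = [], {}
    for rec in records:
        identity = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        token = hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        # Same person, same token: behaviour remains linkable across records.
        pseudo["subject_id"] = token
        pseudo_records.append(pseudo)
    return pseudo_records, lookup


def reidentify(pseudo_records, lookup):
    """Authorised reversal: join each token back to the identifiers it replaced."""
    return [
        {**lookup[rec["subject_id"]], **{k: v for k, v in rec.items() if k != "subject_id"}}
        for rec in pseudo_records
    ]


def anonymise_counts(records, field="purchase"):
    """Aggregation with no per-subject identifier: nothing here links back to a person."""
    counts = {}
    for rec in records:
        counts[rec[field]] = counts.get(rec[field], 0) + 1
    return counts


def unkeyed_token(phone):
    """The tempting shortcut: a plain SHA-256 of the identifier, with no secret key."""
    return hashlib.sha256(phone.encode()).hexdigest()


def brute_force_unkeyed_token(target, prefix, width):
    """Why the shortcut fails: a phone-number space is small enough to enumerate.

    Anyone who guesses the format can recompute every candidate hash and recover
    the number without any lookup table, so no "additional information" is held
    separately at all. The prefix and width are assumptions about the format.
    """
    for i in range(10 ** width):
        candidate = f"{prefix}{i:0{width}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: in a KMS/HSM, never beside the data
    pseudo, table = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseudo)
    print("re-identified:", reidentify(pseudo, table))
    print("anonymised counts:", anonymise_counts(RECORDS))
    leaked = unkeyed_token("+34600000001")
    print("unkeyed hash reversed to:", brute_force_unkeyed_token(leaked, "+3460000", 4))
```

Two practical points follow from this. First, the pseudonymised records still share one `subject_id` for the same person, which is exactly the "individualising behaviours" the article mentions, so they stay in scope of the GDPR. Second, the protection comes entirely from where the key and lookup table live: store them in a separate system with its own access control, not in the same database as the tokens. The aggregate counts, by contrast, carry no identifier at all, which is what anonymisation looks like.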

What is sensitive data?

Article 9 of the regulation establishes the special categories of personal data, commonly called sensitive data, that require special protection. Because of their nature, and because of their relation to the rights and fundamental freedoms of individuals, processing them could create a high risk for the data subject, so they are subject to specific provisions.

What is considered sensitive data under GDPR

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data processed in order to uniquely identify an individual
  • Data concerning health, sex life or sexual orientation

Prohibition to process sensitive data

The GDPR prohibits the processing of these categories of sensitive data, subject to specific exceptions, including:

  • The data subject has given explicit consent to the processing for one or more specified purposes.

As we said in GDPR after Brexit, consent is the pivotal issue with regards to data protection.

  • Processing within the framework of the legitimate activities of a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, relating to its members or to people in regular contact with it.
  • Processing necessary under EU or member-state law for reasons of public interest, for example obligations in the field of employment, social security and social protection, preventive or occupational medicine, or public health such as serious cross-border threats to health.

This links heavily to an extremely hot topic, Data protection and coronavirus, and what changes there are in regards to privacy and crisis information sharing.

GDPR is a difficult and complex subject, and failure to comply can and does result in fines, as we discussed before with regard to international data transfers in GDPR after Brexit. It does not matter whether your company is a behemoth with billions in revenue or a small startup with only a few employees: non-compliance results in penalties.

It sounds stressful and, to be honest, it can be. So we have put together a free pack for you to use. It does much of the work for you and provides useful guidance to help you ensure compliance, whether you have been doing this for a while or are new to data protection and do not yet know the difference between data mapping and recording processing activities. Try the pack for free and immediately make your life easier by saving yourself time and money.

Download my free GDPR compliance starter pack.

As always, if you’ve got any questions about GDPR, want a demo of how the software can help you, or maybe there’s something in the article you’re not quite sure about, feel free to contact us and one of our data protection experts will answer your query.


Article written by

Lisa Hofmann

Chief of Legal Operations at Pridatect | Legal specialist certified in data protection by TUEV, the German security-related services institution. Extensive experience helping companies achieve privacy compliance.
