It is important for all businesses to comply with the GDPR rules on the use of personal data. Get an overview of what kinds of personal data exist and in which cases you are allowed to process and store personal data.
General information on personal data
The Data Protection Authority defines personal data as "any form of information which can be attributed to a specific individual, even if the individual can only be identified if the information is combined with other information".
Personal data can for example be address, registration number, pictures, payment information, medical records or biological material. When it is possible in practice to identify a natural person from the information or in combination with other information, this constitutes personal data.
In our digital world, it is important to remember that AI and other technology are increasingly used to process personal data. Be cautious about how you use such technology and about the risks it introduces when handling personal and sensitive data.
We furthermore recommend having good information security in place in case of a data breach, so you know how to act and how to secure the valuable data.
Categories of personal data
The GDPR divides personal data into three types:
- Personal data (non-sensitive data).
- Special categories of personal data (sensitive data).
- Data relating to criminal convictions and offences.
In addition, a distinction is also made between confidential data and social security numbers.
General personal data
General personal data includes all data that is not classified as special categories of data (sensitive personal data).
For example, it may include identifying information such as name, address, telephone number, e-mail and age. It also includes financial matters such as taxes and debts and private matters such as family relationships, housing and diplomas.
You are usually entitled as a business to process personal data about a customer because you are entering into a commercial relationship through an agreement/contract and it is therefore necessary to process the data in order to provide a product or service to the customer.
Sensitive personal data is unambiguously defined in the GDPR and because it is categorised as "sensitive", it requires special considerations when processing it as a business, association or authority. The scope for processing such data is also narrower than for ordinary personal data.
Sensitive personal data is information about:
- Racial and ethnic origin
- Religious or philosophical beliefs
- Political beliefs
- Trade union membership
- Biometric data for unique identification
- Genetic data
- Health data
- Sexual relations or sexual orientation
The list is exhaustive, so all data and only the data mentioned above can be classified as sensitive personal data.
Processing sensitive personal data is in principle prohibited by the Data Protection Regulation. However, there are a number of exceptions that make it legal for companies to process an individual's sensitive data. This is the case, for example, if an individual has given their explicit consent for their sensitive personal data to be processed.
Information about criminal offences
As a general rule, a company may not process data relating to criminal offences. The GDPR treats information on criminal offences as personal data, and it is therefore regulated separately in the Data Protection Act.
The concept of criminal offences includes not only information on violations of the law, but also other sanctions, such as disqualification.
If it is possible to infer from a data item that a person has committed an offence, then the data item can be classified as a criminal data item.
In some cases, companies may be allowed to process criminal information. This is the case, for example, if:
- An employee has done something illegal and it is necessary to report the employee to the police.
- A criminal record or a child certificate must be obtained when hiring an employee.
Confidential data is a special category of data that is not explicitly described by the GDPR, but where there are specific protection needs that may be relevant for the purposes of the GDPR rules.
Confidential information may include income, employment, education and training data. It can also be information about internal family relationships and accidents.
Whether information is confidential or not depends on whether the information is, according to the general perception of society, something that the public should not be required to know.
Sensitive personal data is always confidential information, but confidential information is not necessarily sensitive information.
Social security numbers are not sensitive personal information, but special conditions apply to personal identity numbers as they are confidential information.
A company is not allowed to process a customer's social security number unless a specific law requires it, for example if you as a bank or employer have to report the social security number to SKAT.
You must have a legitimate reason
If the company has an objective reason to process the customer's CPR number, then the company can ask for a customer's consent.
A valid reason will typically be that it is important for the service provided to the customer that the customer is correctly identified. Examples might be if the data subject has:
- A gym membership
- A subscription with a mobile phone company
In this case, there is a need to ensure unique identification of the customer, for example in the context of payments. The CPR number must be encrypted if it is transmitted via websites or e-mail.
Processing of personal data
Processing of sensitive data is allowed if the data subject has given his/her consent to the processing.
For consent to be valid, it must be given voluntarily and unambiguously. It is also important that the data subject is informed of the specific purposes for which his or her personal data will be used and how the company will store the personal data.
In addition, a data subject's consent can always be withdrawn. If a company has started processing on the basis of consent, it is bound by the purpose the data subject was informed of when the consent was given.
What if you don't have consent?
It is in fact also allowed to process sensitive personal data without consent if the data subject has made the data public beforehand.
In addition, companies may process sensitive personal data if necessary for:
- The data subject's employment, health and social security obligations and rights
- The vital interests of the data subject or another natural person, if consent is impossible
- A political, philosophical, religious or trade union non-profit organisation processing membership data or regular contact data
- The establishment or processing of a legal claim
- Processing for archival, scientific or historical research purposes or for statistical purposes
- Processing of a health professional nature within the healthcare sector
- Essential public interests
Specific rules on children's personal data
Data protection rules provide for special protection of personal data relating to children. This applies in particular to personal data from information society services such as social media.
In these cases, companies must obtain the consent of the person holding parental authority, and this consent must be documented. All information addressed to children must be written in a simple way that children can understand.
This post has been updated on 24-07-2023 by Sofie Meyer.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.