Differences between personal data and sensible data for GDPR purposes

Differences between personal data and sensible data for GDPR purposes

The GDPR aims to modernize the European legal system related to data protection, strengthen the rights of individuals, and improve clarity and coherence of the European regulation.

That is why it is important to highlight that there are data that due to their relevance and importance for privacy should be treated and stored with greater care and fulfilling a series of requirements. Not all personal data are equal before the regulation.

This data is known as sensitive or specially protected data. The GDPR makes a clear distinction between sensitive and non-sensitive personal data.

What are “personal data” according to the GDPR?

Let’s explain what are “personal data” in terms of law. Personal data refer to everything that contains:

  • Direct identification information such as first name, last name, phone number, etc.
  • Pseudonymized data or non-direct identification information that does not allow the direct identification of users, but allows individualizing behaviors

The GDPR makes a clear distinction between direct identification information and pseudonymized data. The GDPR encourages the use of pseudonymized information and expressly states that “the use of pseudonymization in personal data may reduce the risk associated with data management and help controllers and processors to comply with their data protection obligations”.

Pseudonymization does not imply a complete anonymization or complete dissociation of the data or the impossibility of reversion of the same, since there is always the possibility of identifying the party concerned through additional information. Unlike anonymization, it is considered as personal data by the GDPR.

This process is intended to ensure greater respect to privacy of those affected, since despite personal data considered, the controller limits the access to certain authorized persons, and therefore minimizes the risk in the processing.

What are sensitive data?

The Regulation establishes in Article 9 the special categories of data that refer to sensitive data that require special protection, since by their nature or by the relation they have with the rights and fundamental freedoms of individuals, and they are subject to specific provisions when their processing could imply high risk in data protection.

This new European regulation considers sensitive data those referring to:

  • Racial or ethnic origin
  • Political views
  • Religious or philosophical beliefs
  • Union membership
  • Genetic data
  • Biometric data in order to uniquely identify an individual
  • Those data related to health or sex life and/or sexual orientation

Prohibition to process sensitive data

The GDPR establishes by default the prohibition of processing of these categories of sensitive data with specific exceptions:

  • In case that the party concerned has given his or her explicit consent.
  • Within the framework of legitimate activities performed by associations or foundations whose objective is to enable the exercise of fundamental freedoms.
  • When there is a public interest based on the current legislation of every EU country. For example, in work environment, social protection, pensions, health and other serious threats for health.

Pridatect can help you with the GDPR adaptation of your clients. Contact us for more information!