What is personal information really and when should we process it? With growing awareness of data protection and privacy online, it is necessary to be aware of how, as a business, you become compliant with the personal information you collect.

What is personal information?

In short, personal information is a type of information that can help identify a person. Personal data is divided into two categories: regular personal data and sensitive personal data / sensitive personal information.

The two categories can be similar and difficult to separate. But from a legal point of view, they are completely different.

Regular personal data

What is that?

This is all personal data that has not been classified as ‘sensitive personal data’.

Regular Personal Data


Sensitive personal data 

What is that?

Personally sensitive information or sensitive personal data – as it is legally called – is the type of information that is particularly focused on in the GDPR legislation. This means that companies and authorities must comply with even more stringent requirements if they collect and have access to this type of information about their customers, employees, citizens and so on.

Sensitive Personal Data

So there are many instances that hold personal sensitive information about you:

  • Your doctor knows, for example, which diseases you have been treated for. And that information will probably be in the doctor’s database
  • If you have informed a company about your ethnicity or sexual beliefs, that company will now have sensitive information about you.
  • If you are a member of a trade union, it will include personal sensitive information about you.


Types of sensitive personal information

If we dive a step further, sensitive personal data can be divided even further. This we have chosen to illustrate with the help of The Data Man below.

The Data Man

The Data Man consists of all the types of sensitive personal data available. Here we have divided the personal data into another 5 categories: 

Internal data

Internal information is what is not immediately visible from the outside. It is information such as attitudes, beliefs and knowledge.

External data

This type of information is the information one can more easily see from the outside. Thus, for example, it could be information about ethnicity, age and health.

Historical data

As the headline indicates, this is information about the person’s history and past.

Financial data

This section deals with the information available about your financial information. This can be bank information, credit information or similar.

Social data

Social data is data that can be compared to other people. It can be in communities, family and friendships.


When should I process personal data?

In general, it is first and foremost important that there is a reason why you should have access to personal data.

In addition, as a rule of thumb, you must always ensure the consent of the person whose information is dealt with. Here it is good to use a template for how and why you collect these data.

Processing of ordinary personal data

According to the Danish Data Protection Agency, there are 5 points where personal data can be processed without consent:

  1. A contract with the data subject
  2. Legal obligations of the data controller
  3. The registered person or another physical person’s vital interests
  4. A task in the interest of the community or the exercise of public authority
  5. A legitimate interest which is not exceeded by the interests or rights of the data subject

Processing of sensitive personal information

When dealing with sensitive personal data, you must pay extra attention to the handling of them. In principle, it is prohibited to process this type of information.

But no rules without exceptions. The following 7 points can be dealt with exceptionally if necessary for the following reasons:

  1. The data controller or the data subject’s labour, health and social obligations and rights
  2. The registered or another physical person’s vital interests, if it is impossible to give consent
  3. A political, philosophical, religious or trade union non-profit organization’s processing of member information or regular contact information (Does not include transmission outside the organization)
  4. Determination or treatment of a legal requirement
  5. Essential public interests
  6. Treatment of health-related character in the health sector
  7. Processing for archival, scientific or historical research purposes or for statistical purposes

In other words, it is sometimes necessary to process personal data. Therefore, it is also very important to do so in a safe and confidential way. An example could be that you have a system that ensures you have a secure mail. And by being transparent you also send a strong signal that you handle the personal data of your customers and employees securely.

This creates trust in a company!

Do you have any doubts about how you can process sensitive personal information? That’s understandable, and no one blames you. It is a relatively new area where best practices are still being shaped.