What is personal information really, and when should we process it? With growing awareness of data protection and privacy online, a business needs to know how to handle the personal information it collects in a compliant way.
What is personal information?
In short, personal information is a type of information that can help identify a person. Personal data is divided into two categories: regular personal data and sensitive personal data / sensitive personal information.
The two categories can be similar and difficult to separate. But from a legal point of view, they are completely different.
Regular personal data
What is that?
Sensitive personal data
What is that?
Personally sensitive information or sensitive personal data – as it is legally called – is the type of information that is particularly focused on in the GDPR legislation. This means that companies and authorities must comply with even more stringent requirements if they collect and have access to this type of information about their customers, employees, citizens and so on.
So there are many parties that hold sensitive personal information about you:
- Your doctor knows, for example, which diseases you have been treated for. And that information will probably be in the doctor’s database.
- If you have informed a company about your ethnicity or sexual beliefs, that company will now have sensitive information about you.
- If you are a member of a trade union, it will hold sensitive personal information about you.
Types of sensitive personal information
If we go a step deeper, sensitive personal data can be divided even further. We have chosen to illustrate this with the help of The Data Man below.
The Data Man consists of all the types of sensitive personal data available. Here we have divided the personal data into another 5 categories:
When should I process personal data?
First and foremost, there must be a reason why you should have access to personal data.
Processing of ordinary personal data
According to , there are 5 points where personal data can be processed without consent:
- A contract with the data subject
- Legal obligations of the data controller
- The vital interests of the data subject or another natural person
- A task in the interest of the community or the exercise of public authority
- A legitimate interest which is not overridden by the interests or rights of the data subject
Processing of sensitive personal information
When dealing with sensitive personal data, you must pay extra attention to how you handle it. In principle, it is prohibited to process this type of information.
But there are no rules without exceptions. Sensitive personal data can exceptionally be processed if it is necessary for one of the following 7 reasons:
- The data controller's or the data subject’s labour, health and social obligations and rights
- The vital interests of the data subject or another natural person, if it is impossible to give consent
- A political, philosophical, religious or trade union non-profit organization’s processing of member information or regular contact information (Does not include transmission outside the organization)
- Determination or treatment of a legal requirement
- Essential public interests
- Processing of a health-related nature in the health sector
- Processing for archival, scientific or historical research purposes or for statistical purposes
In other words, it is sometimes necessary to process personal data. Therefore, it is also very important to do so in a safe and confidential way. An example could be that you have a system that ensures you have a . And by being transparent you also send a strong signal that you handle the personal data of your customers and employees securely.
This creates trust in a company!
Do you have any doubts about how you can process sensitive personal information? That’s understandable, and no one blames you. It is a relatively new area where best practices are still being shaped.