What is Data Categorization?
Data categorization is the process of classifying personal data into different categories either based on its sensitivity and potential risks associated with it or based on its identifiability.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’).
What is the purpose of data categorization?
The purpose of data categorization is to facilitate the protection of personal data and ensure its lawful processing. The GDPR emphasizes the need for organizations to categorize personal data based on its sensitivity, potential risks, and the rights and freedoms of data subjects.
Sensitivity- and Risk-Based Data Categorization
The GDPR identifies three categories of personal data:
- personal data relating to criminal convictions
- special categories of personal data (“sensitive data”)
- general data
Personal data relating to criminal convictions and offences
The first category is personal data relating to criminal convictions and offences according to Article 10 of the GDPR. The processing of this data category is prohibited unless carried out under the control of official authority or when authorized by Union or Member State law in consideration of the rights and freedoms of data subjects.
Special categories of personal data (“sensitive data”)
Then, there are special categories of personal data (“sensitive data”) according to Article 9 of the GDPR. This category includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The processing of sensitive data is generally prohibited. However, the following exceptions lead to the processing being legal:
- explicit consent
- rights and obligations in the field of employment and social security and social protection law
- protection of vital interests
- processing based on appropriate safeguards
- data manifestly made public by the data subject
- processing for the establishment, exercise, or defense of legal claims, or when courts are acting in their judicial capacity
- processing necessary for reasons of substantial public interest
- processing of personal data in the healthcare and social sector
- processing of personal data for public health purposes
- processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Georgine Berger
“Remarkably, financial data and data related to an individual’s job are not considered sensitive data under GDPR. This is surprising, as one might expect data of such importance to fall under the category of sensitive data.”
General data
Finally, there is general data according to Article 6 of the GDPR. The processing of this data category is lawful provided one or more of the following cases applies:
- explicit consent
- rights and obligations in the field of employment and social security and social protection law
- protection of vital interests
- processing based on appropriate safeguards
- data manifestly made public by the data subject
- processing for the establishment, exercise, or defense of legal claims, or when courts are acting in their judicial capacity
- processing necessary for reasons of public interest
- processing of personal data in the healthcare and social sector
- processing of personal data for public health purposes
- processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Data Categorization based on its identifiability
Another way of data categorization is to differentiate data based on its identifiability. There is pseudonymized data and anonymous data.
Pseudonymized data
Pseudonymized data means data that is processed in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. This additional information is kept separately and protected to ensure that personal data cannot be attributed to a specific person. Pseudonymized data are personal data according to the GDPR and fall under its rules.
The GDPR requires appropriate technical and organizational measures; one such measure is the pseudonymization of data. However, whether data is in fact pseudonymous is often misjudged. It is important to have this verified in order not to violate one’s obligations under the GDPR.
Anonymous data
Anonymous data is data that makes the identification of a natural person impossible. This category of data does not fall under the scope of the GDPR.

Peter Harlander
“The requirements for data to be considered anonymous are exceedingly high. Today’s technical means are often surprisingly sophisticated, even for huge amounts of data, making it easy to identify individuals.”
FAQs
What is a data category?
A data category refers to a classification of personal data based on certain characteristics or attributes.
One way to group personal data is to differentiate based on its sensitivity. There is personal data relating to criminal convictions, special categories of personal data (“sensitive data”), and general data.
Another way of data categorization is to differentiate data based on its identifiability. There is pseudonymized data and anonymous data.
What are the three data categories?
The three data categories are personal data relating to criminal convictions, special categories of personal data (“sensitive data”), and general data.
What are examples of personal data?
Name, phone number, home address, email address, location data, IP address, cookie ID, and so on.
What are examples of sensitive data?
- data revealing racial or ethnic origin such as skin color, type of hair, form of eyes or nose
- data concerning political opinions such as the membership in a specific political party
- data revealing religious or philosophical beliefs: e.g., membership of a specific church, participation in a specific religious event
- data regarding trade union membership such as the inclusion in a specific trade union
- genetic data such as genetic test results indicating susceptibility to specific diseases or information about an individual’s inherited genetic traits
- biometric data such as fingerprints, facial recognition data, DNA profiles, way to walk
- data concerning health such as personal health records, medical history or prescriptions
- data concerning a natural person’s sex life or sexual orientation such as details about an individual’s sexual activities or preferences
Also: all data concerning criminal convictions and offences or related security measures, such as criminal records, court judgements or imposed measures.
Why are there different data categories?
The GDPR divides data into different categories to ensure appropriate protection and management of personal data. The categories help in defining the level of sensitivity and potential risks associated with different types of personal information. Depending on the data category, different technical and organizational measures must be used. The legal basis for data processing also depends massively on the data category.
What does not fall under sensitive data?
There is data that, because of its significance, one would expect to be sensitive data. Examples of such data are job data, credit card information, and other financial data. These types of data are personal data under the GDPR, but do not fall under the category “sensitive data”.
How are sensitive data to be protected?
Sensitive data must be considered as particularly worthy of protection. This is data whose processing is associated with particularly high risks. The processing of sensitive data is generally prohibited. However, there are exceptions to this general prohibition, such as the existence of the data subject’s consent or if, for example, processing is necessary to protect vital interests. In the case of sensitive data, it is not sufficient to argue that the processing is necessary due to the performance of a contract or because there is a legitimate interest in the processing.
Is an IP address personal data?
Whether or not an IP address qualifies as personal data under the GDPR depends on whether it can be linked to an identifiable individual.
If an IP address is associated with additional information or if it can be used in connection with other data to identify an individual, then it is considered personal data. For example, if an IP address is connected to a specific user account or if it is processed in a way that allows the identification of an individual, then it falls under the scope of personal data.