Data Categorization

What is Data Categorization?

Data categorization is the process of classifying personal data into different categories either based on its sensitivity and potential risks associated with it or based on its identifiability.

Personal data means any information relating to an identified or identifiable natural person (‘data subject’).

What is the purpose of data categorization?

The purpose of data categorization is to facilitate the protection of personal data and ensure its lawful processing. The GDPR emphasizes the need for organizations to categorize personal data based on its sensitivity, potential risks, and the rights and freedoms of data subjects.

Sensitivity- and risk-based Data Categorization

The GDPR identifies three categories of personal data:

  • personal data relating to criminal convictions
  • special categories of personal data (“sensitive data”)
  • general data

Personal data relating to criminal convictions and offences

The first category is personal data relating to criminal convictions and offences according to Article 10 of the GDPR. The processing of this data category is prohibited unless carried out under the control of official authority or when authorized by Union or Member State law in consideration of the rights and freedoms of data subjects.

Special categories of personal data (“sensitive data”)

Then, there are special categories of personal data (“sensitive data”) according to Article 9 of the GDPR. This category includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The processing of sensitive data is generally prohibited. However, the following exceptions lead to the processing being legal:

  • explicit consent
  • rights and obligations in the field of employment and social security and social protection law
  • protection of vital interests
  • processing based on appropriate safeguards
  • data manifestly made public by the data subject
  • processing for the establishment, exercise, or defense of legal claims, or when courts are acting in their judicial capacity
  • processing necessary for reasons of substantial public interest
  • processing of personal data in the healthcare and social sector
  • processing of personal data for public health purposes
  • processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Georgine Berger

“Remarkably, financial data and data related to an individual’s job are not considered sensitive data under GDPR. This is surprising, as one might expect data of such importance to fall under the category of sensitive data.”

General data

Finally, there is general data according to Article 6 of the GDPR. The processing of this data category is lawful provided at least one of the following cases applies:

  • explicit consent
  • rights and obligations in the field of employment and social security and social protection law
  • protection of vital interests
  • processing based on appropriate safeguards
  • data manifestly made public by the data subject
  • processing for the establishment, exercise, or defense of legal claims, or when courts are acting in their judicial capacity
  • processing necessary for reasons of public interest
  • processing of personal data in the healthcare and social sector
  • processing of personal data for public health purposes
  • processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Data Categorization based on its identifiability

Another way of data categorization is to differentiate data based on its identifiability. There is pseudonymized data and anonymous data.

Pseudonymized data

Pseudonymized data means data that is processed in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. This additional information is kept separately and protected to ensure that personal data cannot be attributed to a specific person. Pseudonymized data are personal data according to the GDPR and fall under its rules.

The GDPR requires appropriate technical and organizational measures; pseudonymization of data is one such measure. However, whether data is actually pseudonymous is often misjudged. It is important to have this verified in order not to violate one’s obligations under the GDPR.

Anonymous data

Anonymous data is data from which a natural person can no longer be identified. This category of data does not fall under the scope of the GDPR.
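As an added illustration (not code from the original page), the following Python sketch shows the distinction drawn above: a keyed pseudonym replaces the identifier, the key is the separately held “additional information”, and the records remain linkable to one another and re-attributable by whoever holds the key, which is why such data is pseudonymized personal data rather than anonymous data. The records, identifiers and key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample records (fictitious people and values, not from the page).
RECORDS = [
    {"email": "anna@example.com", "diagnosis": "asthma"},
    {"email": "ben@example.com", "diagnosis": "allergy"},
    {"email": "anna@example.com", "diagnosis": "migraine"},
]

def token_for(identifier, key):
    # Keyed pseudonym: the key is the "additional information" the GDPR
    # definition refers to and must be stored apart from the records.
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def pseudonymize(records, key, field="email"):
    # Replace the identifying field with its pseudonym; the rest stays as is.
    return [{**rec, field: token_for(rec[field], key)} for rec in records]

def reidentify(pseudonymized, key, known_identifiers, field="email"):
    # With the key, the controller can re-attribute tokens to people by
    # recomputing them. Without the key (or with a wrong one) the mapping is
    # empty, which is exactly the separation the GDPR requires.
    lookup = {token_for(ident, key): ident for ident in known_identifiers}
    return {rec[field]: lookup[rec[field]] for rec in pseudonymized if rec[field] in lookup}

def link_by_token(pseudonymized, field="email"):
    # Even without the key, all records of one person remain linkable to each
    # other, so the data set is pseudonymized personal data, not anonymous.
    groups = {}
    for rec in pseudonymized:
        groups.setdefault(rec[field], []).append(rec["diagnosis"])
    return groups

if __name__ == "__main__":
    key = b"constructed-demo-key-stored-separately"  # keep this away from the data
    pseudo = pseudonymize(RECORDS, key)
    print(pseudo)
    print(link_by_token(pseudo))
    print(reidentify(pseudo, key, ["anna@example.com", "ben@example.com"]))
    print(reidentify(pseudo, b"wrong-key", ["anna@example.com"]))
```

Removing the identifier column while keeping per-person linkability, as `link_by_token` shows, is not anonymization; the separately held key (or any other means of re-attribution) is what keeps the data inside the GDPR.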

Peter Harlander

“The requirements for data to be considered anonymous are exceedingly high. Today’s technical means are often surprisingly sophisticated, even for huge amounts of data, making it easy to identify individuals.”

FAQs

What is a data category?

A data category refers to a classification of personal data based on certain characteristics or attributes.

One way to group personal data is to differentiate based on its sensitivity. There is personal data relating to criminal convictions, special categories of personal data (“sensitive data”), and general data.

Another way of data categorization is to differentiate data based on its identifiability. There is pseudonymized data and anonymous data.

What are the three data categories?

The three data categories are personal data relating to criminal convictions, special categories of personal data (“sensitive data”), and general data.

What are examples of personal data?

Name, phone number, home address, email address, location data, IP address, cookie ID and so on.

What are examples of sensitive data?

  • data revealing racial or ethnic origin such as skin color, type of hair, form of eyes or nose
  • data concerning political opinions such as the membership in a specific political party
  • data revealing religious or philosophical beliefs: e.g., membership of a specific church, participation in a specific religious event
  • data regarding trade union membership such as the inclusion in a specific trade union
  • genetic data such as genetic test results indicating susceptibility to specific diseases or information about an individual’s inherited genetic traits
  • biometric data such as fingerprints, facial recognition data, DNA profiles, way of walking
  • data concerning health such as personal health records, medical history or prescriptions
  • data concerning a natural person’s sex life or sexual orientation such as details about an individual’s sexual activities or preferences

What are examples of data relating to criminal convictions and crimes?

All data concerning criminal convictions and offences or related security measures such as criminal records, court judgements or imposed measures.

Why are there different data categories?

The GDPR divides data into different categories to ensure appropriate protection and management of personal data. The categories help in defining the level of sensitivity and the potential risks associated with different types of personal information. Depending on the data category, different technical and organizational measures must be used. The legal basis for data processing also depends heavily on the data category.

What does not fall under sensitive data?

There is data that, because of its significance, one would expect to be sensitive data. Examples of such data are job data, credit card information, and other financial data. These types of data are personal data under the GDPR, but do not fall under the category “sensitive data”.

How are sensitive data to be protected?

Sensitive data must be considered as particularly worthy of protection. This is data whose processing is associated with particularly high risks. The processing of sensitive data is generally prohibited. However, there are exceptions to this general prohibition, such as the existence of the data subject’s consent or if, for example, processing is necessary to protect vital interests. In the case of sensitive data, it is not sufficient to argue that the processing is necessary due to the performance of a contract or because there is a legitimate interest in the processing.

Is an IP address personal data?

Whether an IP address qualifies as personal data under the GDPR depends on whether it can be linked to an identifiable individual.

If an IP address is associated with additional information or if it can be used in connection with other data to identify an individual, then it is considered personal data. For example, if an IP address is connected to a specific user account or if it is processed in a way that allows the identification of an individual, then it falls under the scope of personal data.
