GDPR information
Subjective or objective personal data
Personal data can be either subjective or objective personal data, i.e. personal data of a subjective or objective nature. Companies and organisations subject to the GDPR need to know what may constitute personal data, including if it is subjective or objective personal data, in order to ensure proper processing.
What is the definition of personal data?
According to the GDPR, personal data is any information about a natural living person that can be identified by the data in question. This applies regardless of whether it is possible to link the data to the individual directly or indirectly, alone or in combination with other data.
There are also different categories as well as groups of personal data, and some need to be processed with higher security. In other words, the more important the personal data, the greater the security requirements.
Does the GDPR cover the personal data of deceased persons?
No, the GDPR does not cover the personal data of deceased persons, according to Recital 27 of the GDPR. This means that only the personal data of living people is covered by the GDPR. On the other hand, it is for each Member State to lay down its own national rules on the processing of the personal data of deceased persons.
Are there categories of personal data that are privacy sensitive or sensitive?
Yes, there are different groups of subjective or objective personal data, some of which are more privacy sensitive than others. It is possible to divide privacy-sensitive personal data into four (4) groups. These include:
Subjective privacy-sensitive personal data
One of the four groups is subjectively privacy-sensitive personal data, such as bank account data, private communication data, social security numbers and location data. In other words, this group refers to personal data that the individual may feel is inconvenient or invasive of privacy for someone else to process. It may therefore be objective personal data, which is subjectively privacy-sensitive.
Special categories of personal data
There are specific provisions in the GDPR concerning the processing of special categories of personal data, also known as “sensitive personal data”. According to the general rule in Article 9 of the GDPR, the processing of these categories of personal data is prohibited. However, there are some exceptions, and most companies process sensitive personal data of their employees. For example, information about employees' sick leave, diagnoses and blood type. Some other examples of sensitive personal data are data that reveals information about an individual's religious beliefs, political opinions and biometric data.
What is personal data of an objective nature?
Personal data of an objective nature, that is to say, objective personal data, is primarily what many people directly perceive as clear personal data. For example, a first name, telephone number, postal address, bank account number, etc. Usually, personal data of an objective nature is such data that can directly identify a natural living person.
This type of personal data is often based on facts, measurable and verifiable. Objective personal data can also be proven to be false or true. For example, date of birth, bank account number, date of employment. In short, objective personal data reveals fact-based information about an individual.
What is personal data of a subjective nature?
Information about an individual that is based on impressions, judgments, opinions or assumptions, is personal data of a subjective nature. That is, subjective personal data. In other words, this means that different people can have different subjective judgments based on the personal perception of an individual.
Subjective personal data are also those that describe a characteristic of an individual, or consist of an assessment of a person. It is common for personal data of a subjective nature to be more privacy sensitive than personal data of an objective nature, and should be processed with a higher degree of security to protect them against the risks posed by the processing. This is because personal data of a subjective nature are often perceived as privacy sensitive to the data subject.
Examples of personal data of a subjective nature
When a doctor gives a diagnosis to a patient.
When a person wants to take out a bank loan and the bank assesses the financial situation and creditworthiness of the person.
When teachers grade students.
When an employer is a reference to an employee and gives its opinion on the employee.
Learn more
Anonymised data
By anonymising personal data, companies can continue to process data that may be good for them to have. Once data has been anonymised in accordance with the three criteria of the European Data Protection Authorities, the data no longer constitute personal data. As a result, the anonymised data is no longer covered by the GDPR. On the other hand, the anonymisation process itself constitutes a processing of personal data covered by the GDPR. This means, among other things, that data subjects have the right to receive information about the process. Please note that pseudonymised personal data is not the same as anonymised data.