What is personal data?

Personal data is any kind of information that can be related to an identifiable person.

Personal data may, for example, include information on name, address, e-mail address, personal identification number, registration number, photo, fingerprints, diagnostics, biological material, when it is possible to identify a person from the data or in combination with other data. It is said that the information is “personally identifiable”.

Although information about a name or address has been replaced by a code, such as AB123, it is still a personal data if the code can be traced back to the original personal data. This is the case as long as someone can make the information readable and identify the person involved. This is often called pseudonymised information, and such information remains subject to data protection rules. On the other hand, information made anonymous so that no natural person can be identified from the data or in combination with other information is no longer protected by the data protection rules.

Personal information (non-sensitive personal information)

Personal information includes all information that is not classified as special categories of information (sensitive personal information). This can be, for example, identification information such as name, address, age and education. This also applies to financial matters such as taxes and debts. Information in the form of photo, sick days, family relationships, housing, car, exam, job applications, CV, date and position of employment, work area and work telephone - are also personal information.

Special categories of personal data (sensitive personal data)

Sensitive personal data is explicitly mentioned in the Data Protection Regulation, and the possibility to process such data is narrower than in the case of ordinary personal data. Sensitive information is information on:

  • Race and ethnic origin
  • Political beliefs
  • Religious or philosophical beliefs
  • Trade union affiliation
  • Genetic data
  • Biometric data for unique identification (e.g. fingerprints)
  • Health information
  • Sexual relationships or sexual orientation.

Only the information mentioned above is sensitive personal information.

Information on criminal offenses - Article 10 of the Data Protection Regulation and Section 8 of the Danish Data Protection Act

Information on criminal offenses is considered personal data under the Data Protection Regulation and is separately regulated in the Danish Data Protection Act. A very broad understanding of the concept of criminal offenses must be applied. The term thus includes not only information on breaches of legislation without having triggered or may trigger an actual criminal liability, but also any other sanctions, such as disqualification. However, not all information about a possible criminal offense, including any report to the police, can be considered covered. A report to the police must thus in some form be assumed to be substantiated before it comes to information about criminal offenses.

Confidential information - section 152 of the Danish Criminal Code in conjunction with section 27 of the Danish Public Administration Act

Confidential information is a special category of information that is not explicitly mentioned in the data protection rules, but where special protection may be relevant in the application of the data protection rules. Furthermore, confidential information will often be subject to special regulation in other legislation. Social security number (CPR number) is a confidential information that is separately regulated in the Data Protection Act. The decisive factor for whether information is to be considered confidential will be an assessment of whether the information should, in the general opinion of society, be required to be withheld from the public, cf. section 152 of the Criminal Code in conjunction with section 27 of the Public Administration Act. Conversely, confidential information is not always sensitive. Non-sensitive personal information may be confidential in certain situations. Depending on the circumstances, this applies to information on income and wealth conditions, employment, education and employment conditions. The same applies to information about internal family relationships, including information about, for example, suicide attempts and accidents. Information that can be attributed to certain persons and that cannot be refused disclosure under the Public Access to Information Act will not be of a confidential nature. This applies to e.g. information of a purely objective nature, such as information on the issuance of passports, driving licenses, hunting licenses, etc.

Pseudonymisation and anonymization of personal data

The notion of pseudonymisation is defined in the GDPR as processing of personal data in such a way that personal data can no longer be attributed to a particular data subject without the use of supplementary information, provided that such supplementary information is stored separately and subject to technical and organizational measures to ensure that the personal data is not assigned to an identified or identifiable natural person.

Similarly, summary processing of data on multiple individuals that have been collected and combined without focus on the individual is anonymous only if no one can recognize the individuals from the information or in combination with other information. This is often called aggregated information, and it will depend on a specific assessment of whether such information is covered by data protection rules or not.

Information made anonymous so that no natural person can be identified from the data or in combination with other information is no longer protected by the data protection rules. This is because data protection rules apply only as long as the data can be traced back to an identifiable or identified natural person. It is a condition that anonymization is irreversible.

It is not a question of an absolute boundary between anonymized data and personal data. It must be assessed in concrete terms whether anonymization is sufficient or whether the person is still identifiable. In this assessment, account shall be taken of all aids which can reasonably be used to identify the person concerned. It must also be kept in mind whether others are in possession of information enabling the individual to be identified.