Table of contents
- What are personal data in the GDPR
- Special or sensitive data
- Genetic and biometric data
- Health data
- Data made manifestly public
- When special category data can be processed
- The role of consent
- Without consent: permitted cases
- The responsibilities of data controllers
When talking about the GDPR (General Data Protection Regulation), one of the first questions that arises is: what are the different types of data cited in the GDPR?
The European regulation, which came into effect in 2018, does not merely regulate the processing of personal data in general but distinguishes between different categories, with varying levels of protection.
Understanding these differences is crucial for businesses, public authorities, associations, and even individuals, because the rules change depending on the type of data being processed.
In this article, we will analyze in detail the data cited in the GDPR, clarifying what the different types of data are, what characterizes them, and under what circumstances they can be processed.
We will explore the concepts of special category data, sensitive data, health data, and biometric data used to uniquely identify a natural person. We will also see when explicit consent is required and when the law allows processing without consent: for public health, for scientific or historical research or statistical purposes, to establish, exercise, or defend legal claims, or whenever judicial authorities carry out their judicial functions.
What are personal data in the GDPR
The GDPR defines personal data as any information relating to an identified or identifiable natural person. Identification may occur directly (for example, through name and surname) or indirectly (through tax code, IP address, geolocation, etc.).
Personal data, therefore, are any information that makes it possible to uniquely identify a person or that, combined with other data, enables such identification. Examples include:
- First and last name.
- Phone number.
- Email address.
- Tax code.
- Location data.
- Online identifiers (such as cookies and IP addresses).
This first category includes information that, although seemingly harmless, can be used to trace activities back to a specific individual.
Special or sensitive data
Alongside “basic” personal data, the GDPR provides a subcategory of information requiring greater protection: special category data, often referred to as sensitive data.
According to Article 9 of the regulation, this category includes personal data that reveal:
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership or membership in another nonprofit body pursuing political, philosophical, religious, or trade union aims.
- Genetic data.
- Biometric data used to uniquely identify a natural person.
- Health data.
- Sex life or sexual orientation.
This information is particularly sensitive because, if disclosed or misused, it can lead to discrimination or serious violations of fundamental rights.
Genetic and biometric data
Among the different types of data cited in the GDPR, special attention is given to genetic data and biometric data.
Genetic data concern a person’s hereditary characteristics, obtained through the analysis of biological samples. They can reveal health status, predisposition to diseases, or even family relationships.
Biometric data used for identification involve unique traits of the individual, such as fingerprints, facial recognition, iris scans, or voice patterns. They are used to uniquely identify a natural person, for example in security systems or access controls.
Both categories, although useful in medical, workplace, or security contexts, require additional safeguards because they can be exploited for discriminatory or invasive purposes.
Health data
Health data are one of the most protected categories under the GDPR. These are all pieces of information that describe a person’s physical or mental health status, past, present, or future. Examples include:
- Medical reports.
- Patient records.
- Disability information.
- Ongoing treatments.
- Test results.
The law establishes that such data can only be processed under specific conditions, such as the explicit consent of the data subject, or without consent when it involves public health reasons or processing carried out by healthcare professionals bound by professional secrecy.

Data made manifestly public
An interesting aspect concerns data that the person has made manifestly public. In such cases, the GDPR allows information to be processed even without explicit consent, if the data subject has voluntarily disclosed such data.
Practical example: an individual spontaneously shares their health condition on a social network. Technically, that sensitive data is made public and, while still protected, may be processed under less stringent conditions compared to undisclosed data.
When special category data can be processed
The general rule of the GDPR is that special category data cannot be processed without a specific legal basis. However, the regulation provides exceptions.
The main cases in which processing is lawful are:
- With the explicit consent of the data subject.
- For reasons of substantial public interest, such as public health.
- When the data have been made manifestly public by the data subject.
- For purposes of scientific or historical research or statistics, provided adequate safeguards are in place.
- To comply with obligations in the field of labor law or social protection.
- To establish, exercise, or defend legal claims or whenever courts are acting in their judicial capacity.
These scenarios show that, while protected by reinforced safeguards, sensitive data are not completely untouchable: there are situations where their processing is not only possible but necessary.
The role of consent
One of the cornerstones of the GDPR is explicit consent. Unlike simple consent (which may be implicit or generic), explicit consent must be:
- Freely given.
- Specific.
- Informed.
- Unequivocal.
For example, a patient must sign a form that clearly explains how their health data will be processed. A pre-ticked box or vague information notice is not sufficient: the user must know exactly what they are consenting to.
Without consent: permitted cases
In some circumstances, however, the processing of sensitive data is permitted even without the consent of the data subject. For example:
- Health emergencies requiring data management to protect public health.
- Judicial investigations needing to collect data to establish, exercise, or defend legal claims.
- Scientific or historical research or statistical activities, with adequate anonymization and security measures.
These exceptions demonstrate how the GDPR seeks a balance between protecting privacy and the need to pursue collective or legal interests.
The responsibilities of data controllers
Anyone processing the data cited in the GDPR—businesses, public authorities, associations, or other nonprofit bodies pursuing political, philosophical, religious, or trade union aims—must be aware of their responsibilities.
The data controller must:
- Clearly define the purposes.
- Minimize the data collected.
- Ensure adequate security measures.
- Allow the exercise of data subject rights (access, rectification, erasure, restriction).
Conclusion
Understanding what the different types of data cited in the GDPR are means going beyond the simple distinction between personal data and sensitive data. The European regulation has introduced specific categories such as genetic data, biometric data used for identification, health data, and data made public by the data subject, each with precise rules.
The fundamental principle always remains the same: data must be processed with transparency, minimization, and security, and can only be processed if there is a valid legal basis, with explicit consent or in cases provided for by law.
The challenge for businesses and organizations is to ensure the highest level of protection, not only to meet regulatory requirements but also to build trust with users and citizens.
Questions and answers
- What are the different types of data cited in the GDPR?
The GDPR distinguishes between common personal data and special category or sensitive data, such as genetic, biometric, and health data.
- What is meant by special category data?
Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic, biometric, or health information.
- Which sensitive data cannot be processed without consent?
Health, genetic, biometric, and other special category data generally require a legal basis, often explicit consent.
- Do data made manifestly public have fewer protections?
They are still protected, but may be processed more easily if the person voluntarily disclosed them.
- When is explicit consent mandatory?
Always when processing sensitive data such as health, religion, genetic, or biometric information.
- Is it possible to process data without consent?
Yes, in specific cases such as public health, scientific research, or judicial purposes.
- What are genetic data?
Information derived from biological samples revealing hereditary characteristics or predispositions to diseases.
- What are biometric data used to identify a person?
Physical or behavioral traits uniquely used to identify a natural person, such as fingerprints or facial recognition.
- What responsibilities do companies have regarding data?
They must ensure security, data minimization, and respect for data subject rights.
- What does the GDPR provide for scientific or statistical research?
It allows sensitive data processing without consent, provided adequate safeguards and anonymization measures are in place.