Categories of data in GDPR


1. Categories of (sensitive) Personal Data under the GDPR

The entire General Data Protection Regulation (GDPR) revolves around the protection of personal data, how personal data can be used and so forth. We will go over what “personal data” is according to the GDPR.

'Personal data' means any information relating to an identified or identifiable natural person. This person is called the 'data subject' (see further). In other words, it is any information that is clearly about a particular person. But just how broadly does this apply?

According to examples mentioned in the GDPR, the following are considered privacy-related Personal Data:

  • Name
  • Home address
  • Personal e-mail address
  • Personal phone number
  • Work phone number
  • Birthday/age
  • Languages
  • Place of birth
  • Nationality
  • National ID card details
  • Passport details, copy of passport
  • Copy of ID card
  • Social security number or other national identifiers
  • Driver’s license details, copy of driver’s license
  • Personal information about spouse/partner/children
  • Sex
  • Religion
  • Marital status
  • Work permit (foreign employees)
  • Insurances
  • Wage/salary
  • Bank account
  • Credit card details
  • Education level/diplomas
  • CV/résumé/work experience
  • (Labour) union membership
  • Training during employment
  • Evaluation/annual appraisal
  • Registered work hours/badging log
  • Leave/holidays
  • Sick days
  • Personal health/medical info
  • Criminal convictions/offences
  • Video images from security cameras
  • Biometrics (finger print, retinal scan)
  • Pictures/images
  • Data re monitoring of internet use
  • Data re monitoring of work e-mail use
  • Data re monitoring of private e-mail use
  • Electronic identification data: IP address, log-in data, cookies, ...
  • Electronic localization data: cell phone, GPS, ...
  • Function grid
  • Data on retirement/pension
  • Date of entry into service
  • Place of work
  • Working conditions
  • Sound recordings (e.g. recorded telephone conversations, ...)
  • Physical data: height, weight, and so on
  • Family composition: information on partner, children, …
  • Leisure time activities and interests: hobbies, sports, …
  • Data revealing racial or ethnic origin
  • Political opinions
  • Data of sex life or sexual orientation
  • Memberships

2. Categories of Data Subjects

Besides the different types of 'Personal Data' in the GDPR, it is also important to understand who the Data Subject is. We will go over what “Data Subjects” are according to the GDPR.

By 'Data Subject', the GDPR means the natural person whom the data make it possible to identify.
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, ...

Data Subjects in the context of GDPR exist in different categories:

  • Current personnel
  • Potential personnel (job applicants)
  • Former personnel
  • Temporary agency workers
  • Employees’ family members
  • Public officers
  • Website end-users
  • Application end-users
  • Customers (contact persons/representatives)
  • Prospects (contact persons/representatives)
  • Suppliers (contact persons/representatives)

3. Categories of recipients of Personal Data

Besides the different types of 'Personal Data' and 'Data Subjects' in the GDPR, it is useful to know who the potential recipients of Personal Data are. Here is a list of 'Recipients of Personal Data' according to the GDPR.

Potential recipients of Personal Data include:

  • Management
  • Employees
  • Temporary Staff
  • Sub-contracted processor
  • Other recipients in international organisation (...)
  • Other recipients within the EU (...)
  • Other recipients outside the EU (...)

