Types of personal data and data subjects

The content on this page was updated in October 2022. Note that we regularly update these pages. 


When processing personal data for your research, you must keep track of:

  • The type of personal data you are processing.
  • Who the data subjects are.
  • The number of data subjects.

Types of personal data

Data protection (GDPR) only applies to personal data.

Personal data is information about a natural person, i.e. a human being. Personal data is information that in itself or in combination with other information could lead (be attributed) to a natural person.

When you are conducting research, it will often be necessary to process personal data in order to complete the research. Data protection regulation distinguishes between different types of personal data. The rules that apply to the processing of personal data depend on the type(s) of personal data being processed.  Some personal data requires a higher level of protection because the processing of such personal data can constitute a special risk to the data subjects. 

Therefore, you will need to clarify which type(s) of personal data you are processing. There are 4 types:

General personal data (non-sensitive personal data)

General personal data is all information that is not 1) information about criminal convictions and offences, and 2) special categories of personal data (sensitive personal data).

  • For example name, age, gender, height, weight, contact information (phone number, email), location data.

Information on criminal convictions and offences

Criminal convictions and offences should be understood broadly. This means that the data listed below is included:

  • Violation of the law (including cases where the violation has not resulted in a penalty).
  • A substantiated report to the police (even if it has not yet led to an actual conviction, after which it would be considered a criminal offence).
  • Criminal record and child protection certificates.

Special categories of personal data (sensitive personal data)

Special categories of personal data, commonly referred to as sensitive personal data, is information that requires special protection under data protection regulations, as the information is more likely to represent a risk to the rights and freedoms of the data subject. Below is an exhaustive list of sensitive personal data. You will also find examples of information that falls under different areas, as well as examples of the consequences that data subjects may be exposed to if their personal data falls into the wrong hands.

Information that says something about one of the following areas is considered a special category of personal data (sensitive personal data):


Racial or ethnic origin

  • For example, information pertaining to whether a data subject belongs to an ethnic minority.
  • Special protection considerations apply because in some countries/contexts, this information can pose a special risk to the data subject. Information about ethnic minorities may pose a special risk to data subjects if their data falls in the hands of a state that discriminates against minority populations.

Political, religious or philosophical beliefs

  • For example, information pertaining to which political party the data subject is a member of or votes for.
  • Special protection considerations apply because information about political beliefs can in many parts of the world constitute a risk to the data subject. For example, the data subject may be subjected to persecution, exclusion, discrimination.

Trade union membership

  • For example, any information about a person’s trade union membership.
  • Special protection considerations apply because information about trade union membership can in many parts of the world constitute a risk to the data subject. For example, the data subject may be subjected to persecution, exclusion, discrimination.

Processing genetic data and/or biometric data for the purpose of uniquely identifying a natural person

  • For example, DNA, iris scans, fingerprints, facial recognition, etc.
  • Special protection considerations apply because any use of the data to uniquely identify/authenticate someone poses an increased risk to the data subject. For example, if biometric data is exploited for authentication involving particularly high level of security. 

Health data

  • For example, information about a physical or mental disorder or disability such as Covid-19, cancer, a broken leg, PTSD, dyslexia, etc. 
  • Special protection considerations apply because information about a person’s health can lead to discrimination in the form unfair job rejection, denied insurance coverage, etc.

Data concerning a natural person’s sexual relationship or sexual orientation

  • For example, information about a person’s homosexuality, transgenderism, including information that could disclose a person’s sexual relationship/sexual orientation, e.g. a registered partnership between two women.
  • Special protection considerations apply because this information can constitute a risk to the data subject in many parts of the world. For example, the data subject may be subjected to persecution, exclusion, discrimination.

Confidential personal data

Confidential information is not defined in the General Data Protection Regulation (GDPR). Nevertheless, the concept of confidential information is used in a Danish context to refer to data that requires greater protection without necessarily being a special category of personal data (sensitive personal data).

  • For example, CPR numbers, information subject to a duty of confidentiality, information about income and financial situation, work, education and employment conditions or internal family affairs.

Anonymisation and pseudonymisation of personal data

Take particular note of the difference between anonymised data and pseudonymised personal data. Processing pseudonymised personal data constitutes processing of personal data. However, anonymised data is not covered by the general data protection regulation.

Read more about the different concepts:

Did you know that...

  • the person whose data is being processed is called the data subject in the Danish data protection law? Perhaps you call the person a research participant, informant, patient, landowner or something completely different.
  • information regarding geographical locations can be personal data if it can be attributed to a natural person or e.g. a business owned by one individual? For instance, a title number can be looked up in the land register.
  • a photograph or a sound recording is also personal data if the voice or the photograph can be attributed to one or more specific data subjects?
  • as a starting point, a shoe size is not personal data? But if only one person in a village wears size 49 then that information can be attributed to a specific person, which makes it general personal data.

Who are the data subjects?

Data subject is the term used in Danish data protection law to describe natural persons whose data is being processed. Data subjects have many aliases within research, e.g. informant, research subject, research participant, patient, etc.

The purpose of determining the category of data subjects is to ensure that AU, as data controller, is aware of any special conditions that apply.

If the data subject is a child, a patient, an elderly person, etc., they may be considered members of a particularly vulnerable group of people. This will place demands on how you communicate when carrying out your duty of disclosure, on any special aspects you need to take into account in your risk assessment, on whether you can obtain valid consent pursuant to data protection law, etc. 

The category of data subject can be specified in many ways, e.g.

  • Adults
  • Children
  • Young people
  • Elderly
  • Patients
  • Landowners
  • Danes aged 40-60 years

How many data subjects are there?

When processing personal data, you must consider the number of people you are processing data on.

The purpose of assessing the number of data subjects is partly to ensure that you have an overview of your processing, and partly that number of data subjects may be important in relation to assessing the risks associated with processing and the obligations under data protection law.

By default, you should therefore specify the exact number of persons whose data you are processing. Sometimes it is not possible to give an exact number. Instead, consider how to describe the number of data subjects, e.g. 'All Danes aged 15-25 years in the period 1989-2003'.