Here you can find information about the 3 categories of personal data: general personal data, sensitive personal data (also known as special categories of personal data) and details of criminal offences.
It is important that you know which categories of personal data you process, as there are differences between whether and how you may process the different categories of personal data.
The following information is sensitive/special categories of personal data:
Information of criminal convictions and offences can be information that a person has committed a particular offence, but it can also be that a persons has an address is in a prision.
In other words, information about criminal offences is defined as information that it can be inferred that a person has committed a criminal offence. Rules on the processing of information concerning criminal convictions and offences are not laid down in the GDPR, but will be laid down in each country (source: Danish Data Protection Agency).
Personal data that does not constitute 'sensitive personal data' and (as the case may be) information about 'criminal offences' is called ’general personal data'.
General personal data may, for example, be identification information such as name and address. It can be customer relations, finances, tax, debt, sick days, work-related circumstances, family circumstances, housing, car, exams, applications, CVs, date of employment, position, area of work, work phone, master data: name, address, date of birth, IP address, cadastral no. and other similar non-sensitive information (source: Danish Data Protection Agency)
Please note that AU regards some of this information as confidential (see AU's data classification). You can read more about 'confidential information' below.
There are no rules on confidential information in the GDPR. Confidential information is information which is to be regarded as confidential under Danish law, or where the general perception of the information is that it must be treated confidentially. Confidential information is not necessarily a sensitive personal data, but most often needs to be protected just as well. You may consider the following when assessing whether information is confidential:
There are special considerations to take regarding the processing of children’s personal data. The GDPR and the Danish data protection act contain some rules that specifically target the processing of children's personal data, for example; processing of children's personal data through the use of information society services, such as social media. In addition, you should be aware that it will often require consent from the custodial parent to process the child's personal data. The processing of children's personal data also places special requirements on, for example, language used to provide information (information duty).
As a rule, the custodial parent must consent to the processing and have information about the processing if the child is under the age of 15. You can read more about consent in the Danish Data Protection Agency's guidelines (in Danish).