Lars Galow (Management, Information Security Officer)

Christoph Wilken (Consultant)

Thorsten Kamp (Officer, Deputy Information Security Officer)

Visitor address

Ecological Centre ÖCO, 3rd floor Uhlhornsweg 99a 26129 Oldenburg

Postal address

Carl von Ossietzky Universität Oldenburg 
Stabsstelle Datenschutz- und Informationssicherheitsmanagement
Ammerländer Heerstr. 114-118
26129 Oldenburg

Personal Data

What is personal data?

In order to be able to take the right measures under data protection law, the question must first be asked whether so-called "personal data" will be collected at all in the planned project.

When personal data are collected, the data subjects, i.e. those whose personal data are processed, have certain rights and the controller(s) have certain obligations.

The term "processing" includes

  • collection,
  • the collection,
  • organising,
  • arranging,
  • storage,
  • adaptation or modification,
  • the reading out,
  • the interrogation,
  • the use,
  • disclosure by transmission, dissemination,
  • distribution or any other form of making available,
  • the matching or linking,
  • the restriction,
  • the deletion or destruction

of data.

In the following, we will explain which categories of personal data exist and how they are defined by law, giving some examples.

Personal data in general

The term personal data is legally defined in the General Data Protection Regulation (GDPR) in Article 4 No. 1.

According to Art. 4 No. 1 DSGVO, personal data are

  • any information relating to an identified or identifiable natural person ("data subject").

(an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to that person).

  • which are an expression of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Since the GDPR speaks of "any information" about a person, the term "personal data" is to be interpreted very broadly.

For example, written performances of examinees are also personal data if an inference can be drawn about the identity of the examinee on the basis of the further information provided in the context of the examination (e.g. via the matriculation number) (ruling of the European Court of Justice of 20.12.2017, ref.: C-434/16).

Thus, even an indirect assignment does not exclude the characteristic of "personal identity". For this reason, so-called "pseudonymisation" does not lead to the elimination of the personal reference.

Personal reference can also exist by means of a combination of different data that would not in itself have any personal reference.

For example, the date "president" does not refer to a person because there is more than one person who holds this function or office title. However, if the respective institution is added, in this example "University of Oldenburg", the data combination "President, University of Oldenburg" results. There is therefore a reference to a person due to the combination of the data records. This is because a person can now be identified from the data. It is identifiable by merely googling or one's own knowledge. Therefore, in this example, the GDPR and the Lower Saxony Data Protection Act (NDSG) would have to be observed and complied with.

Typical personal data includes

  • Name
  • Address
  • Telephone number
  • Date of birth
  • Gender
  • E-mail contact details
  • Personnel number
  • Patient number
  • Matriculation number
  • Tax identification number
  • Account details
  • Photographs
  • Video recordings
  • X-ray images
  • Tape recordings
  • IP addresses
  • Location data
  • Testimonials

Categories of data may include, for example:

  • Contact data (name, address, email address, telephone numbers).
  • general personal data (name, date of birth, age, place of birth, address, email address, telephone number, photograph, education, occupation, marital status, nationality, holiday plans, etc.)
  • identification numbers (national insurance number, tax identification number, health insurance number, identity card number, matriculation number, etc.)
  • Demographic data (age, gender)
  • Bank details
  • Student data (attendance at events, grades)
  • Online data (IP address, websites accessed, documents downloaded, time of access, access duration, terminal device used, operating system, browser, etc.)
  • Ownership characteristics (ownership of a property, vehicle owner/holder, vehicle registration number, chassis number, etc.)
  • Value judgements (school report, employer's reference, etc.)
  • Factual circumstances (income, salary group, assets, debts, etc.)


Special categories of personal data

Furthermore, Article 9 of the GDPR refers to so-called "special categories" of personal data. These special categories of personal data are particularly sensitive and therefore subject to much stricter protection than "general" personal data.

These include data on:

  • racial and ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership

Particularly noteworthy because of the significant increase in sensitivity:

  • Data on sexual life or sexual orientation.

This data concerns information about the sexuality of the person concerned. In other words, whether a person is heterosexual, homosexual, bisexual, transsexual or asexual. This also includes questions about the frequency of sexual intercourse of the person concerned, whether and which contraceptives the person concerned uses, or even about the marital status of the person concerned.

  • Genetic data

According to Art. 4 No. 13, this is understood by the GDPR to mean personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unambiguous information about the physiology or health of that natural person and have been obtained in particular from the analysis of a biological sample of the natural person concerned.

  • biometric data

According to Art. 4 No. 14, the GDPR understands this to mean personal data which have been obtained by means of special technical procedures and which enable or confirm the unambiguous identification of the person by means of physical, physiological or behavioural characteristics of that person.

This includes in particular facial images or dactyloscopic data.

  • Health data

According to Art. 4 No. 15 of the GDPR, these are personal data relating to the physical or mental health of a natural person - including the provision of health care services - and from which information about his or her state of health is obtained.

Such health data includes, in particular, information about:

  • Diseases
  • chronic illnesses
  • previous illnesses
  • weight
  • body fat values
  • Blood sugar levels
  • Allergies
  • Intolerances
  • Diagnoses
  • Therapies and their course
  • Interventions
  • Vaccination status
  • Medication
  • X-rays
  • Emergency data
  • Living will
  • Medical bills, medical appointments, insurance status

Dealing with special categories of personal data

The processing of these special categories of personal data is generally prohibited under Article 9 (1) of the GDPR.

Exceptions to this are provided for in the catalogue of Art. 9 (2) DSGVO. According to this, these special personal data may be processed in particular if

  • an explicit declaration of consent has been given
  • the processing is necessary to protect the vital interests of the data subject or another person
  • the personal data processed has obviously been made public by the data subject.

Furthermore, § 13 NDSG, which is applicable via Art. 6 para. 1 lit. e / Art. 9 para. 2 lit. j DSGVO in conjunction with. § Section 3 NDSG, provides for an exception in the event that the purpose of the data processing is a specific scientific or historical research project.

Internetkoordinator (Changed: 29 May 2024)  | 
Zum Seitananfang scrollen Scroll to the top of the page