Personal Data

According to Art. 4 (1) of the GDPR, personal data is information relating to an identified or identifiable natural person. Personal data include an individual’s name, a picture, a phone number, even a professional phone number, a code, a bank account number, an e-mail address, a fingerprint, etc.

Please visit:

Special Category of personal data

According to Art. 9 of the GDPR special category data includes:

  • personal data revealing racial or ethnic origin,
  • personal data revealing political opinions, religious or philosophical beliefs, or trade union membership
  • genetic data
  • biometric data
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation.

The processing of this type of data is prohibited unless one of the conditions in Art. 9 (2) applies.

The processing of sensitive personal data is allowed where the processing is carried out with the explicit consent of the data subject. Explicit consent should be ‘freely given, informed and specific’. Written opt-in can be considered as explicit consent of the data subject. Explicit consent may also be indicated orally or by behaviour: it requires an affirmative action from the data subject accepting that his/her personal data are being processed. 

The UAVG provides for some specific national derogations – it allows processing of special category of personal data under specific conditions, including:

  • processing of data necessary for scientific or historical research purposes or statistical purposes;
  • processing of data revealing racial or ethnic origin;
  • processing of data revealing political opinions in a public capacity;
  • processing of data revealing religious or philosophical beliefs for purposes of mental care; or
  • processing of genetic data if such processing is related to the person from which these data are obtained from.

The UAVG also allows the processing biometric data for authentication and security purposes (e.g. biometrics-based access systems to computers and buildings).



The GDPR, Art. 4 (11) defines ‘consent’ of the data subject as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. 

Children’s age

The UAVG does not provide for a different age limit and the age at which a child can provide a valid consent, so the age limit is 16 years old.