
A GDPR Guide That Gives You The Overview

A GDPR guide that gives you the overview
November 26, 2024
Introduction
At ComplyCloud, a detailed GDPR guide has been developed to help organizations and employees navigate the complex rules of data protection in a more practical way. The purpose is to translate legal requirements into everyday actions that can be applied in real work situations.
This article builds on the key ideas from that guide and highlights the most important concepts you need to understand when working with personal data - especially in relation to handling, sharing, and redacting information.
At Cleardox, we mainly focus on identifying and removing personal information in both structured and unstructured data, so understanding GDPR categories is a key part of ensuring proper and secure redaction.
What counts as personal data under GDPR?
Under GDPR, personal data is any information that can be linked to an identifiable person - either directly or when combined with other information.
To make this easier to work with in practice, personal data is typically grouped into three categories:
1. Normal personal information such as:
This includes basic information that can identify a person in everyday contexts, such as:
- Name and address
- Email address
- Phone number
- Age and gender
- Images or video of a person
These types of data are common and often appear in standard business documents.
2. Classified information
This category includes more sensitive but not strictly special-category data, such as:
- CPR or social security numbers
- Financial information
- Information about criminal offences or legal matters
This type of data typically requires stronger protection measures and stricter handling procedures.
3. Sensitive information
This is the most protected category under GDPR and includes information such as:
- Health-related information
- Ethnic origin or race
- Political, religious, or philosophical beliefs
- Trade union membership
- Genetic and biometric data
- Sexual orientation
Sensitive data is generally prohibited from being processed unless specific legal conditions are met, such as explicit consent or legal obligation.
Why this matters in practice
GDPR applies the moment you process personal data - meaning any form of handling, storing, sharing, or editing information.
In everyday work, this often includes:
- Receiving or sending documents with personal information
- Searching in files or databases
- Handling emails with sensitive content
- Storing customer or employee data in systems
Because of this, organizations must always ensure that data is handled responsibly and only used for legitimate purposes.
Sharing documents with third parties
A key principle in GDPR is that personal information should not be shared with third parties unless it is necessary and legally justified. This is where redaction becomes essential.
Before sharing documents externally, organizations must ensure that all personal data is either removed or properly anonymized. Once information is fully anonymized, it no longer falls under GDPR regulation.
However, it is important to understand that anonymization only applies when individuals can no longer be identified - even when combining the document with other available information.
Practical takeaway for redaction
In practice, working with GDPR-compliant documents requires more than just removing obvious identifiers.
It involves understanding:
- What constitutes personal data
- How different data types can be combined to identify someone
- When information is truly anonymized
Tools like Cleardox are designed to support this process by helping identify and remove personal data more efficiently, especially in large or complex documents.
Final note
GDPR is not just about rules - it is about ensuring that personal information is handled responsibly throughout its entire lifecycle.
Understanding the different categories of personal data is a strong first step toward better compliance, fewer risks, and more secure document handling in everyday work.
Get the whole GDPR guide from ComplyCloud here
What is personal data under GDPR?

Personal data is any information that can identify a person, either directly or indirectly. This includes both standalone data, like names, and combinations of information that together can point to an individual.
What are the three main categories of personal data in GDPR?

GDPR typically divides personal data into three categories: ordinary personal data (like names and contact details), confidential data (like CPR numbers and financial information), and sensitive data (like health, political views or biometric data).
Why does personal information need to be redacted before sharing documents with third parties?

Personal information must be redacted before sharing documents with third parties to prevent unauthorized access to sensitive data. GDPR requires that only necessary and relevant information is shared, and redaction ensures that personal details are removed or hidden before distribution, reducing compliance risks.
What does it mean for data to be fully anonymized under GDPR?

Data is fully anonymized when it is no longer possible to identify a person, even when combining it with other available information. Once anonymization is achieved, the data is no longer subject to GDPR.
Does GDPR still apply to documents after they have been properly redacted?

No. If a document has been properly and fully anonymized through correct redaction, it is no longer considered personal data under GDPR. However, this only applies when re-identification is truly impossible, even with additional information from other sources.
















