Even the lawful processing of personal data poses risks for the persons concerned, e.g. the processing of address lists, shopping behaviour, communication at the workplace or membership lists of a sports club. There, the severity of the damage and the probability of its occurrence in combination can thus reach a medium level for the risk of the person concerned.
When processing special types of personal data, i.e. sensitive data, the risk is not always to be classified as high. The risk level "normal" can therefore also be achieved there, e.g. with information on religious affiliation "Roman Catholic" in Bavaria or the diagnosis of a "cold" by the family doctor.