Disclosure of personal data is considered as one of the main threats for data opening. In this contribution we consider the data that are sensitive in GDPR terms (for example, criminal justice data within the Dutch justice domain) and discuss how they can be opened. According to Dutch laws, such data can be opened if they are without personal information. Subsequently, we distinguish two cases for having no personal information in data sets based on whether the data controller cannot or can revert the data protection process. These two cases are related to two GDPR concepts of data being anonymous or pseudonymized in its GDPR sense, respectively. In this contribution we highlight the need for deciding on which GDPR concept should be adopted for opening sensitive data sets (i.e., whether the opened data should be protected against data controllers or not). For making this decision, we recommend policymakers to consider also the impacts of realizing the prevalent concept on, e.g., data utility.