Term personal data is one of the most important concepts of the General Data Protection Regulation (GDPR).
Understanding what GDPR considers personal data can help you determine if GDPR applies to your data processing activities and introduce you to your set of responsibilities and obligations.
If you are processing personal data, you will have to implement appropriate safeguards and understand your limitations and responsibilities around processing, sharing, and transferring personal data.
What is personal data?
Article 4 defines personal data as any piece of information that relates to or can be related to a natural person that can be directly or indirectly identified via that information.
This includes processing personal information about your employees or conducting direct marketing activities.
The GDPR applies to the processing of personal data that is both automated and non-automated (partially or fully) and includes information related to:
- an individual who can be identified or identifiable, directly from that information
- an individual who can be indirectly identified from that information in combination with other information
In order to consider information personal data, it has to be related to an individual.
You should also consider if there is other information that you are processing that, if put together, can identify the individual.
Even if you need additional information to be able to identify someone, they may still be identifiable. Therefore the information you are processing may be personal data.
Examples of personal data
- First name and last name
- Home address
- Identification number
- Internet Protocol (IP) address
- Location data
- e-mail address (even if it is a company address if it contains personal information about employee: firstname.lastname@example.org)
- location data
Interestingly, you can’t always identify individuals by their full name. For example, the name John Smith can be shared by multiple individuals.
However, more often than not you will process multiple information about individuals. If you combine multiple identifiers that point to a single person (like IP address + full name) then this is personal information because now you can easily identify this person.
Sensitive personal data
There are also special categories of sensitive personal data, that require additional safeguards and can be processed in limited scenarios.
Examples of special categories of personal data are:
- Criminal records,
- Data related to racial or ethnic origin,
- Medical records,
- Data about religious or philosophical beliefs
- Trade-union membership,
- Political stands
- Data related to racial or ethnic origin
- Genetic data
- Biometric data
- Data related to sexual orientation…
The processing of sensitive data is prohibited by the GDPR. Of course, there are certain exemptions. For example, in the field of employment law, social protection law, for health security reasons, or to protect the vital interest of data subject.
What is not considered personal data?
- Information about legal entities such as companies or public authorities. An exception is if the information is related to an individual (partners, company employees, stakeholders, managers) if the individual can be identified and the information is related to that individual
- The email address that does not contain personal information (email@example.com)
- Information related to the deceased individual
- Anonymized data
There might be cases where you will determine that information is not personal data because it does not relate to an individual.
This data will be out of the scope of the GDPR. However, national laws may still apply since the Member States can extend their scope in certain cases.
Pseudonymized data is still personal data
According to the GDPR, pseudonymized data is still considered to be personal data because the process can be reversed.
Anonymized data, however, is not covered by the GDPR, because the individual can not be identified and the process can not be reversed.
Requirements for processing personal data
There are certain principles, preconditions, and steps that need to be taken before processing personal data. When processing personal data you are obligated to
- Process personal data lawfully, fairly, and transparently
- Collect data for a clear and specific purpose
- Make sure that the processing is adequate, limited, and relevant (data minimization principle)
- Keep your data accurate and up to date
- Keep data in a form that permits identification of data subjects for no longer than is necessary (storage limitation, anonymization)
- Implement appropriate security measures
- Implement adequate technical and organizational data protection measures
4 building blocks of the definition of personal data
The WP29 opinion n 4/2007 on the concept of personal data from 2007 (and still relevant) recognizes 4 main building blocks of the definition:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1. “Any information”
The concept includes any type of information about the person and includes:
- objective and subjective information
- or assessments
GDPR does not care if the information is true or false, proven, or disputable, it treats all that information the same.
Personal data includes sensitive information, but also all kinds of general information about private and family life, and any type of activity by the individual.
Personal data also includes any formate or medium on which the information is contained, including photographic, numerical, alphabetical, or acoustic. It can also be stored in computer memory, paper form, videotape, or in any other way.
2. “Relating to”
Information is considered relating to an individual if it is about the individual.
This is a critical element of the definition since the links between the data and the individual will sometimes be difficult to establish and define.
If information relates to an object, events, or processes sometimes it can be considered personal information.
In order to establish if that data is related to an individual, a “content” element OR a “purpose” element OR a “result” element should be present. This means the data is:
- about the individual (content)
- assessment or evaluation of the individual (purpose)
- or when the processing has an impact on an individual’s rights and interests (result)
3. “Identified or identifiable”
A natural person is considered “identified” when you can distinguish this person from other people within the group. The individual is “identifiable” when, although the individual has not been identified yet, it is possible to identify this person.
4. “Natural person”
The protection of personal information applies to natural persons. However, in general, GDPR does not apply to the personal data of deceased persons or information relating to legal persons.
Of course, there are exemptions, and Member State can also extend the scope of the GDPR regarding this subject.