Personal data under the GDPR

What is personal data?

Personal data or personal information is a piece of information that relates to or can be related to a natural person, that can be directly or indirectly identified via that information. The GDPR applies to the processing of personal data that is both automated and non-automated (partially or fully).

Personal data only includes information related to:

✅ an individual who can be identified or who are identifiable, directly from that information
✅ an individual who can be indirectly identified from that information in combination with other information

Example of personal information is name and surname; a home address; identification number, an Internet Protocol (IP) address; a cookie ID, etc.

There are also special categories of sensitive personal data, that require special attention and can be processed in limited circumstances.

Examples of special categories of personal data are: criminal records, personal data related to racial or ethnic origin, medical records, religious or philosophical beliefs. trade-union membership, political stands and so on.

what is considered personal data, special category of personal data and what is not considered personal data

What is not considered personal data?

✅ information about legal entities such as companies or public authorities. An exception is if the information is related to an individual (partners, company employees, stakeholders, managers) if the individual can be identified as and the information is related to that individual

✅ company registration number

✅ the email address that does not contain personal data (info@company.com)

✅ information related to a deceased individual

Personal data according to the GDPR

According to the GDPR, pseudonymized data is still considered to be personal data because the process can be reversed.

Anonymized data, however, is not covered by the GDPR, because the individual can not be identified and the process can not be revered.

In order to consider information personal data, it has to be related to an individual. Meaning you should also consider, the purpose of the processing, the content of the information, and the impact on an individual.

Also, consider if there is other information that you are processing, that if put together can identify the individual.

For example, the name is considered personal data, however, can you really identify an individual just by his name? Probably not, since there are many individuals that this particular piece of personal information can be related to.

However, in combination with another piece of personal data, like surname or address, you can most certainly identify an individual.

Take into account, that even if you need additional information to be able to identify someone, they may still be identifiable, therefore the information you are processing may be personal data.

For example, you may not have the first name of the individual, but if you have his identification number you can still identify the individual.