The meaning of “personal data” under the GDPR.
The GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.
But what is “personal data” under the GDPR?
The definition of “personal data”
According to Article 4(1) of the GDPR, personal data means:
“any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier […]”
Simply stated, personal data is any information that relates to a natural person who:
- can be identified or is identifiable directly from the information in question; or
- can be indirectly identified from that information in combination with other information, meaning that different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data.
Sensitive personal data.
Personal data may also include special categories of personal data such as:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health or data concerning a natural person’s sex life or sexual orientation.
Personal data also includes criminal conviction and offences data.
The aforementioned personal data are considered to be more sensitive and a controller or a processor may only process them in more limited circumstances.
Identifiers and related factors.
An individual is identified or is identifiable if a controller or a processor can distinguish that individual from other individuals.
Whether any potential identifier actually identifies an individual depends on the context. Note that a combination of identifiers may be needed to identify an individual.
The GDPR provides a non-exhaustive list of identifiers, including:
- identification number
- location data
- online identifiers such as IP addresses and cookie identifiers.
Identified or identifiable directly
If a controller or a processor can distinguish an individual from other individuals only from the information they are holding, that individual will be identified or identifiable. A combination of other identifiers may be sufficient to identify the individual.
If an individual is directly identifiable from the information or from a combination of identifiers, this may constitute personal data.
Identified or identifiable indirectly
If a controller or a processor holds information that can indirectly identify an individual, that information could constitute personal data.
Even if a controller or a processor needs additional information to be able to identify someone, the individual may still be identifiable. That additional information may be information that the controller or processor already holds, or it may be information that it needs to obtain from another source.
The meaning of “relates to”
Information must “relate to” the identifiable individual to be considered personal data. This means that the information must concern the individual in some way.
Pseudonymised and anonymous personal data.
Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
How can we help?
Our law firm can advise your business on GDPR issues or assist you in drafting the necessary policies and manuals. For more information contact firstname.lastname@example.org