The notion of personal data is without question the most important component of the GDPR, because it determines whether the GDPR applies at all. If an organization processes personal data, it must ensure compliance with all provisions of the GDPR (99 articles, 100 pages). None of these obligations apply, however, if no personal data is involved. Let’s illustrate that with a diagram:
So understanding what personal data is has very real consequences. Let’s dive into the notion.
The simplest way to understand personal data is:
Any data that allows a natural person to be identified, directly or indirectly.
It’s a simplified version of the legal definition given in article 4, but it has the benefit of being extremely clear.
Here are some practical examples of personal data:
E-commerce orders naturally involve the processing of personal data:
Personal data is not private data
Personal data is frequently confused with private data, in the sense of “my personal diary” or of data that is intimate to a person. The legal definition is much broader: any data that allows the identification of a person falls within the GDPR’s scope.
In practice, personal data is always handled as part of a personal data processing activity. For example, a company collects email addresses for its newsletter. Once we’ve established that an organization is processing personal data, it must be able to record that processing activity, as the law requires. Let’s take a few examples of personal data processing.
Here are some classic examples of personal data processing for which organizations will need to ensure compliance:
Let’s now look a bit deeper into the legal definition.
So far, we’ve introduced a simple definition that is great for a first understanding of the concept but that is also imperfect. So let’s take a look at the exact definition.
The notion of personal data is defined in article 4:
For the purposes of this Regulation: (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Recital 26 also provides useful clarification regarding the anonymisation of personal data:
The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
Recital 30 also provides useful clarification:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
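The distinction drawn in Recital 26 between pseudonymised data (still personal data, because additional information lets someone attribute it to a person) and anonymous data (no longer relating to an identifiable person) is easy to get wrong in practice. The following Python example, added here and not part of the original article, works through it on a constructed order table: a keyed token replaces the direct identifiers, the key is the "additional information" that makes re-identification possible, an unkeyed hash is shown to be no better, and only aggregation with small-group suppression produces data that relates to no single person. Tokens of this kind are also the sort of online identifier Recital 30 has in mind. All names, emails and the key are constructed sample values.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample: a tiny e-commerce order table with direct identifiers.
ORDERS = [
    {"email": "alice@example.com", "name": "Alice Martin", "city": "Lyon", "total": 42.0},
    {"email": "bob@example.com", "name": "Bob Durand", "city": "Lyon", "total": 19.5},
    {"email": "carol@example.com", "name": "Carol Lefevre", "city": "Paris", "total": 77.0},
]


def pseudonymise(orders, key):
    """Replace the direct identifiers with a keyed token (HMAC-SHA256 of the email).

    The key is the 'additional information' of Recital 26: whoever holds it can
    attribute every row back to a person, so the output is still personal data
    and must be handled as such.
    """
    rows = []
    for order in orders:
        token = hmac.new(key, order["email"].encode(), hashlib.sha256).hexdigest()
        rows.append({"token": token, "city": order["city"], "total": order["total"]})
    return rows


def reidentify(pseudo_rows, key, known_emails):
    """Attribute pseudonymised rows back to people, given the key and a list of
    candidate emails. This is the 'means reasonably likely to be used' test made
    concrete: with the key, re-identification costs one HMAC per candidate.
    Without the key, every lookup returns None.
    """
    lookup = {hmac.new(key, e.encode(), hashlib.sha256).hexdigest(): e for e in known_emails}
    return {row["token"]: lookup.get(row["token"]) for row in pseudo_rows}


def naive_hash(orders):
    """Unkeyed SHA-256 of the email, often mistaken for anonymisation.

    Anyone who has (or can enumerate) the email addresses recomputes the same
    digest and singles out the row, so this is pseudonymisation at best.
    """
    return [
        {"token": hashlib.sha256(o["email"].encode()).hexdigest(), "city": o["city"], "total": o["total"]}
        for o in orders
    ]


def naive_reidentify(hashed_rows, known_emails):
    """Re-identify unkeyed-hash rows: no secret is needed, only the email list."""
    lookup = {hashlib.sha256(e.encode()).hexdigest(): e for e in known_emails}
    return {row["token"]: lookup.get(row["token"]) for row in hashed_rows}


def anonymise_by_aggregation(orders, min_group=2):
    """Aggregate to order counts per city and suppress groups smaller than min_group.

    The result relates to no single person, which is what Recital 26 calls
    anonymous information and places outside the Regulation.
    """
    counts = Counter(o["city"] for o in orders)
    return {city: n for city, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; in production this is a managed secret
    emails = [o["email"] for o in ORDERS]
    pseudo = pseudonymise(ORDERS, key)
    print("with key:   ", reidentify(pseudo, key, emails))
    print("wrong key:  ", reidentify(pseudo, b"other-key", emails))
    print("naive hash: ", naive_reidentify(naive_hash(ORDERS), emails))
    print("aggregated: ", anonymise_by_aggregation(ORDERS))
```

The design point is that the pseudonymisation key and the email list must be treated as part of the personal data processing, because either one re-links the tokens to people; only the aggregated counts can be shared as anonymous information, and even then the small-group suppression matters, since a count of one for a city would single out that single customer.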
As noted above, the main consequence of processing personal data is that the GDPR applies. This also means that each processing activity will have to be integrated into a compliance process and recorded in the records of processing activities required by article 30.
Legiscope helps controllers automate these obligations and currently reduces the time needed to complete the records of processing activities from multiple weeks of work to a few minutes for most standard processing activities. Check us out!