What is personal data under GDPR?
What type of information can be considered personal data?
How do we determine what information is protected and what is not?
In this article, we will break down the notion of “personal data” under GDPR and see how it is defined, what type of information can be considered personal data and see what are the limits of personal data.
Ready to dive in?
Let’s do this.
Table of Contents
What is personal data under GDPR?
Personal data is any information relating to an individual allowing his or her identification, directly or indirectly, from the data gathered or from a combination of data.
Article 4(1) GDPR defines personal data as follows:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
The definition of personal data is interesting as data can be considered personal data if it allows the identification of an individual but also an identifiable person.
Let’s break down this definition into its constituent parts:
- Any information
- Relating to
- Natural person (data subject)
- Identified
- Identifiable
- Directly or indirectly
- Reference to an identifier
We will look at each of these aspects of the definition in this article.
For now, we can gather that we are collecting, processing and storing personal data if it relates to:
- The direct identification of a data subject
- The indirect identification of a data subject
- A directly identifiable data subject using identifiers
- An indirectly identifiable data subject using identifiers
Any information
The definition of GDPR is very broad.
GDPR states that “any information” relating to an identified or identifiable individual can be personal data.
The definition of personal data gives us many examples of what can be considered information about a person, they are:
- Identification number
- Location data
- Online identifier
- Physical factors
- Physiological factors
- Genetic factors
- Mental factors
- Economic factors
- Cultural factors
- Social identity factors
As you can see, the definition of personal data can be interpreted very largely and that was intended by GDPR.
The definition of information will include objective information about a person and subjective information about a person.
Objective information is someone’s age while subjective information is a person’s opinion about a subject.
“Relating to” a natural person
For information to “relate to” a natural person, it must consist of more than just a mere identification of a person.
The information must concern them or have some sort of effect on them even though that was not the primary objective.
It is possible that data may point to an identifiable individual without the data being considered as personal data under GDPR.
Any information you collect, use and process related to an individual that may potentially have an impact on the person is personal information.
How to determine if the information “relates to” a person?
A company must assess whether or not the information they collect, use, process and store actually relates to a person.
What is the content of the data collected?
What is the purpose of the data collected?
By processing the data, what is the impact on the data subject?
Will the processing of data have an effect of any kind on the person?
Difficulty in qualifying data as personal data
Qualifying data as personal data may not be clear in all circumstances.
In some cases, we can clearly reach the conclusion that we are processing personal data.
In other instances, it may not be so straightforward or evident whether or not the data is personal or may allow the identification of a person.
The purpose and reason why data is being processed will have an important impact on determining whether data is personal or not.
If a company cannot ascertain data as personal, the Information Commissioner’s Office of the UK recommends that organizations treat the information with care, determine a clear purpose for processing the data and dispose of it safely.
A natural person (data subject)
When we say personal data, to who does it apply?
For personal data to be relevant under GDPR, it has to be about a data subject.
The term data subject is not specifically defined under GDPR.
We can interpret GDPR’s articles and recitals to assert that GDPR intends to define a data subject as follows:
- Individuals located in the European Union
- Residents of the European Union
- Citizens of the European Union
- Residents and Citizens of EU located anywhere in the world
- Any person having personal data located in the European Union
You can read our article on what is a data subject under GDPR for additional insights on the notion of data subjects.
Identified natural person
When information allows the direct identification of a natural person located in the EU, resident or citizen of the EU or any personal data in the EU, that information is personal data.
This can include information such as:
- Name
- Address
- date of birth
- national identification number
With the information, there is no doubt that a data subject is identified.
When you look at the information you have, if you are able to identify a specific person, then that’s personal data as you can directly identify a natural person.
Identifiable natural person
An identifiable natural person is not directly identified on the basis of the information you have but can be identified by analyzing the data with other data points.
Possibility of identifying a person
Even though a person cannot be directly identified with the information you have, it can still be considered personal data as there’s the possibility that the person may be identified (or is identifiable).
Missing information to identify a person
Incomplete information that does not allow you to immediately identify a person can be personal data if you can get the missing information.
Therefore, it’s not relevant whether or not you have the missing information to directly identify the data subject.
Whether you already have the missing information to identify the data subject or you must get it from another source, the data you have can be personal data.
If you can somehow get the missing data, you may have personal information on hand.
Hypothetical possibility of identifying a person
Can a hypothetical scenario that someone may obtain the missing information be sufficient to qualify the data as personal data?
A hypothetical possibility that someone may reconstruct the data to identify a person is not enough.
A company must consider whether or not a person with sufficient means and knowledge would be able to reconstruct the data and identify a person.
If so, you should treat the data as personal data.
Directly or indirectly
Directly identifying a person is simple.
If you have information about “John”, you have directly identified John.
That’s personal data.
Instead of using his name, you can identify John using other data points such as his location, height, weight and hair colour.
That’s an example when a person can be indirectly identified.
If you hold information allowing you to combine them to identify a person, that’s personal information.
Information that you do not have and you have a reasonable possibility of accessing can also lead to you having personal information.
Reference to an identifier
Information can be personal data if used with identifiers can help identify a natural person or allow the identification of a person.
In Article 4(1) GDPR gives us a list of identifiers:
- Identification number
- Location data
- Online identifier
- Physical factors
- Physiological factors
- Genetic factors
- Mental factors
- Economic factors
- Cultural factors
- Social identity factors
Recital 30 GDPR provides additional information on what can constitute “identifiers”:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
GDPR adds that companies may use online identifiers or other types of identifiers to identify a person, such as:
- Device data
- Application data
- Online tools
- Online protocols such as IP addresses
- Cookie identifiers
- Radiofrequency identifiers
- Other identifiers
Traces left by an individual combined with unique identifiers and server information may allow a company to create profiles on a natural person and identify them.
What is considered personal data?
Any information about a person is personal data and GDPR is designed to protect it.
GDPR defines another class of personal information, the special categories of data, and protects it even further.
This second group contains information GDPR considers much more sensitive.
Special categories of data
What are the “special categories of data”?
Article 9 GDPR defines special categories of data as follows:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where used for identification purposes)
- Health data
- Person’s sex life
- Person’s sexual orientation
GDPR establishes stricter requirements to process special categories of data so individuals can benefit from additional legal protections.
Pseudonymous data
Pseudonymous data is personal data under GDPR.
When personal data is “de-identified” by an organization, we say that the data has been pseudonymized.
Pseudonymous data is not permanently and irreversibly de-identified.
A company generally will have the technical means to recreate the personal data.
A typical example is data encryption.
When data is encrypted, a person viewing the data will not make out of that data.
However, a company can de-encrypt the data and restore the original information as needed.
Anonymous data
Anonymous data is not personal data under GDPR.
Anonymous data is when data is permanently anonymized.
An individual or person will no longer be identifiable as the process is irreversible.
Business data
Any business data will not be considered personal data under GDPR.
Business data can include:
- Company registry information
- Company address
- Company email address
- Product information
- Service documents
- Software documentation
GDPR intends to protect “natural persons” making it clear that legal entities and corporation data are not protected by GDPR.
Inferred data
Inferred data is data that a company infers or derives from the analysis and assessment of other data.
If a company uses different data points about a person and infers an outcome or makes a prediction, is the inferred data personal data?
Under the guidance of the Working Party on data portability, they indicate that inferred data may be personal but not subject to the portability rights.
This begs the question, if inferred data may be personal data but not subject to the individual rights under GDPR, are companies exempt from the full application and scope of GDPR?
Examples of personal data
Here are some examples of personal data we may see in practice:
- First name and last name
- Home address
- Email address
- Telephone number
- National identification number
- Medical file
- Banking information
- Account data
- Credit card number
- Credit history
- Employee number
- Employee timesheets
- Employee performance
- Exam answers
- IP address
- Cookie ID
- Location data
- License plate number
- The appearance of the person
- Client ID
- Person’s opinion
- Person’s views
It’s nearly impossible to list all possible information potential personal under GDPR.
Every organization must assess the data they collect and obtain from other sources and determine whether or not they can identify a natural person or can the person be identifiable.