You process personal data constantly – in every email you send, every sale you record, and in interactions with customers. Handling personal data is the cornerstone of trust between you and your customers. It is the fabric of your business relationships and a legal requirement of the GDPR.
Every piece of personal information you manage carries weight, and the slightest slip in handling personal data can shake that trust and have broader consequences than you might imagine.
So, what is personal data? This is a central question, and all employees in your organisation must know the answer if you want to uphold this trust and comply with the GDPR.
The Definition of Personal Data in the GDPR
The concept of personal data is defined in Article 4(1) of the GDPR as follows:
“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
The definition consists of four key elements: “any information,” “relating to,” “an identified or identifiable,” and “natural person.”
These components are interrelated and collectively contribute to understanding what constitutes personal data. We will therefore explore each of them below.
1) Any Information
Personal data includes any information about an individual and could be ‘sensitive data’ or more general information about an individual.
Personal data is any information related to an identifiable individual, regardless of accuracy. So, inaccurate data concerning an individual is also considered information about that individual. This fact is enshrined in the GDPR, which grants individuals the right to rectification, allowing them to correct their inaccurate personal data.
The term ‘personal data’ includes any information relating to the individual’s private and family life and whatever type of activity is undertaken by the individual, e.g. working relations or economic or social behaviour. It includes information on individuals, regardless of their position or capacity, e.g., consumer, patient, employee, customer, etc.
Formats of Personal Data
Personal data encompasses any form of information that could be stored, whether alphabetical, numerical, graphical, photographic, or acoustic. This includes personal data stored on paper, digitally, on tape, or otherwise.
Any file containing identifiable information about a person is classified as personal data. This extends to texts within electronic documents, which are also considered personal data when they have identifiable details about an individual and meet the general criteria for personal data.
Example: Telephone Instructions to the Insurance Company
When a customer calls the insurance company and gives instructions regarding their insurance policies, the insurance company could record these instructions, which would be considered personal data.
Example: Video Surveillance
Images of individuals captured by a video surveillance system can be personal data when these individuals are recognisable, which would almost always be true.
Example: Hand Drawing
A drawing made as part of a psychological evaluation could reflect the person’s feelings, e.g. about family, work, or similar and therefore qualifies as personal data.
2) Relating to
Information can be considered to relate to an individual when it is about that individual.
Generally, information can be about an individual when it has a content, purpose, or result element.
Content
Often, the content of the information is clearly about a specific individual.
Information in an employee’s personnel file is clearly information relating to their status as an employee. Similarly, the results of a patient’s medical test found in their medical records directly relate to them.
Purpose
The same piece of information can relate to different persons simultaneously. The same piece of information can display different personal data depending on the purpose of our evaluation.
Example of Medical Records
A patient’s medical record displays the patient’s health status, the evaluation performed by the medical staff and their corresponding actions.
Example of Customer Support
A company’s customer support emails reflect customers’ questions and the agents’ responses. IT security staff might also monitor and examine these emails, making them personal data relevant to multiple parties: customer support, customers, and IT staff.
Result
When the outcome of data processing impacts an individual, it could be considered personal data, even if this wasn’t the purpose of the processing.
Example: Geographic Location of Cars
Consider the case where a taxi company uses GPS to find the location of its available cars. The purpose is to improve the service and save fuel by sending the closest car to the customer’s location. However, the system can monitor whether drivers obey speed limits, choose efficient routes, or actively drive or take a break. A result of this processing is personal data about the drivers.
3) Identified or identifiable
Personal data must be about an identified or identifiable individual.
A person is “identified” when they are distinguished from all other members of a group of persons.
Identification can occur directly through explicit identifiers like a name or indirectly through elements such as a telephone number, social security number, or passport number. Additionally, an individual can be identified by combining various criteria – like age, occupation, and place of residence – which narrows down and distinguishes an individual within a group.
The person’s name is the most common identifier, and, in practice, the notion of “identified person” implies most often a reference to the person’s name. However, additional details like date of birth or address might be needed to avoid confusion, as persons may share the same name, e.g., James Smith would not be a unique identifier as thousands of persons share the name.
A person is ‘identifiable’ if there’s a potential to identify them, even if they haven’t been identified yet. Therefore, any information that could be used to identify an individual, identified or not, is considered personal data.
Identifiable by Any Means
To determine if a person is identifiable, you must consider all reasonable methods that could lead to identification, not just those controlled by the data controller. This includes means available to other parties, like data processors.
However, a theoretical possibility of identification alone does not qualify someone as ‘identifiable’. After considering all practical identification methods accessible to the data controller and others, if the likelihood of identifying the individual is low or non-existent, they are not ‘identifiable.’ As a result, the information does not count as ‘personal data.’
When assessing if an individual can be identified, factors like the cost of identification, the controller’s purpose for data processing, potential benefits, individual interests, and data breach risks are important.
The assessment of identifiability should be an ongoing process that takes into account not only current technological capabilities but also potential future advancements.
Data unlikely to lead to identification during its storage period isn’t deemed personal data. For instance, data stored for a month without feasible identification isn’t personal data. However, if data is retained for ten years, the possibility of identification in the ninth year becomes relevant.
In video surveillance cases, companies often argue that only a fraction of the footage leads to identification, suggesting it is not personal data processing. Yet, if the purpose of the surveillance is to identify individuals as needed, then the entire activity is considered as processing personal data, even if some individuals remain unidentifiable.
Pseudonymised
Pseudonymisation conceals an identified individual by substituting personal identifiers with random and unpredictable pseudonyms. This allows for collecting additional data related to an individual without revealing their identity.
Pseudonymised data is considered indirectly identifiable. The pseudonym creates a link back to the individual, enabling their identification under specific and controlled conditions.
Imagine a list of names paired with their medical records. Replacing the names with random codes pseudonymises the data by obscuring the direct connection to individuals. However, a separate, secure list correlates these codes to the actual names and is accessible only to authorised personnel. This ensures data security while allowing identification should this be necessary.
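The list-of-names scenario above, sketched in Python as an added example (it is not code from the original article). The class, function, and role names are hypothetical, the sample records are constructed, and the in-memory key list stands in for the separate, access-controlled store the text describes.

```python
import secrets

# Constructed sample data; the names and findings are invented.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "finding": "blood pressure 120/80"},
    {"name": "Bob Sample", "finding": "allergy: penicillin"},
    {"name": "Alice Example", "finding": "follow-up scheduled"},
]


class Pseudonymiser:
    """Swaps names for random codes and keeps the code-to-name list apart.

    Hypothetical design: in practice the key list lives in a separate,
    access-controlled store, not in the same process as the working data.
    """

    def __init__(self, authorised_roles):
        self._authorised_roles = set(authorised_roles)
        self._code_by_name = {}  # lets one person keep one code across records
        self._name_by_code = {}  # the separate key list

    def pseudonymise(self, name):
        code = self._code_by_name.get(name)
        if code is None:
            # Random, not derived from the name: a plain hash of the name
            # could be reversed by hashing candidate names and comparing.
            code = "P-" + secrets.token_hex(8)
            while code in self._name_by_code:  # regenerate on a collision
                code = "P-" + secrets.token_hex(8)
            self._code_by_name[name] = code
            self._name_by_code[code] = name
        return code

    def reidentify(self, code, role):
        """Resolve a code back to a name, only for an authorised role."""
        if role not in self._authorised_roles:
            raise PermissionError(f"role {role!r} may not re-identify")
        return self._name_by_code[code]


def pseudonymise_records(records, pseudonymiser):
    """Return copies of the records with 'name' replaced by a 'subject' code."""
    out = []
    for record in records:
        copy = {k: v for k, v in record.items() if k != "name"}
        copy["subject"] = pseudonymiser.pseudonymise(record["name"])
        out.append(copy)
    return out


if __name__ == "__main__":
    p = Pseudonymiser(authorised_roles={"records_officer"})
    for row in pseudonymise_records(SAMPLE_RECORDS, p):
        print(row)
```

Because the same person always receives the same code, further records can be linked to them without exposing the name, which is why the output remains personal data.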
Anonymous Data
Anonymous data cannot be used to identify a person, even when considering all reasonable identification methods available to the data controller and others.
Anonymised data is a specific type of anonymous data that was initially identifiable but has been processed so that identification is no longer possible.
Data protection principles do not apply to anonymised data to the extent that the subject becomes unidentifiable, as should be the case with anonymised data.
Whether data is anonymous is contextual and should be analysed case-by-case. This is especially important in statistical contexts, where aggregated data may still allow for individual identification if the sample size is small or other information is available, which could help to identify the otherwise anonymous person.
4) A Natural Person
Personal data must concern a natural person, an individual human being, as opposed to a legal person, which refers to entities like companies, government institutions, NGOs, and similar organisations. These entities are recognised by law as capable of rights and duties.
Personal data concerns information about natural persons, not organisations. However, data related to a business, such as in a sole proprietorship, is still considered personal information, as it is directly linked to the individual owner.
A Legal Person
Personal data primarily concerns information about individuals. However, in certain instances, business-related details can be considered personal data if they indirectly pertain to individuals.
For instance, when a company’s name includes an individual’s name or when a specific employee consistently uses a corporate email address, this information becomes linked to that individual. Additionally, data about a small business may closely reflect the personal dealings of its owner. Data related to a business, such as in a sole proprietorship, is also considered personal information, as it is directly linked to the individual owner.
To simplify compliance with data protection standards, some companies treat all data, including business-related information intermingled with individual data, as personal data. This approach eliminates the need for specific data categorisation and aligns with privacy regulations.
Categories of Personal Data
It’s widely recognised that some personal information is more sensitive than others.
This understanding is formally captured in the GDPR by having different categories of personal data, such as special categories of personal data (commonly known as sensitive personal data) and non-sensitive personal data.
The GDPR also considers data about children a distinct category that must be treated with greater care, as children generally have less awareness of how their data is processed.
Information about a person’s criminal offences and convictions must also be processed with greater care as the GDPR limits how this data can be processed and by whom.
Finally, some personal data, such as information about your wealth, you wouldn’t want to be public. This kind of personal data is typically categorised as confidential personal data.
Non-sensitive Personal Data
Non-sensitive personal data is information not specifically classified under GDPR’s Article 9 ‘special categories.’ This would include the following examples:
- Full name
- Address
- Phone number
- Date of birth
- Social media profiles
- Driver’s license number
- Employee ID
- IP address
Although this data is called non-sensitive, it can pose risks if misused. For example, a phone number could lead to phishing attacks, and somebody might exploit a birth date for unauthorised account access.
This personal information is widely used or generated in every interaction online or when doing business, and you could categorise an endless amount of personal information as non-sensitive.
Sensitive Personal Data
The GDPR lists all sensitive personal data categories in Article 9, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, and data concerning a person’s sex life or sexual orientation.
Historically and currently, such information has been misused for discrimination or harm. For example, a person’s political affiliations might lead to job discrimination, or in extreme cases, such as under a dictatorship, personal health information like allergies could be used against an individual to cause harm.
Due to these risks, sensitive personal data is strictly regulated and can only be processed under the conditions mentioned in Article 9(2), e.g. a hospital is allowed to process patient health data.
Children
Under the GDPR, ‘children’ typically refers to individuals under 16. However, EU Member States may set this age of consent between 13 and 16 years.
In contexts where consent is the basis for processing children’s data, it must be given by the child’s legal guardian when the child is below the member state’s consent age. For instance, Spain, France, and Portugal have set their consent ages at 14, 15, and 13, respectively.
The regulation aims to protect children from data misuse online, ensuring that digital services targeting them safeguard their privacy and communicate clearly and understandably how their data is processed.
Criminal offences or convictions
The GDPR imposes strict restrictions on processing personal data related to criminal offences or convictions. This category includes, e.g.:
- Criminal records showing past convictions.
- Details from court proceedings indicating criminal behaviour.
- Information from police reports about arrests.
- Legal judgments or sentences related to illegal activities.
- Records suggesting an individual is under investigation for a suspected offence.
Processing this data is allowed only under specific conditions, such as for carrying out official duties or when the law authorises it. This approach mirrors the protection of sensitive personal data under the GDPR. The goal is to prevent misuse and discrimination.
For example, imagine the risks if companies could process criminal offence data without restrictions. It could lead to privacy intrusions and unfair discrimination against individuals. These rules are in place to safeguard individuals from such potential misuse of their personal information.
Confidential Personal Data
Confidential personal data is not explicitly categorised in the GDPR but is a critical concept. This category includes information like wealth, salary, or national identification numbers—details typically not intended for public disclosure.
Recognising and classifying confidential personal data is important for thorough data mapping, risk assessments, and GDPR compliance. It also guides the implementation of appropriate safeguards in data processing, ensuring enhanced protection for personal data when it should remain confidential.
Other Data Categories
To clarify the concept of personal data, it is helpful to consider other categories, such as business data, and their relation to personal data.
Business Data
Business data refers to information about a company’s operations, like financial records, market activities, sales figures, and customer demographics. It focuses on business performance and provides insights into market trends and customer behaviour.
While primarily business-oriented, this data often intersects with personal data. For instance, customer and employee data are an essential part of marketing strategies and human resource management and, therefore, fall within the scope of GDPR compliance.
Companies must pay special attention to the personal data within their business operations to ensure GDPR compliance. Effective data mapping, as part of the records of processing activities mandated by Article 30 of the GDPR, helps accurately identify, document and handle this overlap of personal and business data.
Aggregate Data
Data aggregation involves merging individual data points to identify patterns or trends while obscuring personal details. For instance, calculating a region’s average income from many individuals’ earnings results in data that reflects trends without revealing specific contributions.
National statistics offices often use aggregate data to depict a country’s demographics or economic status. Although starting with personal data, the final aggregated form is anonymised and shouldn’t disclose personal details.
In contrast to personal data, which details identifiable individual attributes, aggregate data focuses on broader group patterns. Its applications range from market analysis to demographic studies, differing from individual-focused usage in targeted advertising or customer service.
While typically not a privacy concern, aggregate data can pose risks if the dataset lacks diversity or the population size is small, potentially allowing for the identification of individuals.
The GDPR doesn’t regulate aggregate data per se due to its non-identifiable nature. Still, the initial personal data must be handled correctly during aggregation to prevent possible re-identification.
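The small-population risk described above, and the earlier point that combining criteria such as occupation and place of residence can single a person out, shown as an added Python example (not from the original article). The records are constructed, the function names are hypothetical, and the minimum group size of 5 is an assumed threshold that neither the article nor the GDPR prescribes.

```python
from collections import defaultdict

# Constructed sample records; no real people or places.
SAMPLE = [
    {"town": "Northby", "occupation": "teacher", "income": 40000},
    {"town": "Northby", "occupation": "teacher", "income": 41000},
    {"town": "Northby", "occupation": "teacher", "income": 42000},
    {"town": "Northby", "occupation": "teacher", "income": 43000},
    {"town": "Northby", "occupation": "teacher", "income": 44000},
    {"town": "Northby", "occupation": "surgeon", "income": 120000},
    {"town": "Isle", "occupation": "farmer", "income": 30000},
]


def group_incomes(records, keys):
    """Collect incomes per combination of the given attributes."""
    groups = defaultdict(list)
    for record in records:
        groups[tuple(record[k] for k in keys)].append(record["income"])
    return groups


def publish_averages(records, keys, min_group_size=5):
    """Average income per group; groups below the threshold are suppressed.

    min_group_size=5 is an assumed value for illustration only.
    """
    published = {}
    for group, incomes in group_incomes(records, keys).items():
        if len(incomes) >= min_group_size:
            published[group] = round(sum(incomes) / len(incomes))
        else:
            published[group] = None  # too few contributors to publish safely
    return published


def singled_out(records, keys):
    """Groups with one member: their 'average' is that person's own income."""
    groups = group_incomes(records, keys)
    return sorted(g for g, incomes in groups.items() if len(incomes) == 1)


if __name__ == "__main__":
    print(publish_averages(SAMPLE, ["town"]))
    print(publish_averages(SAMPLE, ["town", "occupation"]))
    print(singled_out(SAMPLE, ["town", "occupation"]))
```

Adding a second attribute splits the six Northby residents into a group of five and a group of one, so a table that was safe at town level becomes identifying at town-and-occupation level.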
Common Misconceptions
There are many misconceptions about what personal data is or is not. In the following, you will find some examples of personal data, which are often mistaken for not being personal data.
Voice recordings from customer service interactions or through virtual assistants are classified as personal data because they can reveal the identity of the person speaking.
Notes with handwriting that include personal remarks or styles unique to an individual are personal data due to their identifiable nature.
Business registration numbers are considered personal data when they link directly to sole proprietors. A business registration number is also personal data where the business name includes the owner’s name.
Personal details listed in public registers maintain their status as personal data despite their public availability due to the identifiable information they contain.
Email addresses provided to employees for work-related communication hold personal data status if the employee can be identified, regardless of whether the address includes the individual’s name. A work email address is usually tied to a person. Therefore, communication via that email address is considered personal data.
Images of individuals displayed on company websites are recognised as personal data because they allow for identifying those pictured.
Biometric information for securing workplace access, such as fingerprints or facial recognition, is considered sensitive personal data.
Security footage showing identifiable individuals is treated as personal data even when it captures scenes in public areas.
Information about employees gathered for administrative purposes is personal data, even if it appears to be a routine business record.
Responses on feedback forms carry the label of personal data when they contain details that can identify the individual providing the feedback.
Case Study: Consultancy Company
To illustrate that personal data is processed in many different ways and by many kinds of companies, let us look at a regular consultancy business as an example.
Personal Data in Consultancy
In consultancy, personal data can be processed in many ways, which you might not think of from the outset:
Consultants keep a list of client contact information like names, addresses, and ways to get in touch. This helps them stay connected and reach out when needed.
Consultants would compile client profiles, capturing their business requirements and relevant personal preferences to fulfil their service to the client.
The skills and qualifications of the consultancy’s staff are matched with the right client projects, which means they must handle employees’ professional information carefully.
A detailed history of conversations with clients, through emails, calls, or meetings, is maintained to keep improving how they work with each client.
Consultants document the sales and client acquisition processes in their CRM system, from initial contact to successful onboarding, noting any individualised interactions or modifications requested by the client.
Client feedback is kept in the CRM system to ensure the consultancy’s service meets the client’s needs.
Notes from meetings and site visits are taken to build a better connection with the client and help plan for the future.
Information from customer research is analysed and helps understand what different people like and do, which consultants use to make strategies that speak to their clients.
Summary
The foundation of being GDPR-compliant is to identify when you process personal data in your work.
Your knowledge of what constitutes personal data will enable you to act against the incorrect processing of personal data, help your company progress towards compliance, and improve the trustworthiness of the company.
In this article, we have thoroughly covered the definition of personal data and the different categories of personal data, and it serves as a resource you can come back to whenever you need clarification on what personal data is.
In our awareness training “What is personal data?”, you will find an easily accessible training of 5 videos suitable for colleagues without prior knowledge of the GDPR.