In today’s digital world, personal data has become a valuable asset and a major concern for both individuals and organizations. As a consequence, European data protection law emerged.
The General Data Protection Regulation (GDPR), introduced by the European Union (EU) on May 25, 2018, plays a key role in protecting the privacy and rights of EU residents with regard to their personal data. More details about the GDPR, your potential obligations, and the applicable fines can be found in our publications.
The purpose of this article is to shed light on what constitutes personal data under the GDPR, as well as to whom the GDPR applies.
Personal data, as defined by the GDPR, is any information relating to an individual, called the data subject, that allows them to be identified. This information may be directly associated with an individual, such as their name or location, or indirectly associated with them through identifiers such as physical, genetic, or social characteristics.
The definition of personal data is broad, and the range of data it covers is broader still. Although certain information cannot identify a specific person by itself, when combined with additional data elements it can lead to the identification of that person, which means that even seemingly “harmless” information can be classified as personal data.
The GDPR sets out the principle that you may not collect more data than is actually necessary to provide the service and to comply with legal requirements. Control over what personal data is collected from data subjects, by what methods, how transparent those methods are, and whether consent was obtained and the data subject properly notified, is exercised by the competent supervisory authorities, a list of which can be found via the link.
A violation of the duties owed to the data subject gives rise to liability in the form of substantial fines. You can find out more about fines for non-compliance in our article: “GDPR. Scope of application. Who should conform”.
If the answer to any of the above questions is yes, then the data or data set is considered personal data. Essentially, if there is even a slight possibility of identifying an individual, with or without the aid of additional data elements, or if a residual risk of re-identification remains after de-identification, the data set falls into the category of personal data.
Common examples of personal data include names, identification numbers, addresses, IP addresses, phone numbers, email addresses, license plates, internet traffic data, cookies, and even hair color.
More specifically, according to the GDPR, personal data covers various categories of data, such as:
It is important to note that data protection principles apply only to individuals. The GDPR emphasizes that, for data to be considered personal, it must relate to a natural person. The law therefore does not apply to legal entities.
Understanding the breadth of the GDPR’s definition of personal data is critical to complying with data protection rules and respecting individuals’ right to privacy. Following these guidelines will help organizations ensure that personal data is handled responsibly and build trust with their clients and customers.