What is GDPR? Definition of personal data.

In today’s digital world, personal data has become a valuable asset and a major concern for both individuals and organizations. As a consequence, European data protection law emerged.

The General Data Protection Regulation (GDPR) is a general data protection regulation introduced on May 25, 2018, by the European Union (EU), and plays a key role in ensuring the privacy and rights of EU residents regarding their personal data. More details about the GDPR and your potential obligations, as well as fines, can be found in our publications. 

The purpose of this article is to shed light on what constitutes personal data under the GDPR, as well as to whom the GDPR applies.

Personal data, as defined by the GDPR, is any information relating to an individual, called the data subject, that allows him to be identified. This information may be directly associated with an individual, such as their name or location, or indirectly associated with them through identifiers such as physical, genetic, or social characteristics.

The broad definition of personal data includes an even broader range of data itself. Although certain information by itself cannot identify a specific person, when combined with additional data elements it can lead to the identification of that person, which allows even seemingly “harmless” information to be classified as personal data.

The GDPR sets out a certain principle that you cannot collect more data than is actually necessary to provide the service and comply with legal requirements. Control over what personal data of subjects is collected, by what methods, the transparency of such methods, as well as the presence of consent and proper notification of the data subject, is checked by competent authorities, a list of which can be found via the link.

What is personal data according to GDPR?

A violation of the duties owed to the data subject will result in liability in the form of a large fine. You can find out more about fines for non-compliance with policies in our article: “GDPR. Scope of application. Who should conform”.

To determine whether the information relates to personal data, the Council for the Protection of Personal Data under Art. 29 GDPR provides specific standards for this determination:

• Definition: Is it possible to identify a person from this data?
• Connectivity: Can data be linked to specific online information related to a person?
• Inference: Is it possible to make a conclusion or inference about whether the data belongs to a particular person?

If the answer to any of the above questions is yes, then the data or data sets will be considered personal data. Essentially, if there is even a slight possibility of identifying an individual with or without the aid of additional data elements, or if there remains a residual risk of re-identification after de-identification, the data set falls under the category of personal data.

Common examples of personal data include names, identification numbers, addresses, IP addresses, phone numbers, email addresses, license plates, internet traffic data, cookies, and even hair color.

More specifically, according to the GDPR, personal data covers various categories of data, such as:

• Basic identifiers: This category includes data such as names, addresses, telephone numbers, and email addresses that directly identify an individual.
• Data with “increased sensitivity”: The GDPR designates certain types of data as particularly sensitive and subject to more stringent protection measures. This includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of organizations, genetic data, biometric data, health data, and data relating to a person’s sex life or sexual orientation. Disclosure or leakage of such data could cause much greater harm to the subject of such data.
• Online ID: Data collected through cookies, IP addresses, device identifiers, and other online tracking mechanisms is also considered personal data under the GDPR if it can be linked to an identifiable natural person.
• Financial information: Personal data also includes bank details, credit card numbers, and other financial information that can determine a person’s economic status.
• Social media and behavioral data: Information obtained from social networking profiles, browsing history, and online behavior, if associated with an identifiable individual, falls under the concept of personal data.

Who is covered by the GDPR principles?

It is important that data protection principles only apply to individuals. The GDPR emphasizes that for data to be considered personal, it must relate to a person. Thus, the law does not apply to legal entities.

Understanding the breadth of the GDPR’s definition of personal data is critical to complying with data protection rules and respecting individuals’ rights to privacy. Following these guidelines will help organizations ensure that personal data is handled responsibly and build trust in their clients and customers.