The General Data Protection Regulation applies to Personal Data. But do we know what exactly defines Personal Data? The UK ICO recently published a clarification document.
First limitation, it does not include legal personalities. Natural person, are living people in contrast with legal entities or organisation. They are technically labelled “Data Subject’.
‘That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.’ this is where it gets more complicated and contextual.
The GDPR only applies to information which relates to an identifiable living individual. Consequently, information relating to a deceased person does not constitute personal data and therefore is not subject to the GDPR unless the EU country has opted to include them.
The processing of Personal Data covers a large variety of acts from collect, to copy to store the data.
The processing don’t need to be electronically, there are two majors ways of processing:
- personal data processed wholly or partly by automated means (that is, information in electronic form); and
- personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).
The ICO further adds : “The GDPR does not cover information which is not, or is not intended to be, part of a ‘filing system’. However, under the Data Protection Act 2018 (DPA 2018) unstructured manual information processed only by public authorities constitutes personal data. This includes paper records that are not held as part of a filing system. While such information is personal data under the DPA 2018, it is exempted from most of the principles and obligations in the GDPR and is aimed at ensuring that it is appropriately protected for requests under the Freedom of Information Act 2000.”
Further guidance on the provisions of the DPA 2018 is awaited.
Here is more clarification from the EU Commission.
Examples of personal data
- a name and surname;
- a home address;
- an email address such as firstname.lastname@example.org;
- an identification card number;
- location data (for example the location data function on a mobile phone)*;
- an Internet Protocol (IP) address;
- a cookie ID*;
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
Within identifiable data qualified as Personal Data, they are the special categories, previously called ‘Sensitive Data’ tat requires further cautious and a higher level of protection. these will be data with regard to :
- ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where this is used for identification purposes);
- health data;
- sex life; or
- sexual orientation.
What about pseudonymised or anonymised Personal Data ?
The GDPR defines pseudonymisation as:
The EU Commission explains :
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
Here is an example provided by the UK ICO