Hi everyone. This week’s topic is the nature of personal data. When your company starts working towards GDPR compliance, you must begin by mapping your data estate. What kind of personal data does your company possess? How sensitive is this data? And on what grounds are you processing it? To answer these questions, you must know how personal data is defined in the GDPR.
How is ‘personal data’ defined under the GDPR?
The exact definition in the GDPR of personal data can be found in Article 4(1):
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What is new in this definition is that three identifiers have been added to it: names, location data (data with a geographic position attached to it), and online identifiers (IP addresses, mobile device IDs, etc.). Many companies already treated these types of data as personal data, but under the GDPR they are officially part of the definition of personal data.
When is personal data considered sensitive under the GDPR?
In Article 9(1), the GDPR lists a few types of personal data whose processing is prohibited unless specific conditions have been met:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Genetic or biometric data
- Health or sex life
These types of personal data can only be processed if specific conditions have been met, and should be processed with extra caution and safety measures. What is new about this definition is that the GDPR includes genetic and biometric data (gene sequences, fingerprints, facial-recognition data, etc.).
On what grounds can personal data be processed?
To process personal data, a data controller must meet at least one of the conditions found in Article 6 of the GDPR:
a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) Processing is necessary for compliance with a legal obligation to which the controller is subject;
d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Conditions (a), (b) and (f) are the ones most companies rely on to process personal data. Processing sensitive personal data, or what the GDPR calls ‘special categories of personal data’ in Article 9, is prohibited unless more specific conditions have been met. These specific conditions can be found in Article 9(2). In a later blog post we will elaborate further on the conditions for processing personal data and sensitive personal data.
Thank you for reading this entire blog post; it was a bit of a dry read. But it is an important aspect of the GDPR that will help you put our next blog posts in perspective. More (and more fun to read) posts will follow!