What does the GDPR mean by personal data?

Updated 12 November 2022

Personal data is at the heart of the EU General Data Protection Regulation (GDPR), but many people are still unsure exactly what ‘personal data’ refers to. There’s no definitive list of what is or isn’t personal data, so it all comes down to properly interpreting the GDPR’s definition:

Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).

In other words, any information that is clearly about a particular person. But just how broadly does this apply? The GDPR clarifies:

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

That’s an awful lot of information. In certain circumstances, someone’s IP address, hair colour, job or political opinions could be considered personal data.

The qualifier ‘certain circumstances’ is worth highlighting, because whether information is considered personal data often comes down to the context in which data is collected. Organisations usually collect many different types of information on people, and even if one piece of data doesn’t individuate someone, it could become relevant alongside other data.

For example, an organisation that collects information on people who download products from their website might ask them to state their occupation. This doesn’t fall under the GDPR’s scope of personal data, as, in all likelihood, many people have that occupation. Similarly, an organisation might ask what company they work for, which, again, couldn’t be used to identify someone (unless they were the only employee).

However, when collected together, these pieces of information could be used to narrow down the number of people to such an extent that in many instances you could reasonably establish someone’s identity.

Of course, that’s not always the case. For example, knowing that someone is a barista at Starbucks doesn’t narrow things down much. In that instance, the data would need to be combined with more information, such as the person’s name.

You might think that someone’s name is always personal data, but it’s not that simple, as the UK’s Information Commissioner’s Office explains:

By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.

However, it also notes that names aren’t necessarily required to identify someone:

Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.

read the full article here: https://www.itgovernance.eu/blog/en/the-gdpr-what-exactly-is-personal-data

Aegir Digital is registered with the Information Commissioner’s office (ICO) and its registration number is ZA905214.

Published 10 June 2018
Category: Blog

Leave a Reply