General Data Protection Regulation

What is being considered as “personal data” under the General Data Protection Regulation?

According to Article 4(1) of the ‘GDPR’ (General Data Protection Regulation) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). 

  1. In order to define when the information will be considered as personal data, the three elements of nature, content and format noted below, would need to be examined.‘Nature’ includes any type of statement about a person, which can be both objective and subjective.  The information does not need to be true in order to be considered as personal data.
  2. ‘Content’ includes any type of information about an individual’s private life and any activity undertaken by them; both professional and public.  It is important to be noted that a person’s contact information at their place of work will be personal data in the same way as their personal telephone number or home address.  Furthermore, information that constitutes an ‘online identifier’, such as an IP address, or the cookie may be used to form a person’s profile and identify them, and therefore be considered as personal data.
  3. ‘Format’ includes information that such available in any form. The GDPR expressly applies to information processed by automated means as well as by manual means if “for part of a filing system”.

The term ‘relating to’ means that for information to be personal data, it must be about an individual.  Information about objects, processes or events may still be personal data provided that certain conditions are met.

For personal data to be about an individual, one of the below features of ‘content’, ‘purpose’ and ‘result’ must apply: 

  1. ‘Content’ refers to information that is about an individual in the most common sense of the word;
  2. ‘Purpose’ refers to information that is being processed to evaluate, consider, and analyse the individual in a specific way;
  3. ‘Result’ refers to when the processing of certain information has an impact on the individual’s rights and interests.

The term ‘identified or identifiable’ refers to when it is possible to be identified.  A person can be identified directly by name or indirectly, namely by an identification number or IP address.  Also, a person can be identified because the information is put together with other pieces of information, to allow the individual to be distinguished from others.

To determine whether means are reasonably likely to be used to identify the individual, account needs put to all objective factors.  These can be for example the cost of and the amount of time required to identify the individual, taking also into account the technology available at the time of processing and any technological developments.  It is worth noting that a hypothetical possibility would be not sufficient to make the individual identifiable.

SENSITIVE DATA

Special categories of personal data or sensitive data refers to information disclosing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation”.

It is worth to be noted that photographs will only be covered by the definition of biometric data when they processed through specific technical means that allow the unique identification or authentication of an individual as a natural person. Videos can constitute biometric data if specific technical processing relating to the physical, physiological, or behavioural characteristics of a person allowing or confirming the unique identification of that person.

GENETIC DATA

Genetic data refers to personal data relating to – the inherited or acquired genetic characteristics of a natural person which give unique information about his physiology or the health and which result in particular, from an analysis of his biological sample.

DATA RELATING TO HEALTH

It refers to personal data that relate to the past, current or future physical or mental health status of a natural person, including:

  1. Information collected in the course of the registration form, or the provision of, health care services;
  2. Information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples;
  3. Any information, for example, a disease, disease risk, disability, medical history, clinical treatment, or the physiological or biomedical state of the data subject (independent of its source) from a physician or other health professional, a hospital, or an in vitro diagnostic test;
  4. A number, symbol or particular assigned to a natural person to uniquely identify them for health purposes.

The content of this article is intended to provide a general guide to the subject matter and does not constitute legal advice.

For any additional information, please contact us at [email protected] or at +357 22 42 11 90.