On 25 May 2018, the General Data Protection Regulation (GDPR) came into force across the European Union. The new Regulation provides a broader definition of personal data with respect to its predecessor, the Data Protection Directive (DPD), and has rapidly become a standard for the processing of personal data not only in Europe but on a global scale.
The new scope offered to the concept of “personal data” reaffirms one of the GDPR’s main objectives: protecting the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data. In this sense, to ensure that every establishment that processes personal data in the Union, either as a data controller or as a data processor, complies with the provisions established in the Regulation, stiffer fines have been established for infringers.
For example, Article 83(6) states that “non-compliance with an order by the supervisory authority… shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”.
Thus, it is not surprising that, to this day, the amount of GDPR fines has reached a total of 144 866 145 EUR, according to Privacy Affairs’ GDPR Fines Tracker & Statistics tool.
Understanding the definition of personal data is, therefore, the first step organisations should follow to comply with the Regulation and avoid being subject to a costly mistake. In this regard, Article 4(1) of the GDPR defines personal data as any information related to an identified or identifiable natural person. But what does “identifiable” mean here?
The same article goes on to point out that an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier, to an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The Article 29 Working Party, replaced on 25 May 2018 by the European Data Protection Board, addresses the situation of identifiable individuals in detail in its Opinion 4/2007. So, let’s get a better understanding of this.
Throughout Opinion 4/2007, the Article 29 Working Party repeatedly reiterates the lawmaker’s intention of a wide notion and interpretation of personal data. From the Article 29 Working Party’s standpoint, choosing the term “any information” to refer to what can fall under the scope of personal data signals the willingness of the legislator to design a broad concept of personal data. Moreover, with the aim of providing a better understanding of personal data, Opinion 4/2007 addresses it from different viewpoints.
From the point of view of the nature of the information, personal data covers both objective information, such as the presence of certain substances in the blood, and subjective information, such as opinions or assessments. If we consider the format or the medium on which the information is contained, personal data includes information available in any form, e.g., alphabetical, numerical, etc.
In addition, as explained in Recital 15 and in Article 2(1) of the GDPR, the protection of natural persons should be technologically neutral, meaning that the Regulation must apply to the processing of personal data by automated and manual means, as long as the personal data is contained or is intended to be contained in a filing system.
Lastly, from the point of view of the content of the information, the concept of personal data includes data providing any sort of information. This information need not be limited to the individual’s private and family life to fall under the scope of personal data, and this is where “identifiers” come into play.
Identifiers, as the name suggests, are pieces of information from which an individual can be identified, as they hold a privileged and close relationship with the data subject. One aspect that must be emphasised is that Article 4(1) of the GDPR does not offer a restrictive list of identifiers but a series of examples, e.g., name, identification number, location data, etc., that could serve to identify an individual, i.e., a natural person.
Likewise, Recital 30 of the GDPR refers briefly to online identifiers as those provided by devices, applications, tools and protocols, such as internet protocol addresses and cookie identifiers, that could also lead to the direct or indirect identification of an individual.
Following this logic, the Article 29 Working Party has rightly indicated that the extent to which some identifiers are sufficient to identify an individual depends, at least most of the time, on the context of the particular situation. This highlights the importance of contextualisation for data protection compliance.
Now that the concept of personal data has been explained, it is important to address the categorisation of personal data. In this respect, Article 9(1) of the GDPR, on the processing of special categories of personal data, refers to personal data which are particularly sensitive in relation to the risk they pose to the fundamental rights and freedoms of data subjects. Those personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic and biometric data, and data concerning a natural person’s sex life or sexual orientation. A presentation of these can be found in the figure below. It is worth mentioning that processing such data is prohibited unless specific consent has been given by the data subject or under a series of circumstances that are out of the scope of the present article.
Keeping the above in mind, Article 9(1) of the GDPR is the only article of the Regulation that provides a closed categorisation of personal data, but this article only refers to personal data which are particularly sensitive, as explained before. Legal doctrine, on the other hand, has not agreed on a single categorisation. Yet some categories can be extracted from the General Data Protection Regulation (GDPR) as well as from Opinion 4/2007 of the Article 29 Working Party, such as “data concerning private and family life”, “working relations”, “economic behaviour”, “living traits”, “physical characteristics”, among others.
Following this line, some additional examples of categories of personal data include “knowledge and beliefs”, “personal preferences”, “life history”, “ownership information”, “credit information”, “identification information”, “ethnicity”, “sexual information”, “behavioural”, etc. But it is not possible to consider a fixed and closed categorisation of personal data that could be taken as a reference, except in the case of the sensitive personal data listed in Article 9(1) of the GDPR.
The information that could be included in one of the mentioned categories (or in other categories) will only be considered personal data if it can be linked to an identified or identifiable person. In many cases, a single word, e.g., blonde, that could be included in the “physical characteristics” category cannot by itself identify a person, but different pieces of information, when collected together, can lead to the identification of a particular person.
For further details about the main aspects regarding the General Data Protection Regulation (GDPR), we invite you to refer to our deliverable D5.1 – Data Protection and GDPR Requirements.
- ICO: What is personal data
- IAPP: Categories of personal data
- Bird & Bird: Sensitive data and lawful processing
- I-Scoop: Personal data protection: data subject, personal data and identifiers explained
Legal specialist and Project Manager at Rooter
Legal Consultant at Rooter