Welcome to Tilderist’s series of guides! Here you will find all the necessary information for any subject you might be interested in. Today we will focus on the concept of personal data. Have a good read!
What will we touch on in this post?
- What is personal data?
- Examples of personal data
- Information not considered personal data
- What is personal data processing and who is responsible for it?
- Under which conditions can personal data be processed?
- Is processing always lawful or do certain requirements need to be met?
- Providing information about processing to the users
- Conclusions
What is personal data?
Any information relating to a person (the data subject) through which that person is identified or identifiable is considered personal data.
It is, however, possible that the data have been anonymised or pseudonymised. In this case, if it’s possible to re-identify the person through them, they continue to be considered personal data and are protected as such.
Examples of personal data:
- Name and surname
- Home address
- E-mail address such as name.surname@company.com
- National identification number
- Bank account details
- Location data (GPS on a mobile phone)
- Financial details (VAT identification number, SSN, accounting information etc.)
- Internet Protocol (IP) address
- Data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
Besides these data, there is another category of personal data, related to people’s fundamental rights and freedoms, which merits specific protection by law. It is called “sensitive personal data” and covers the following:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Genetic and biometric data (processed solely to identify a human being)
- Health-related data
- Data concerning a person’s sex life or sexual orientation
- Criminal convictions and offences, when authorised by EU or national law
You can read more in our specialized “Sensitive Personal Data” article.
Information not considered personal data
- Company registration number
- Anonymised data (that cannot re-identify a person)
- E-mail address such as info@company.com
What is personal data processing and who is responsible for it?
According to Article 4 of the GDPR, personal data processing is any operation that wholly or partially relates to:
- collection, which can be done by creating a profile or signing up to your company’s website or newsletter or else by expressing a preference for certain products or services while browsing the website. It is important to remember that personal data can be collected only when there is a legitimate reason or purpose, which is connected to the services your company provides to the user (e.g. when the company asks for the subject’s e-mail and some basic information for their registration on the company’s or organisation’s website)
- recording (e.g. recording a call with a customer)
- organisation, structuring (e.g. creating a folder with personal data organized in categories, creating a file with recorded calls alphabetically organized)
- storage (e.g. storing IP or MAC addresses)
- adaptation
- alteration (e.g. discovering a mistake in the e-mail of a customer)
- retrieval (e.g. retrieving a former customer’s data from an electronic database in order to promote offers)
- consultation
- use (e.g. to improve customer experience, to develop effective marketing strategy for the company, to secure data against theft and hacking into the user’s account, to facilitate payroll administration for a company’s employees)
- disclosure by transmission or publication of data, in other words disclosure to third parties, for example in the case of an emergency (e.g. sharing information with the police). Primarily, only employees of the enterprise have access to personal data, in particular the controller or the processor. In general, however, data can be shared with any person the users have consented to. As a company, you should follow some best practices when publishing data, in order for the sharing to be lawful. Learn more about these practices in our article about posting personal data.
- dissemination or otherwise making available (e.g. posting a person’s picture on a website)
- alignment
- combination
- restriction (e.g. limiting the processing to specific data for specific purposes)
- erasure (e.g. when the data subject deletes their account on your company’s website)
- destruction of data (e.g. from files related to former customers)
All the operations above can be done either automatically or manually. To learn more about this subject, head over to our article on data processing.
It should be noted here that processing sensitive personal data is strictly prohibited, unless some specific conditions apply.
The processing is done by the data controller, who determines the purposes for which and the means by which personal data is processed, and the data processor, who protects and processes data only under the controller’s guidance.
One more obligation the data controller has is making sure the parent or guardian has given explicit consent to the processing of a minor user’s data.
This consent is required when a minor’s personal data is used for marketing purposes or for creating a user/visitor profile and also when children are directly provided services that collect their personal data.
Without the parent or guardian’s consent, processing the personal data of a user under 16 years old will not be lawful.
You can find more details in our articles “Minors in the Internet” and “Minors and GDPR”.
Under which conditions can personal data be processed?
Whether your company can process personal data or not and to which extent is determined by the reason and purpose of this processing. In any case, you should always keep in mind the principles governing the processing:
- Principle of lawfulness, fairness and transparency: Personal data needs to be processed lawfully and transparently, while the data subject must be kept informed in a clear and understandable manner.
- Principle of purpose limitation: Specific, explicit and legitimate data processing purposes are required, and no further processing that is incompatible with these purposes should be done.
- Principle of data minimisation: Only the data necessary for achieving the pursued aim should be used during the process.
- Principle of data accuracy: Your company is required to verify the accuracy and clarity of the data. If these cannot be verified, the data must be corrected, erased or updated.
- Principle of storage limitation: The data should be stored by the company only for the time period necessary for achieving the processing purpose.
- Principle of integrity and confidentiality: Your company should take the organisational and technical measures necessary for the protection of data against unlawful processing, destruction or damage.
- Principle of controller’s accountability: The controller is responsible for implementing all the principles above during the processing.
You can read more about these principles in Article 5 of the GDPR.
Example
Your company/organisation owns a travel agency. The moment it gains access to its users’ personal data, you must keep them informed about why you are collecting their personal data, how you will use it and for how long you plan to store it, all in simple and easy-to-understand language.
In other words, the data processing must be done in a way that implements all the necessary principles above.
Is processing always lawful or do certain requirements need to be met?
One of the following statements must be true for the processing to be allowed:
- The data subject has given consent
According to the GDPR, consent is defined as the freely given, specific, informed and unambiguous agreement of the data subject to the processing.
The request for consent should be formulated clearly, accurately, and simply so that the subject fully understands what kind of processing he or she consents to. Consent may be given by a written statement, including by electronic means, or by an oral statement.
It is equally important to keep in mind that the data subject has the right to withdraw their consent to the processing of their data at any given moment.
For example: Your company/organisation has created a music app and asks for its users’ permission to access their music preferences in order to recommend similar songs and live shows to them (for more information on this subject, check out our article about GDPR consent requirements).
- Processing is necessary for executing an obligation related to the data subject that the company has undertaken
For example: Your company/organisation sells a variety of products on the internet. For this reason, it has gained access to the users’ data necessary for providing services before entering a contract or for forming a personalized obligation for each customer. It can, therefore, have access to their name, the delivery address of the product, the credit card number (if payment by card was selected), etc.
- Processing is necessary for the controller’s compliance with an obligation which is required by law
For example: Your company/organisation needs to provide data, such as the weekly payroll of its employees (which is considered their personal data), to the relevant department in order to receive the necessary social security.
- Processing is necessary in order to protect the vital interests of the data subject
For example: A hospital has a patient who has just been in a very serious car accident. The hospital doesn’t need their or their closest relative’s consent for obtaining the patient’s medical history in order to ensure their best recovery.
- Processing is necessary for exercising official authority or for performing a task carried out by the controller in the public interest
For example: A trade association, e.g. the chamber of medical professionals, has been entrusted by an official authority with the initiation of disciplinary proceedings against some of its members.
- Processing is necessary for pursuing the legitimate interests of the controller or a third party, to whom the data is being published
In this case, the interest outweighs the data subject’s personal data, as long as the fundamental rights and freedoms of your subject are not significantly affected.
For example: Your company/organisation guarantees a level of security within it by monitoring the websites visited by its employees.
Your company/organisation can lawfully process personal data for these purposes only when it chooses the least intrusive way which respects the privacy and protects its employees’ data, e.g. by restricting the accessibility of employees to certain websites.
Of course, this doesn’t apply to EU member states whose laws usually set stricter limits on processing in the workplace. This is why particular attention is required when data is transferred outside of the European Union.
In this case, the company should consult the Official Journal of the European Union, which publishes a list of the third countries, territories, specific sectors within a third country and international organisations for which the EU has decided whether an adequate level of protection is ensured.
Learn more in our article “Data transfer to third countries”.
If at least one of the above conditions doesn’t apply, there is a risk of a personal data breach.
In broad terms, we could define a data breach as the inability to show the required respect for someone’s right to keep their personal data (such as their name, age, address, profession, etc.) secret and to manage it in an exclusive manner and at their discretion.
This infringement could result in the loss, destruction or disclosure of the data to third parties. For this reason, it’s deemed necessary for a company to take some security measures. These measures will be described in the security policy, a document designed by the controller, which will include all security objectives and corresponding procedures to be followed in order to achieve these objectives.
Read more about security measures in the relevant article.
As users, we can also protect ourselves from an infringement of our personal data, for example by using strong passwords or checking the privacy settings on our profiles.
Learn more about how you can protect yourselves in our article “Protection and Infringement of Personal Data”.
Providing information about processing to the users
Your company must provide its users with specific information about the processing in a transparent and comprehensible way, in clear and plain language, by creating a privacy policy.
This is a legal document that defines how the personal data of both customers and employees of your company/organisation is collected, processed and used.
More specifically, a privacy policy should contain:
- your company’s identity
- the legitimate reason
- the data processing purpose
- the data controller’s details
- the legitimate purpose pursued by the processing
- the data subject’s rights. Some of these rights include the right to erasure or the right to be forgotten, the right to rectification of personal data and the right to restriction of processing. You can find out more about each right in our article “Rights of the data subject”.
- the means of withdrawing the subject’s consent (when it’s necessary for processing)
- the period for which the data is stored
The purpose of the privacy policy, beyond protection, is to limit the collection of personal data to the information necessary for the fulfilment of the company’s activities, which must be covered by a legitimate purpose.
For more information about privacy policy, take a look at our article about privacy policy.
To conclude…
Having read this guide, you now have all the necessary information regarding personal data. If you’d like to know more about your online presence, you only have to read our other guides about privacy policy, terms of use and cookies!