What is Personal Data? The European Commission answers this question
The General Data Protection Regulation (or GDPR), which comes into effect on 25 May 2018, is an EU Regulation on the protection of natural persons with regard to the processing of personal data. But what is personal data – you would think an easy question to answer, perhaps not so, and the European Commission has now put together a set of FAQs in respect of the reform of EU data protection rules, in order to provide further clarity on what is considered to be personal data.
Under the GDPR, personal data means any information relating to “an identifiable living individual who can be directly or indirectly identified, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.” So are you clear? Yes / No?
The European Commission’s answer highlights that when a combination of separate pieces of information can lead to the identification of a particular individual, those separate pieces of information will be deemed to be personal data. The answer also provides illustrative examples of data considered and not considered to be personal data. Some of the examples reflect the definition outlined above, for example:
- name and surname;
- an identification card number;
- location data (e.g. the location data function on a mobile phone).
However, the European Commission have provided further clarity by stating that an e-mail address in the form email@example.com such as firstname.lastname@example.org and data held by a hospital or doctor which could be a symbol that uniquely identifies a person, will also be considered to be personal data.
In contrast, and as expected, an e-mail address in the form email@example.com or a company registration number are examples of data not considered to be personal data since such data would identify a company and not an identifiable living individual.
The answer also considers the position in relation to pseudonymised and anonymised data. Data which has been pseudonymised, but which can be used to “re-identify” an individual, continues to fall within the definition of personal data. For example, a symbol held by a hospital or doctor which uniquely identifies a person, as mentioned above. Only where data has been de-identified in such a way that the individual can no longer be identified (i.e. where the anonymisation is irreversible) will it no longer be deemed to be personal data.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs and/or sign up to our newsletter to keep up to date with the latest GDPR news and developments.
This article was co-written by Rhea McKenzie (firstname.lastname@example.org).