The General Data Protection Regulation (GDPR) is a European law on data protection and privacy for citizens of the European Union. It predominantly addresses personal data. However, many people don’t understand what this means under the GDPR. We break it down below, to ensure that you accurately understand what it contains.
Definition of personal data
A section of the GDPR defines what personal data entails. It includes any information that is related to an identified or identifiable person. If a person can be recognised through any identifier it may be considered personal. This includes:
- Name.
- Location data.
- Identification number.
- Online identifier.
In short, if an individual can be identified through any kind of data, it falls within the definition.
How deep does this extend?
The definition includes ‘any information’. Thus, the definition needs to be interpreted broadly. Numerous cases have proven this, considering less explicit information such as recordings of employee’s shift times, break times and IP addresses. It even includes written information on a test.
Personal data doesn’t need to be objective. Subjective information such as opinions, judgements or even personal estimates may constitute personal data.
Does it only extend to people?
Part of the definition includes ‘identified or identifiable persons’. It must be a natural person. Therefore, these laws do not protect information about businesses, corporations or institutions. However, natural people have capacity under the definition from the moment they are born, to the moment they die.
When is data not personal?
Data that has been made anonymous to the extent that an individual is not identifiable is when it ceases to be personal data. There must be no link between the data, and the person it belongs to. If there is even a hint that it belongs to the person, then it may be classed as personal.
Final thoughts
Before understanding how the law operates, it’s necessary to understand what kind of information the law is built to protect. Personal data is any data that may attributed to a natural person. To ensure you meet these requirements, a GDPR Privacy Policy is specifically created to abide with this framework for your business. For further enquiries on the topic, a privacy lawyer may be able to assist.
