You might have read a lot about the General Data Protection Regulation (GDPR) and its territorial scope. No? Then highly recommend going through our guide to GDPR. GDPR’s terrestrial scope is so broad that many organizations, in or outside the EU, that deal with EU residents and citizens (data subjects) must comply with it. However, not all of them have to. Only organizations that collect and process “personal” data of data subjects are obliged to follow the Regulation standards. However, personal data covers a lot of things. This article will try to break it down for you and also discuss the special category of personal data.
Definition of Personal Data
Article 4 of GDPR defines personal data as:
"[...] any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
Personal data refers to any information that can identify a data subject, alone or with other data. For example, name, age, phone number, bank details, email addresses, login credentials, IP addresses, cookie identifiers, location, identification numbers, etc. Thus, it has a broad classification.
An important point to consider here is that information related to a deceased person is not subject to the GDPR.
You can only process personal data if they satisfy one of the six lawful bases of the processing.
Special Categories of Personal Data
Special categories, also known as ‘sensitive personal data,’ are those that require special and higher levels of protection. These include data related to:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data;
- sex life; or
- sexual orientation.
Processing of sensitive data is allowed only under the following conditions:
- You have explicit consent from data subjects to process the data.
- For carrying out obligations relating to employment, social security, or social protection law.
- To protect the vital interests of a data subject who is incapable of consenting.
- To carry out the processing by a not-for-profit body. But, there must be no disclosure to a third party without consent.
- Data made public by the data subject.
- Necessary for the establishment, exercise or defense of legal claims or judicial acts.
- Necessary for reasons of substantial public interest based on Union or Member State law.
- For health or social care or treatment or management of health or social care systems and services based on Union or Member State law or a contract with a health professional.
- For public health, such as to protect against threats to health or ensure high standards of healthcare and medicinal products or medical devices.
- Necessary for archiving in the public interest, or scientific and historical research or statistical purposes per Article 89(1).
You must consider all factors to determine whether the information you have could constitute personal data. Details, such as the content of the data, the purpose of processing, and the result or effects on data subjects from processing the data, must be analyzed to decide. Anything that will contribute to identifying a natural person is personal data.
Disclaimer: The purpose of this article is to share general information with the readers. It does not represent legal advice. Therefore, for any legal counsel, please contact your legal team.