
The General Data Protection Regulation (GDPR) defines 'personal data' as any information relating to an identified or identifiable natural person. This includes data that can be used to directly or indirectly identify an individual, such as their name, identification number, location data, or online identifier. Personal data also includes special categories of sensitive data, such as genetic, biometric, and health data, as well as information revealing racial or ethnic origin, political opinions, and religious convictions. The processing of personal data is subject to the GDPR's privacy and security requirements, with organizations collecting, using, or storing personal data of individuals in the EU needing to comply with the regulations.
| Characteristics | Values |
|---|---|
| Objective information | Height, weight, etc. |
| Subjective information | Employment evaluations, creditworthiness, work performance, etc. |
| Direct identifiers | Name, identification number, location data, etc. |
| Indirect identifiers | Online identifiers, IP addresses, telephone numbers, etc. |
| Special characteristics | Physical, physiological, genetic, mental, economic, cultural, or social identity |
| Data format | Video, audio, numerical, graphical, photographic, etc. |
| Data source | Natural persons (not legal persons) |
| Data status | Alive (not deceased) |
| Data impact | Any information that can impact an individual |
| Data processing | Collection, recording, organisation, structuring, storage, etc. |
| Data protection | Encryption, pseudonymisation, etc. |
| Data sensitivity | Racial or ethnic origin, political opinions, religious convictions, trade union membership, etc. |

Direct and indirect identification
The General Data Protection Regulation (GDPR) defines 'personal data' as any information relating to an identified or identifiable natural person. This means that data is classified as personal data when an individual can be identified directly or indirectly. Direct identification is when an individual is clearly known, named, recognised, singled out, or discovered. Indirect identification, on the other hand, is when an individual can be identified relatively easily through additional means, such as by using online identifiers or other identifiers.
Online identifiers include IP addresses, internet usernames, social networking data, and login information. Other identifiers refer to elements that enable identification, such as a name, identification number, location data, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person. For example, information related to a person's job, hair colour, or political opinions could be classed as personal data, depending on the context in which the data was collected and whether the individual could be directly or indirectly identified.
It is important to note that the definition of 'personal data' should be interpreted broadly. This means that even less explicit information, such as work times, test answers, and examiner remarks can be considered personal data if the individual can be theoretically identified. Additionally, data that has been encrypted, de-identified, or pseudonymised but can still be used to re-identify an individual is still considered personal data.
Furthermore, the GDPR distinguishes between general personal data and special categories of personal data, also known as sensitive personal data. These include genetic, biometric, and health data, as well as data revealing racial and ethnic origin, political opinions, religious or ideological convictions, or trade union membership. This sensitive personal data is subject to a higher level of protection.

Objective and subjective information
Personal data, as defined by the EU's General Data Protection Regulation (GDPR), refers to any information that can be used to directly or indirectly identify a natural person. This includes both objective and subjective information. Objective information pertains to factual details about an individual, such as their height, date of birth, health status, salary, or biometric data. On the other hand, subjective information encompasses opinions, judgments, evaluations, and estimates related to an individual, including employment evaluations, creditworthiness assessments, and work performance estimates.
Objective information, as a subset of personal data under the GDPR, includes factual and measurable attributes associated with an individual. This can encompass a wide range of data points, from basic biographical information to more specific details. For instance, objective data can include an individual's date of birth, height, and other physical characteristics. It may also cover health-related information, such as medical history, genetic data, and biometric data, which pertains to unique physiological traits like fingerprints or facial recognition scans. Objective information can further extend to financial details, such as salary or bank statements, and even digital identifiers like IP addresses or online cookies.
Subjective information, on the other hand, refers to personal data that involves opinions, evaluations, or judgments about an individual. This type of information is more interpretive and may vary depending on the context and the person providing the information. For example, a performance evaluation by an employer, an assessment of creditworthiness by a financial institution, or a teacher's remarks on a student's exam answers are all forms of subjective data. Subjective information can also include opinions or gossip, demonstrating that personal data under the GDPR does not need to be factual or proven true.
The distinction between objective and subjective information is important in the context of the GDPR because it underscores the breadth and inclusivity of the regulation. Personal data is not limited to factual or easily verifiable information; instead, it encompasses a wide array of data points that can be used to identify and profile individuals. This means that organisations must be mindful of the subjective information they collect, use, or store about individuals, as it falls under the same privacy and security requirements as objective data.
Furthermore, the impact of data processing on individuals is a key consideration under the GDPR. Information that is processed in a way that could have an impact on an individual is considered personal data, regardless of whether that was the primary intention. For example, data collected for one purpose could be used by another organisation for a different purpose, influencing decisions made about specific individuals. Therefore, both objective and subjective data can have significant implications for individuals, and organisations must ensure they handle all personal data in accordance with the GDPR's guidelines.

Special categories of personal data
The General Data Protection Regulation (GDPR) applies to the processing of personal data. Personal data is defined as any information relating to an identified or identifiable natural person.
Some personal data is considered more sensitive and requires higher protection. This is referred to as "special categories of personal data" or "sensitive personal data". This includes information about an individual's:
- Genetic and biometric data
- Health
- Racial or ethnic origin
- Political opinions
- Religious or ideological convictions
- Trade union membership
The processing of special categories of personal data is generally prohibited unless specific conditions are met. For example, the data subject must give explicit consent for the processing of their sensitive personal data. Additionally, the processing must be necessary for substantial public interest or vital interests and must be carried out by a foundation or association with appropriate safeguards.
It is important to note that personal data relating to criminal offences and convictions is not included in the special categories. However, separate processing safeguards are in place for this type of data.

Data protection and consent
The General Data Protection Regulation (GDPR) has reshaped how consumer data is handled in the European Union (EU) and worldwide. The GDPR elevates personal data protection standards, mandating explicit and informed consent for processing personal data.
Personal data is defined in Article 4 of the GDPR as any information relating to an identified or identifiable natural person. This includes data that can be used to directly or indirectly identify an individual, such as a name, identification number, location data, or online identifier. It also includes "objective" information, such as an individual's height, and "subjective" information, like employment evaluations. Personal data is not limited to a particular format and can include video, audio, numerical, graphical, and photographic data.
Consent must be freely given, specific, informed, and unambiguous. This means that individuals must have a genuine choice and be provided with clear and concise information about the data processing activities. Consent should be obtained through a clear affirmative action, such as a written or oral statement, and should not be assumed through pre-ticked boxes or inactivity. Organisations must keep records of consent and allow individuals to withdraw consent at any time.
In some cases, explicit consent, which goes beyond standard consent, is required. Explicit consent must be given in words (written or spoken) and is necessary for processing certain types of personal data, specifically 'special category' or 'sensitive' data, and for conducting personal data processing involving automated decision-making with a significant effect on the individual.
By ensuring valid consent, organisations can not only comply with legal requirements but also build trust and enhance their reputation.

Anonymisation and pseudonymisation
Pseudonymisation is the process of replacing identifying information with pseudonyms or random codes, which can be linked back to the original person with extra information. It is a reversible process that de-identifies data but allows for the possibility of re-identification later on if necessary. This technique is highly recommended by the GDPR as it reduces the risk of exposing sensitive data to unauthorised personnel. Pseudonymised data is still considered personal data under the GDPR and is subject to its regulations.
Anonymisation, on the other hand, is the irreversible process of rendering personal data non-personal. It involves removing all personal identifiers from the data and ensuring that individuals cannot be identified from any remaining non-sensitive data fields. Fully anonymised data does not meet the criteria to qualify as personal data and is therefore not subject to the restrictions placed by the GDPR.
It is important to note that data protection law does not prescribe any specific technique for anonymisation. Organisations are responsible for ensuring that the anonymisation process they choose is sufficiently robust and secure.
The distinction between pseudonymisation and anonymisation is crucial for safeguarding individuals' personal data. Confusing the two can lead to unnecessary restrictions on data use or exposure to privacy risks.
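
The distinction above can be shown in code. The following is an added example, not part of the original page: it pseudonymises constructed records with a keyed token, shows that the holder of the separate lookup table can re-identify a row, and checks whether rows stripped of identifiers can still be singled out by their remaining fields. The record fields, the sample data, the function names and the choice of HMAC-SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (not real people).
RECORDS = [
    {"name": "Alice Example", "postcode": "AB1", "birth_year": 1984, "diagnosis": "asthma"},
    {"name": "Bob Example", "postcode": "AB1", "birth_year": 1984, "diagnosis": "diabetes"},
    {"name": "Carol Example", "postcode": "CD2", "birth_year": 1990, "diagnosis": "asthma"},
]

def pseudonymise(records, key, id_field="name"):
    """Replace the direct identifier with a keyed token; return (data, lookup).

    The lookup table is the 'extra information' and must be stored separately.
    """
    out, lookup = [], {}
    for rec in records:
        token = hmac.new(key, rec[id_field].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = rec[id_field]
        row = {k: v for k, v in rec.items() if k != id_field}
        row["pseudonym"] = token
        out.append(row)
    return out, lookup

def reidentify(row, lookup):
    """Whoever holds the lookup table can reverse the pseudonym."""
    return lookup.get(row["pseudonym"])

def strip_identifiers(rows, drop=("pseudonym",)):
    """Drop the pseudonym column: necessary for anonymisation, but not sufficient."""
    return [{k: v for k, v in r.items() if k not in drop} for r in rows]

def singled_out(rows, quasi_identifiers):
    """Return rows whose quasi-identifier combination is unique in the dataset."""
    combo = lambda r: tuple(r[q] for q in quasi_identifiers)
    counts = Counter(combo(r) for r in rows)
    return [r for r in rows if counts[combo(r)] == 1]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept apart from the pseudonymised data
    data, lookup = pseudonymise(RECORDS, key)
    print(reidentify(data[0], lookup))
    print(singled_out(strip_identifiers(data), ("postcode", "birth_year")))
```

A row returned by `singled_out` still points at one individual even though no name or pseudonym remains, so the stripped dataset would not yet count as anonymised.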
Frequently asked questions
Any information that can lead to either the direct or indirect identification of an individual is considered personal data. This includes subjective information like opinions and evaluations, as well as objective information such as height.
Personal data includes information such as name, identification number, location data, online identifiers, IP addresses, and more. Even information such as work times and test answers can be considered personal data if the individual can be identified.
Yes, data that has been de-identified, encrypted, or pseudonymised but can still be used to re-identify an individual is considered personal data and falls under the scope of the GDPR.
No, the GDPR specifically refers to "natural persons," excluding data about companies, institutions, and other legal entities, which are sometimes considered "legal persons."
No, the GDPR only applies to information relating to living individuals. Data concerning deceased persons is generally not considered personal data under the GDPR.

























