GDPR: What Is Personal Data? 

The General Data Protection Regulation (GDPR) defines personal data in Article 4(1) as follows: 

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.  

The GDPR’s requirements are broadly defined and not industry-specific, so it is up to each organization to recognize what may constitute personal data and to ensure its business operations align with data protection regulations. For example, an organization might hold data that does not directly identify an individual on its own, yet that data becomes personal data if it can identify an individual once combined with other personal data. In addition, the collection and processing of special categories of personal data require additional protection, as they constitute sensitive information.

If an organization is processing personal data and is operating in the EU, it must comply with the GDPR requirement to process personal data lawfully and to avoid violating individuals’ rights and freedoms. This is also essential because data protection authorities may conduct an audit or an investigation to verify that the organization is complying with the GDPR. 

Keep in mind that most data protection laws only apply where the personal data is processed by automated means or forms part of some other non-automated, organized filing system (Article 4(2)). For example, the GDPR does not apply to unstructured handwritten notes that contain personal data. 

Examples of Personal Data 

Personal data does not have to be in written form; it can also be information about a data subject’s physical appearance or voice, such as the information contained in photos and video recordings. Other examples of personal data include: 

  • First and last name 
  • Home address 
  • National identity number 
  • Passport number 
  • Email address 
  • Purchase history 
  • IP address 
  • Social media posts 
  • Newsletter sign ups 
  • Drug test results. 

Collection and Processing of Personal Data 

It is important to provide data subjects (individuals) with the necessary details during the collection and processing of their personal data to guarantee lawful, fair, and transparent processing. This ensures that their rights are respected and safeguarded. 

Processing of Personal Data 

The GDPR requires organizations to have a lawful basis for processing personal data. Organizations may process personal data only in reliance on one of the bases in Article 6:  

  1. Consent was obtained from the data subject 
  2. Performance of a contract 
  3. A legal obligation 
  4. To protect the vital interests of the data subject 
  5. The performance of a task carried out in the public interest.  

Direct and Indirect Personal Data Collection 

When collecting personal data from data subjects, an organization must present all necessary privacy information to the individuals concerned so that the processing is fair and transparent. This information should (if applicable) include: 

  • The identity and the contact details of the organization and the organization’s representative 
  • The contact details of the data protection officer 
  • The purposes of the processing 
  • The legal basis for processing 
  • The legitimate interests pursued by the organization 
  • The recipients or categories of recipients of the personal data 
  • Whether the organization intends to transfer personal data to a third country or an international organization 
  • The period for which the personal data will be retained or criteria used to determine the period 
  • The right to request access to, modify, or erase personal data 
  • The right to lodge a complaint with a supervisory authority 
  • Whether the provision of personal data is a statutory or contractual requirement, or necessary to enter into a contract, and whether the data subject is obliged to provide the personal data and what will happen if they do not provide it 
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 

When personal data is not obtained directly from the data subject, the privacy information must be provided to the data subject at the latest within one month after collection. The information should (if applicable) include: 

  • The identity and the contact details of the organization and the organization’s representative 
  • The contact details of the data protection officer 
  • The purposes of the processing 
  • The categories of personal data concerned 
  • The recipients or categories of recipients of the personal data 
  • Whether the organization intends to transfer personal data to a third country or international organization 
  • The period for which the personal data will be stored or the criteria that will be used to determine the period 
  • The legitimate interests pursued by the organization 
  • The right to request access to, modify, or erase personal data 
  • The right to lodge a complaint with a supervisory authority 
  • The source from which the personal data originated 
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 

My Personal Data Was Collected. What Rights Do I Have? 

The GDPR allows data subjects to exercise certain rights in certain circumstances. These rights include: 

  1. The right to be informed: Data subjects have the right to receive information relating to the processing of their personal data. This must be provided in a concise, transparent, and easily accessible form, using clear and plain language. 
  2. The right to access: Data subjects have the right to access their own personal data and obtain a copy. 
  3. The right to rectification: Data subjects have the right to request correction of inaccurate personal data and to have incomplete personal data updated. 
  4. The right to erasure: Data subjects have the right to request for their personal data to be erased. This is also known as the “right to be forgotten”. 
  5. The right to restrict processing: Data subjects can restrict the processing of their personal data in certain circumstances. For example, if the data is processed unlawfully or the data subject is contesting its accuracy. 
  6. The right to data portability: In certain circumstances, data subjects have the right to receive the personal data they have provided to the controller in a structured, commonly used, and machine-readable format. 
  7. The right to object: In some circumstances, data subjects have the right to request an organization to stop the processing of their personal data. 
