Skip to main content

In the digital age, personal data is a valuable asset. It’s also a potential liability.

The General Data Protection Regulation (GDPR) has set new standards for data protection. It has reshaped the way organisations handle personal data.

But what exactly is classed as personal data under GDPR? The answer is not as straightforward as you might think.

This article aims to shed light on this complex issue. We will delve into the definition of personal data as per GDPR.

We will also explore the rights of individuals and the obligations of data controllers and processors.

By the end of this article, you will have a clearer understanding of what constitutes personal data under GDPR.

Understanding Personal Data Under GDPR

GDPR defines personal data as any information relating to an identified or identifiable individual. This is also known as a ‘data subject’.

An identifiable individual is someone who can be identified, directly or indirectly. This can be through identifiers such as a name, an identification number, or location data.

It can also include factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

In essence, if it can be used to identify a person, it’s likely to be personal data under GDPR.

Examples of Personal Data

The range of what can be considered personal data under GDPR is vast. It includes, but is not limited to:

  • Names
  • Addresses
  • Email addresses
  • Phone numbers
  • IP addresses
  • Location data
  • Biometric data
  • Racial or ethnic data
  • Political opinions

Even data that has been pseudonymised can be considered personal data if the pseudonym can be linked to any individual.

Sensitive Personal Data: A Special Category

GDPR identifies certain types of personal data as ‘sensitive’. These require a higher level of protection due to their nature.

Sensitive personal data includes:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for uniquely identifying a person
  • Health data
  • Data concerning a person’s sex life or sexual orientation

Processing of these sensitive data categories is generally prohibited, unless a specific exemption applies. This highlights the importance of understanding what constitutes personal data under GDPR.

The Importance of Protecting Personal Data

In today’s digital age, personal data is a valuable asset. It’s used by businesses to understand their customers, tailor their services, and drive growth.

However, the misuse of personal data can lead to privacy breaches, identity theft, and other serious consequences. This makes the protection of personal data a critical concern for individuals and businesses alike.

GDPR’s Role in Data Protection

The General Data Protection Regulation (GDPR) was introduced by the European Union to strengthen data protection for all individuals within the EU. It sets out the principles for data management and the rights of the individual.

GDPR not only applies to organizations located within the EU but also to organizations outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It’s designed to harmonize data privacy laws across Europe and reshape the way organizations approach data privacy.

Rights of Individuals Under GDPR

Under GDPR, individuals, also known as data subjects, have several rights to ensure their personal data is handled responsibly. These rights give individuals more control over their personal data and ensure transparency in its processing.

The rights include:

  • The right to be informed: Individuals have the right to know how their data is being used.
  • The right of access: Individuals can request access to their data.
  • The right to rectification: Individuals can have inaccurate data corrected.
  • The right to erasure: Also known as the ‘right to be forgotten’, individuals can request their data to be deleted.
  • The right to restrict processing: Individuals can request that their data is not used for processing.
  • The right to data portability: Individuals can ask for their data to be transferred to another service provider.
  • The right to object: Individuals can object to the processing of their data.
  • Rights in relation to automated decision making and profiling: Individuals have the right not to be subject to a decision based solely on automated processing.


Obligations of Data Controllers and Processors

Data controllers and processors have specific obligations under GDPR. A data controller is the entity that determines the purposes and means of processing personal data. A data processor is responsible for processing personal data on behalf of a controller.

Their obligations include:

  • Ensuring data is processed lawfully, fairly, and transparently.
  • Collecting data for specified, explicit, and legitimate purposes.
  • Ensuring data is accurate and up-to-date.
  • Implementing appropriate security measures to protect data.
  • Reporting data breaches to the relevant supervisory authority and the affected individuals.


Penalties for Non-Compliance

Non-compliance with GDPR can result in severe penalties. Fines can reach up to €20 million or 4% of the company’s global annual turnover, whichever is higher. It’s crucial for businesses to understand and adhere to GDPR to avoid these penalties.

GDPR Compliance: Steps for Businesses

Businesses must take proactive steps to ensure GDPR compliance. This involves understanding the scope of personal data and implementing appropriate data protection measures.

Key steps include:

  • Conducting a data audit to identify what personal data is held and where.
  • Implementing data protection by design and by default.
  • Ensuring clear, transparent communication about data use.
  • Regularly reviewing and updating data protection policies and procedures.


Impact of GDPR on Marketing and International Data Transfers

GDPR has significant implications for marketing activities and international data transfers. For marketing, explicit consent is required for data collection, making opt-in a standard practice.

For international data transfers, GDPR imposes strict rules. Data can only be transferred outside the EU to countries with adequate data protection measures. This impacts how businesses operate globally, particularly those relying on cloud services or third-party data processors.

Conclusion: The Continuous Evolution of Data Protection

In conclusion, GDPR has redefined the landscape of personal data protection. It emphasizes transparency, accountability, and individual rights. As data protection continues to evolve, businesses must stay updated on GDPR developments and maintain a proactive approach to ensure ongoing compliance and protect individuals’ privacy.