Do you process personal data? Identifying personal data is key to determining whether the GDPR applies to your processing activities, revealing which categories are processed and beginning the implementation of the Regulation.
What are personal data?
The GDPR defines personal data in Article 4 as “any information relating to an identified or identifiable natural person”, thus maintaining the definition given by Directive 95/46/EC of the European Parliament and of the Council, of 24 October 1995.
A highly recommended Opinion for understanding the concept of personal data is the Article 29 Working Party's WP136. In this paper, the Art. 29 WP broke down the concept of personal data established by the Directive into four elements (“any information”, “relating to”, “natural person”, “identified or identifiable”) and analyzed them separately.
“Any information” is an expression that should be construed as a broad concept. The Art. 29 WP analyses it from 3 different perspectives: (i) the nature, (ii) the content and (iii) the format or medium.
- Nature: the expression includes any sort of statement about a person, whether objective (e.g., physiological data) or subjective (e.g., an opinion).
- Content: it includes any data, regardless of what the information concerns.
- Format or medium: it includes information available in whatever form, be it alphabetic, numerical, graphical, photographic or acoustic, for example.
Generally, information relates to an individual when it is about that individual, though the information can also be about an object or a process and only indirectly about an individual. The Art. 29 WP points out that in order to deem that the data “relates to” an individual, there must be a “content” element or a “purpose” element or a “result” element:
- Content: the content element is present when information is given about a particular person, a circumstance which must be assessed on a case-by-case basis, regardless of the purpose that the controller or a third party may have, or the impact on the data subject.
- Purpose: Whereas the “content” element can exist independently of the processing that a controller or a processor has foreseen, the same does not apply to the “purpose” element, which does depend on the specific processing: it exists “when the data are used or are likely to be used, taking into account all the circumstances surrounding the precise case, with the purpose to evaluate, treat in a certain way or influence the status or behaviour of an individual”.
- Result: Finally, the information also “relates to” an individual in situations where “their use is likely to have an impact on a certain person’s rights and interests, taking into account all the circumstances surrounding the precise case”.
The three elements must be considered as alternative conditions, so only one of them needs to be present in order to deem that the information is “about” an individual. In addition, the same piece of information may relate to different individuals at the same time, which will happen when more than one element is present and each refers to a different individual.
[individual] “identified or identifiable”
As the Art. 29 WP states, “a natural person can be considered as ‘identified’ when, within a group of persons, he or she is ‘distinguished’ from all other members of the group. Accordingly, the natural person is ‘identifiable’ when, although the person has not been identified yet, it is possible to do it.”
As Article 4.1 of the GDPR sets forth, an “identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Usually we consider that a person is directly identified when we know their “name”, as it is the most common identifier and the most used in practice. However, sometimes the name may not be enough to identify a person and it has to be combined with other pieces of information, such as an address, a profile picture or a phone number.
Where the identifiers available do not, prima facie, allow anyone to single out a specific person, but do allow the individual to be distinguished from others when combined with other pieces of information (whether retained by us or not), the individual shall be deemed indirectly identifiable.
Finally, a natural person may also be identified even when you are not in a position to find out their “name”. The reason is that in many situations the name of an individual is not necessary to single them out, because you may have other identifiers which allow you to create a profile and attribute decisions to him or her (think of that neighbour whose name we do not know and yet whom we are able to distinguish from other people, or of the unique identifier that we have given to each of our clients when including them in our files).
The Regulation establishes in recital 14 that “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”. It is, therefore, a universal right of natural persons that is not restricted to nationals or residents of a certain country.
The GDPR limits its protection to living individuals, expressly excluding deceased persons in recital 27: “This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons”.
Nor will the Regulation apply to data relating to legal persons. This is established in recital 14, which reads: “This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person”.
These are the four elements that are key to finding out which of the information you hold may be classified as personal data. It is a very broad concept, and the key step is determining whether a specific individual is identified or identifiable, either with the information available in your files or when that information is matched or combined with pieces of information held by a third party.
If the individual is identified or identifiable, all information you hold about him or her will qualify as personal data.