"Personal Data" (Personal Information) qualifies as any detail about a living individual that can be used on its own, or with other data, to identify them. This includes employees.
What constitutes Personal Data?
- Personal data (personal information) is information that relates to an identified or identifiable individual.
- What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
- If it is possible to identify an individual directly from the information you are processing, then that information may be personal information.
- Personal information may also include special categories of personal information or criminal conviction and offences information. These are considered to be more sensitive and you may only process them in more limited circumstances.
- Pseudonymised information can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal information.
Examples of personal data
From employee information to supplier and customer records, it is highly likely your company deals with personal information in the form of:
- a name and surname;
- a home address;
- an email address such as email@example.com;
- an identification card number;
- location data (for example the location data function on a mobile phone)*;
- an Internet Protocol (IP) address;
- a cookie ID*;
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
What does not constitute Personal Data?
- Information about a deceased person does not constitute personal information and therefore is not subject to the GDPR.
- Information about companies or public authorities is not personal information.
- However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal information.
- If personal information can be truly anonymised then the anonymised information is not subject to the GDPR. It is important to understand what personal information is in order to understand if the information has been anonymised.
Examples of data that is not considered personal
- a company registration number;
- an email address such as firstname.lastname@example.org;
- anonymised data.
What the regulator says:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- GDPR: Material Scope - Article 2
- GDPR: Definitions - Article 4 (1), Article 4 (5)
- GDPR Whereas: (14), (15), (26), (27), (29) and (30)
- Article 29 Working Party Opinion 4/2007 on the concept of personal data
- Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques