What data is personal data?
When considering whether some data is personal data, use this principle:
If any information is related to a specific (identified or identifiable) natural person, it is considered personal data.
GDPR clarifies what is personal data and lists examples of information like and says literally: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
So, a piece of data should be considered as personal:
- without the limitation of the data type or nature (that is why Article 4.1. a reads: "personal data means any information relating to an identified or identifiable natural person (‘data subject’);"
- is related to a specific person which mainly means that is about that person
- can be used to identify or make identifiable a specific person (a person is considered as "identified" when, within a group of persons, he or she is "distinguished" from all other members of the group)
- that it relates to a natural person (an individual, human being)
The keyword here is: "relate". Remember the phrase: any data that relates to an individual is personal data.
The relationship between data and a person should never be taken out of context because the nature of the relationship heavily depends if the data is personal or not.
The nature of a link between the data and an individual determines if data can actually become personal data. Take into consideration that a link can be non-existent or just forming, existing, broken, or breaking, changed since formation or it can be changing its essence or relationship it creates with the individual.
Those link properties can change over time
- because the individual changes
- data changes
- link nature changes
causing a significant change that link impact has to an individual and the context as a whole.
The context of the data processing activity is an integral part of assessing its lawfulness
The context is:
- determined against all data types
- determined against all data subjects types
- determined against all data processing activities
- combination of all the impacts that personal data has on the individual
- combination of all the impacts that processing of the personal data has on the individual
- described by describing the nature of all the links between personal data, processing activities, data processors, data controllers, third parties on one side and the individual (natural person) on the other side (natural person)
Inherently, any data can become personal data or cease to be personal data, depending on the context and time, even when the personal data itself doesn't change at all (but context changes).
In the example where individuals read a vacancy advertisement, they receive information about the salary for a position from the advertisement. Is advertised salary personal data? Clear answer: No. (Not at that particular moment when an individual has just read it)
Here is a breakdown of reasons why salary was not personal data at the time: At the time of reading, no link with a significant impact between the salary of the advertised vacancy (data) and the reader (individual), potential employer (the data controller) has been established, so the context is not established yet. Data exists in its job adverts context, and the individual exists in the context of its own, with those two contexts having no significant impact on one another.
For the link to have the aforementioned significant impact, it would mean that data is used, or is likely to be used, to learn, evaluate, treat in a certain way, make a decision about, or influence the status or behavior of an individual. In the event when the link between data and data subject causes a significant impact on the data subject, such an event establishes a context of coexistence of the data and data subject, causing data to be classified as personal and therefore protected by GDPR.
However, if the individual from the previous example becomes employed (at some later point - observe time component of the context) by filling the previously mentioned advertised vacancy, a direct link between salary (data) and employee (individual) is established.
Transparency in data processing is regulated by GDPR, too. Regardless of what data is processed, in what context, and for what purposes, the first rule of transparency for every single processing activity in relation to the data subject should never be broken or even appear to be broken. The first rule of data processing transparency is:
The short version of the first rule of transparency: Say what you do and do what you say.
The longer version of the rule would read: "Say what you do and why you do it and explain the rights of the data subjects to them, and do what you say, explain why you said it and assure it's easy to exercise the rights of the data subject.", but the author will prepare another blog post about how to follow main principles of lawfulness, fairness and transparency as set out in Article 5.a. of GDPR.
Don't say you do more than you actually do, but never omit to inform the data subject that you are doing something with the data you received.
Context can cause data to be reclassified from non-personal to personal
The nature of the newly established link between salary and employee is self-evident (employment) and the impact is clear, too. At the point when the link between the data (salary amount) and the individual (data subject) is established, salary becomes personal data because it's both linked to the employee and the link impacts the employee significantly and creates new additional links (that have different levels of impact). As an example, salary significantly impacts life quality, the credit rating (new link), type of car they drive (new link), housing type (new link), neighborhood (new link), etc. By establishing one or more links, context is established and its attributes become apparent.
As an example, let's assume that a photographer, as an individual (natural person) hires a lawyer (natural person) to sue a hypothetical company that provides time tracking SaaS software for copyright infringement. Let's assume that lawyer has presented himself as an expert in the field of intellectual property law to the photographer. When the photographer as the plaintiff loses the lawsuit the photographer reports the lawyer to the bar for malpractice.
During the initial court case, when the photographer was holding the role of the plaintiff, all of the email correspondence between the lawyer and his client had lawyers' details (name, street, city, postal code, phone number, credentials, references...). Email correspondence between the lawyer and the photographer during the initial lawsuit wasn't about the lawyer or self-sufficient writing without a goal but had the purpose of discussing copyright infringement lawsuits. Therefore the lawyer's data shouldn't be considered as personal data during the time of copyright infringement case, but any other type of data protected from disclosure because it's a professional secret or falls under attorney-client privilege.
However, as the photographer has later (time component of the context) reported the lawyer for malpractice, those proceedings became about the lawyer (as the data subject) and the lawyer's data became personal data protected by GDPR.
Saving employee personal data is a processing activity and has to have a clear specific purpose. A personal data processing purpose has to be lawful (have a legal basis) A processing activity without a purpose or with a purpose, but unlawful is an offense punishable by GDPR.
Respecting the fundamental right of all individuals to personal data protection is not always easy
Beware, some data that should be classified as personal data sometimes isn't. Data or a data set does not have to confirm the identity of an individual by itself, but only allow, facilitate, speed up, or simplify the identification of an individual. A good example of allowing identification is when personal data itself is not enough to confirm the identity (e.g. data set containing only first and last name, height and weight of and individual, without any other personal data: that data set does not contain enough information to identify a specific person, as there can be many people with the same names and average weight and height). Regardless of the fact that that data set (group composite identifier) cannot identify a specific individual is also considered as personal data, especially biometric data, but also other personal data types (identifiers).
Identifying a specific person from personal data is a processing activity and is regulated by GDPR. Such processing activity should always be lawful, fair, and transparent, as European Union explicitly declared the protection of personal data as a fundamental right and freedom of any natural person (individual, human). Hence, all processing activities should strictly adhere to GDPR. One doing data processing (data processor) and one controlling the personal data (the data controller) can be held responsible for any infraction, non-observance, non-compliance or infraction that can cause serious legal consequences and high fines if they don't adhere to provisions of GDPR.
A formal test that determines if data is personal should be developed
Not classifying data or a data set as personal data can lead to nonconformity with legal requirements as set out in GDPR. As this post describes, it is not always apparent that some data should be classified as personal data.
Taking the entirety of the written text, especially that there is a visible structure in this opinion piece, the author believes that a formal test can be conducted to determine if any data should be considered personal data. The author will attempt to create such a formal test and describe it in one of the following blog posts.
This blog post is made available by the author who is a licensed ISO 27001 Internal Auditor and has extensive experience in managing privacy. This blog is intended for educational purposes only as well to present views of the author how business understands the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney-client relationship between you and this blog publisher. The blog should not be used as a substitute for competent legal advice from a licensed professional attorney. Views of the author do not necessarily represent views of Infranet (see our incorporation details) nor does it constitute a promise. Photos: Pexels.com