Have you already filled out a digital form or made an online purchase today? In such cases, there is a possibility that your personal data has been processed. In our increasingly digitalized world, where information abounds, it is important to familiarize yourself with the topic of personal data and to establish clear rules for handling it and protecting privacy. In this article, we will define the term and explain different types of personal data to develop a better understanding of how personal data is used in the real world.
Personal data is information that relates to an identified or identifiable natural person. It may be direct or indirect information that is used to identify an individual or to associate an individual with other data.
To further define which data is considered personal and which is not, two terms from the legal text help:
Identified or identifiable persons: The data must either be directly attributable to a specific person, or it must be attributable to an identifiable person by means of additional information or effort. This information can also come from third parties.
Natural persons: The information relates to living human beings. Data on legal entities such as companies, or on deceased persons, is not considered personal.
This information enjoys special protection under the General Data Protection Regulation (GDPR). It guarantees EU citizens the right to informational self-determination. Each person may decide for themselves what information they wish to disclose and for what purpose. The protection of the GDPR applies in principle worldwide and covers the data of all EU citizens, regardless of their place of residence or stay. However, protection outside the EU may be difficult to enforce.
In addition to general personal data, there is personal data that is protected in a special way. This is also referred to as special categories of personal data.
This data requires special protection and its use by companies is subject to higher requirements. Which data is covered by this is regulated in Art. 9 GDPR.
Special personal data are characteristics from the following information:
This information affects the privacy and personality of the data subjects in a special way. Therefore, it must be ensured by law that this data is only processed under particularly strict requirements.
Personal data are worth protecting because they reveal a lot about us and can pose various risks. In the digital age, data can be easily collected, processed and analyzed. As a result, there is a risk of identity theft, fraud, discrimination, and opinion manipulation.
Today, many people are still careless about disclosing their personal data. Often this is done out of ignorance about the true value of this information for companies and authorities. Large international companies such as Google and Facebook collect data worldwide about the activities of users on the World Wide Web.
This data, which ranges from location information to purchasing behavior to contact information, is typically used to serve personalized advertising to each individual user. As a result, these companies generate millions of dollars in annual profits. This means that personal data is worth a lot of money.
In addition, misuse of this sensitive information can also have criminal consequences. Criminals can steal bank data and gain unauthorized access to accounts, for example. Personal data such as ID card or passport numbers can be used to create and sell counterfeit documents. There are many opportunities for misuse.
It is important to handle personal data responsibly and comply with data protection regulations to minimize the risk of misuse and damage.
Not every company may simply collect all available data indiscriminately. If a public or non-public entity is authorized to collect and process data, it must ensure data protection. This means:
If personal data are stored or are to be stored in a file system, the provisions of the General Data Protection Regulation (GDPR) apply.
In principle, it is prohibited to store and process personal data unless there is a case in which this is expressly permitted. Even in such cases, the principle of data minimization applies: only the data that is necessary for a specific purpose should be processed, i.e. as little as possible.
According to Art. 6 GDPR, there are four cases or legal bases for data processing:
Consent: A person may voluntarily agree that his or her data may be processed. However, before doing so, the person must be informed about the data that will be used and for what purpose. Consent can be revoked at any time.
Example: A user accepts cookies for usage analysis on a website and agrees that the usage data may be used for market research purposes.
Contractual relationship: In order to enter into and fulfill a contract, personal data may be processed.
Example: An employer stores data about its employees in the HR department in order to carry out the employment relationship agreed in the employment contract. Or a company stores the address of customers for delivery.
Legitimate interest: Personal data may be processed if there is a legitimate interest that outweighs the protection of the freedom of the data subjects and justifies a restriction.
Example: A company monitors the Internet usage of its employees to ensure IT security and prevent fraud.
Legal processing permissions: Data processing is also permitted if it is necessary to comply with legal obligations.
Example: The tax office processes the financial data of all citizens in order to collect the taxes established by law.
What is purpose limitation? Personal data may only be processed for the specific purpose for which there is a legal basis. The data may not simply be used for other purposes.
Example: A customer has given her e-mail address when ordering from an online store in order to receive information about the delivery. The company may not use the address (without additional consent) to send her a newsletter.
What is the duty to inform? Anyone who stores and processes personal data must inform the data subjects transparently and comprehensively about the data processed, the purposes, and the rights the data subjects have in relation to the data processing (Art. 12-14 GDPR).
What is the right of access? In order to be able to exercise their right to informational self-determination, persons have the right, in accordance with Art. 15 GDPR, to request information from the persons responsible at any time about who is processing which of their data.
According to Art. 17 GDPR, personal data must be deleted, among other things, when
The following list provides a selection of the most commonly used personal data:
Identity Data: This includes name, date of birth, gender, nationality, and other information that helps uniquely identify an individual.
Contact Information: This includes telephone numbers, email addresses, home addresses, and other data used to communicate with an individual.
Financial Information: Bank account information, credit card information, and other financial information collected as part of transactions.
Health Data: Medical information, medical histories, genetic data, and other data related to an individual's health.
Online Data: IP addresses, cookies, user behavior, preferences, and other data generated from web browsing.
To illustrate how personal data is used in practice, let's consider an example of an online store:
An online retailer collects personal data such as names, e-mail addresses and shipping addresses from customers in order to process orders and deliver products. In addition, financial data such as credit card details are collected to enable payments. This data is necessary to carry out the sales process and to ensure customer satisfaction.
The online store may also use personal data for marketing purposes. For example, e-mail addresses are used to inform customers about new products, special offers or upcoming discount promotions. By analyzing purchase histories and preferences, the store can make personalized recommendations and improve the shopping experience.
Data protection and compliance with applicable regulations are essential to maintain customer trust and protect their privacy. By being aware of personal data, we can promote responsible use and safely enjoy the benefits of the digital world.