What is personal data?

What is personal data?

Personal data is information that relates to an identified or identifiable natural person. It may be direct or indirect information that is used to identify an individual or to associate an individual with other data.

To further define which data is considered personal and which is not, two terms from the legal text help:

Identified or identifiable persons (according to the GDPR: identified or identifiable): The data must either be directly attributable to a specific person or it must be attributable to an identifiable person by means of additional information or expenses. This information can also come from third parties.

Natural persons: The information relates to living human beings. Data on so-called legal entities such as companies or deceased persons are not considered personal.

This information enjoys special protection under the General Data Protection Regulation (GDPR). It guarantees EU citizens the right to informational self-determination. Each person may decide for themselves what information they wish to disclose and for what purpose. The protection of the GDPR applies in principle worldwide and covers the data of all EU citizens, regardless of their place of residence or stay. However, protection outside the EU may be difficult to enforce.

Special category of personal data

In addition to general personal data, there is personal data that is protected in a special way. This is also referred to as special categories of personal data.

This data requires special protection and its use by companies is subject to higher requirements. Which data is covered by this is regulated in Art. 9 GDPR .

Special personal data are characteristics, from the following information:

• racial and ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data
• biometric data to uniquely identify a natural person
• health data
• data concerning sexual life and sexual orientation

This information affects the privacy and personality of the data subjects in a special way. Therefore, it must be ensured by law that this data is only processed under particularly strict requirements.

Why is personal data worth protecting?

Personal data are worth protecting because they reveal a lot about us and can pose various risks. In the digital age, data can be easily collected, processed and analyzed. As a result, there is a risk of identity theft, fraud, discrimination, and opinion manipulation.

Today, many people are still careless about disclosing their personal data. Often this is done out of ignorance about the true value of this information for companies and authorities. Large international companies such as Google and Facebook collect data worldwide about the activities of users on the World Wide Web.

This data, which ranges from location information to purchasing behavior to contact information, is typically used to serve personalized advertising to each individual user. As a result, these companies generate millions of dollars in annual profits. This means that personal data is worth a lot of money.

In addition, misuse of this sensitive information can also have criminal consequences. Criminals can steal bank data and gain unauthorized access to accounts, for example. Personal data such as ID card or passport numbers can be used to create and sell counterfeit documents. There are many opportunities for misuse.

It is important to handle personal data responsibly and comply with data protection regulations to minimize the risk of misuse and damage.

How to deal with personal data

Not every company may simply collect all available data indiscriminately. If a public or non-public entity is authorized to collect and process data, it must ensure data protection. This means:

• Employees entrusted with data processing must be informed about data secrecy and receive data protection training to learn how to handle the data.
• The storage of personal data requires the highest security measures. These include not only password-protected workstations and databases, but also appropriate encryption programs and effective measures to defend against malware (such as antivirus programs and firewalls). In some cases, personal data must be anonymized to remove the reference to an identified or identifiable individual.
• The processing of personal data must always be purpose specific. Once the purpose is fulfilled, the information must be deleted or protected from further access. The data subject must have clearly consented to this purpose.
• The obligation to delete personal data generally exists as soon as the data is no longer needed or the original purpose no longer exists. Some data is also deleted at regular intervals. Unlawfully stored data must be securely deleted immediately.
• A legal basis is required for the processing of personal data. The basic rules of data processing that must be observed when processing personal data and which shape the GDPR are set out in Art. 5(1) GDPR.

GDPR: Data protection rules for personal data

If personal data are stored or are to be stored in a file system, the provisions of the General Data Protection Regulation (GDPR) apply.

Which data can be stored and processed?

In principle, it is prohibited to store and process personal data unless there is a case in which this is expressly permitted. Even in such cases, the principle of data minimization applies: only the data that is necessary for a specific purpose should be processed, i.e. as little as possible.

According to Art. 6 GDPR, there are four cases or legal bases for data processing:

Consent: A person may voluntarily agree that his or her data may be processed. However, before doing so, the person must be informed about the data that will be used and for what purpose. Consent can be revoked at any time.

Example: A user accepts cookies for usage analysis on a website and agrees that the usage data may be used for market research purposes.

Contractual relationship: In order to enter into and fulfill a contract, personal data may be processed.

Example: An employer stores data about its employee:s in the HR department in order to carry out the employment relationship agreed in the employment contract. Or a company stores the address of customers for delivery.

Justified Interest: Personal data may be processed if there is a legitimate interest that outweighs the protection of the freedom of the data subjects and justifies a restriction.

Example: A company monitors the Internet usage of its employee:s to ensure IT security and prevent fraud.

Legal processing permissions: Data processing is also permitted if it is necessary to comply with legal obligations.

Example: The tax office processes the financial data of all citizen:s in order to collect the taxes established by law.

What is purpose limitation? Personal data may only be processed for the specific purpose for which there is a legal basis. The data may not simply be used for other purposes.

Example: A customer has given her e-mail address when ordering from an online store in order to receive information about the delivery. The company may not use the address (without additional consent) to send her a newsletter.

What is the duty to inform? Anyone who stores and processes personal data must inform the data subjects transparently and comprehensively: about the data processed, the purposes and what rights the data subjects have in relation to the data processing (§ 12-14 GDPR).

What is the right of access?. In order to be able to exercise their right to informational self-determination, persons have the right, in accordance with Art. 15 GDPR, to request information from the persons responsible at any time about who is processing which of their data.

When does the data have to be deleted?

According to Art. 17 GDPR, personal data must be deleted, among other things, when

• they are no longer needed for the intended purpose,
• consent to processing is revoked, or
• the data has been collected unlawfully.
• Where there are legal requirements to retain data for a longer period, the right to erasure may be overridden.

Categories for personal data

The following list provides a selection of the most commonly used personal data:

Identity Data: This includes name, date of birth, gender, nationality, and other information that helps uniquely identify an individual.

Contact Information: This includes telephone numbers, email addresses, home addresses, and other data used to communicate with an individual.

Financial Information: Bank account information, credit card information, and other financial information collected as part of transactions.

Health Data: Medical information, medical histories, genetic data, and other data related to an individual's health.

Online Data: IP addresses, cookies, user behavior, preferences, and other data generated from web browsing.

Example: Use of personal data in an online store

To illustrate how personal data is used in practice, let's consider an example of an online store:

An online retailer collects personal data such as names, e-mail addresses and shipping addresses from customers in order to process orders and deliver products. In addition, financial data such as credit card details are collected to enable payments. This data is necessary to carry out the sales process and to ensure customer satisfaction.

The online store may also use personal data for marketing purposes. For example, e-mail addresses are used to inform customers about new products, special offers or upcoming discount promotions. By analyzing purchase histories and preferences, the store can make personalized recommendations and improve the shopping experience.

Data protection and compliance with applicable regulations are essential to maintain customer trust and protect their privacy. By being aware of personal data, we can promote responsible use and safely enjoy the benefits of the digital world.

Would you like to take back control of your data with your company and process, store and delete data in a GDPR compliant and secure way? Then contact us and unleash the power of open source with Glasskube today.