GDPR Learning Hub

Article 4 & 9 of the GDPR

Personal Data according to GDPR

Central to complying with the provisions of the GDPR is understanding how the GDPR defines personal data. There are many types and categories of personal data beyond the most obvious ones.

Definition of personal data according to GDPR

The definition of personal data is set out in Article 4(1) of the GDPR. Personal data is any information relating, directly or indirectly, to an identified or identifiable natural living person. 

In addition, an indication of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person also constitutes personal data. 

In short, the GDPR covers all types of data that can identify a living natural person, whether directly or indirectly.

Who must comply with GDPR

All companies that process personal data of individuals located in the EU/EEA must comply with the EU General Data Protection Regulation (GDPR). This Regulation entered into force on 25 May 2018 and applies in all EU/EEA countries.

It also applies in many cases to companies established outside the EU/EEA, including if they offer services or goods, free of charge or against payment, to individuals located within the EU/EEA area. 

Clear and less clear personal data

Whenever it is possible in some way to link information to a living natural person, that information is personal data. Keep in mind that even less obvious data can be personal data under the GDPR. The information does not have to be directly linkable to a person; an indirect link is enough.

Example of indirect personal data

An individual has a personal bus card that can be blocked if the missing card's number is reported to the transport company. For the transport company to know who the card belongs to, it has a system that shows who the card is registered to. In other words, the card number can be connected to the person through so-called backdoor identification. The card number is therefore personal data. The same reasoning applies to the registration number of a vehicle owned by a private individual, which is therefore also personal data under the GDPR.

The more important or sensitive the personal data, the higher the security requirements

All companies must take appropriate technical and organizational measures to protect the personal data the company processes. The measures that should be taken vary depending on the situation, such as the types of personal data involved. The more important the personal data, the higher the security requirements. 

For example, companies need stronger protection when storing credit card information than when storing email addresses. In addition, a company may need to carry out a data protection impact assessment before starting certain types of processing.

Special categories of personal data in Article 9 of the GDPR are also referred to as “Sensitive personal data”

There are certain special categories of personal data which, according to the general rule in Article 9 of the GDPR, are prohibited from processing. However, there are some exceptions to the general rule. These special categories of personal data are sometimes referred to as “Sensitive Personal Data”. 

Where processing of sensitive personal data is permitted under the GDPR

As mentioned above, processing of sensitive personal data is prohibited under the general rule in Article 9(1) of the GDPR. However, Article 9(2) of the GDPR lists 10 exceptions to the general rule, which state when it is permitted to process sensitive personal data:

Consent

The data subject has consented to the processing of his or her sensitive personal data for one or more specific purposes. This applies, however, provided that it is not prohibited to use the consent as a legal basis under Member State law.

Labour law and the fields of social security and social protection

Where the processing is necessary for the employer or the data subject to exercise his or her rights and fulfil his or her obligations in the field of labour law, social security and social protection. This applies provided that appropriate safeguards are in place to protect the fundamental rights and interests of the data subject and that the processing is permitted by national law or collective agreements.

Protection of vital interests

Where the data subject is physically or legally incapable of giving consent to the processing (e.g. unconscious), but the processing is necessary to protect the life of the data subject or of another natural person.

Not-for-profit bodies

A foundation, association or other not-for-profit body with a political, philosophical, religious or trade union purpose has the right to process sensitive personal data. This applies provided that the processing concerns only current or former members, or persons who have regular contact with the body in connection with its purposes. In such cases, appropriate safeguards shall be put in place and the personal data shall not be disclosed externally without the consent of the data subject.

Publicly available data

If sensitive personal data have clearly been made public by the data subject, it is permissible to process them.

Legal claims

The processing of special categories of personal data is lawful if it is necessary for the establishment, exercise or defence of legal claims. The same applies where the processing forms part of the judicial activities of the courts.

Important public interest

If the processing of special categories of personal data is necessary for an important public interest, based on Union or Member State law, and is proportionate to the purpose, the processing is permitted. However, appropriate and specific security measures must be taken to safeguard the fundamental rights and interests of the data subject.

Health and social care

The processing of special categories of personal data is permitted if it is necessary for medical purposes, for example the assessment of an employee's working capacity, medical diagnosis, the provision of healthcare, treatment or social care. This applies provided that the processing is authorised under Union or Member State law or under contracts with health professionals, and provided that the data are processed by professionals subject to a legal obligation of professional secrecy. In addition, specific security measures shall be applied, such as encryption and access controls.

Public health and medical protection

Processing may be carried out if it is necessary for public health purposes, for example to ensure protection against serious cross-border threats to health (such as a pandemic). This applies if the processing is based on Union or Member State law. In addition, specific safeguards shall be in place to ensure the protection of the rights and freedoms of the data subject, in particular professional secrecy.

Research, statistics and archiving

Processing of special categories of personal data is permitted if it is necessary for:

a. archiving purposes in the public interest (such as the storage of public or historical records);
b. scientific research (e.g. medical studies);
c. historical research (for example, studies of culture or historical events); or
d. statistical purposes (e.g. analysis of trends in society through statistics).

This applies provided that the processing is based on EU law or the national law of the Member State in question. However, the processing must be proportionate to its purpose, respect the essence of the right to data protection and be subject to safeguards that ensure the fundamental rights and interests of the data subject.

Business data is normally not personal data

Please note that a company registration number does not constitute personal data. Data about companies is normally not covered by the GDPR. However, it can be personal data if it relates to a sole trader, in cases where the corporate identity number is the same as the owner's personal identity number.

In some cases a car's registration number is personal data and in other cases it is not. For example, if the car owner is a company, it is not personal data. However, if the car owner is a private individual, it is personal data under the GDPR.

Additional conditions

Importantly, a Member State may maintain or introduce additional conditions, including restrictions, regarding the processing of genetic, biometric or health data. This is stated in Article 9(4) of the GDPR. The provisions of the GDPR thus form the basis and the minimum requirements, so it is important for companies to also be aware of any deviations that apply in the individual Member States relevant to them.

More information about the legal and lawful bases of the GDPR

Contract with data subjects is another legal basis

It is important to remember that protecting vital interests is only one legal basis under the GDPR; there are five more. Companies have the right to process personal data that is necessary for the performance of a contract with the data subject, which is another legal basis under the GDPR. A company that conducts e-commerce may, for example, process the customer's contact information in order to deliver the products to the customer. However, the company does not have the right to process more personal data than is necessary for the performance of the contract.
