Personal data is information that pertains to an identified or identifiable natural person, often referred to as the “data subject.” The protection of such data is essential for ensuring privacy rights in the digital age. The definition of personal data is provided by Article 4 of the General Data Protection Regulation (GDPR), which seeks to protect the integrity and privacy of individuals by regulating how their personal information is processed and stored. This article explores the scope of personal data, breaks down its key elements, and analyzes the conditions under which information can be considered personal data.
Key Elements of Personal Data
As defined by the GDPR and further elaborated in the *Opinion 4/2007* by the Article 29 Working Party, personal data can be understood through four primary building blocks:
1. Any Information
2. Relating To
3. An Identified or Identifiable
4. Natural Person
1. Any Information
Personal data encompasses a wide range of information, not just objective data but also subjective statements or opinions about an individual. The Opinion 4/2007 clarifies that personal data can include both factual details and personal assessments, such as opinions or evaluations.
– Objective Information: Passport number, blood alcohol content, credit score, or degree details.
– Subjective Information: Opinions about someone’s reliability, risk assessments, or feedback on service quality.
Additionally, personal data doesn’t have to be accurate. The individual has the right to access and challenge any data held about them.
Personal data can relate to an individual’s activities, relationships, and behaviors. This is not limited to sensitive data such as health or financial details but extends to other aspects of an individual’s private, family, social, and professional life.
The format of personal data is flexible—it can exist in both structured and unstructured forms, whether paper-based or digital. Examples of personal data include recorded customer service calls, or video surveillance footage in which an individual is recognizable.
2. Relating To
Personal data “relates to” an individual if it directly or indirectly refers to their identity, characteristics, or behavior, or influences how they are treated or evaluated. The connection between the data and the individual may not always be immediately obvious, but once established, it becomes clear that the data impacts that person in some way.
The Opinion 4/2007 outlines three important elements to determine whether data “relates to” an individual:
– Content: Data that directly concerns a specific person, such as medical results or identity document numbers.
– Purpose: The intended use of the data, which might involve evaluating or influencing the individual’s behavior or status, such as performance reviews or medical treatments.
– Result: The consequences of using the data, such as how it affects a person’s rights or interests. Even minor impacts, like customer reviews on a booking platform, may influence an individual’s reputation or treatment.
3. Identified or Identifiable
A person is identified when they can be distinguished from others based on specific identifiers like passport numbers or national ID numbers. A person is identifiable when they can be identified through additional data, even if their identity is not immediately apparent. For example, combining an individual’s date of birth, gender, and postal code might make them identifiable.
4. Natural Person
Personal data protection applies only to natural persons—human beings, as opposed to legal entities such as companies. The GDPR does not cover the personal data of deceased individuals, though specific laws may exist for such cases in certain jurisdictions. Under Section 14 of the DPDP Act 2023, individuals can nominate someone to exercise their data rights on their behalf after their death.