Get an offer
Inst

Siarhei Varankevich

CIPP/E, CIPM, CIPT, MBA, FIP
Siarhei Varankevich FIP is the founder of the international data protection consultancy, Data Privacy Office. He provides consultation on the European GDPR and Emirati PDPL. He is the author and instructor of GDPR DPP, GDPR DPM, and UAE DPO data protection training courses. He is a certified professional (CIPP/E), manager (CIPM), and technologist (CIPT) in information privacy. Siarhei is also the chief editor of GDPR-Text.com, an online guide to the EU General Data Protection Regulation.
Learn more

Sign up for the DPO Europe Newsletter

We will share useful materials with you and talk about the latest news from the world of privacy.

podcast deep dive into data privacy
Personal data is

What is Personal Data? Closer look into GDRP Definition

  • 05.03.2024

Understanding “personal data” is key for following the General Data Protection Regulation (GDPR) and other privacy laws. These laws regulate only the processing of personal data.

In accordance with Article 4(1) of the General Data Protection Regulation (GDPR), personal data is defined as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

Components of personal data

Simply put, personal data refers to any information relating to an identified or identifiable individual, also known as a “data subject”. So the definition of personal data involves a number of concepts:

  • related information
  • identifier
  • identifiable individual
  • identified individual

Let’s briefly go through each of these concepts.

Related information

“Related” means that the information has a connection to the individual in some way. Following factors become connectors between the information and the data subject:

  1. content of the information, i.e. when the information is “about a person”
  2. purpose for which it is used, or
  3. result it has on the person’s rights and interests.

The first group of related information (“content”) includes identifiers.

 In the complete GDPR DPP Course, you will also:

  • Examine each connector (relation) between the identifier and additional information through examples.
  • Take part in a quiz in class to practice identifying relevant (and thus personal) and irreverent (i.e. non-personal) data points. You will need to ground you answers based on the General Data Protection Regulation and guidelines/opinions supervisory authorities'.

Identifier

An identifier is a unique piece of data or characteristic used to distinguish an individual from other people.

Personal data

It is relatively unique characteristic or data point that is associated with a particular person. Uniqueness is relative to the context in which the subject is being identified, for example, it could be relative to a certain dataset, information system, business process, or broader context.

Example: When you participate in the online GDPR DPP course training session (limited to 15 people), the trainer may refer to you by your first name and differentiate you from other students using your Zoom name and profile picture. In this scenario (context), your first name, Zoom name, and profile picture don’t need to be unique worldwide. It’s enough that they’re different from those of other students in the training session. Despite this, your identification is considered complete, and you are recognized as a uniquely identified individual (data subject).

Without an identifier, the information becomes anonymous.

Certain legislations even label personal data as personally identifiable information (PII), emphasizing how essential an identifier is.

In the full GDPR DPP Course, you will also learn:

  • What can become an identifier
  • The circumstances in which information transitions from an identifier to "related information" that remains personal
  • The most commonly used types of identifiers
  • The technologies that create new types of identifiers
  • How closely should the characteristic be linked to a data subject to become identifier
  • Why context is crucial

You will also practice detecting identifiers during practical exercises in class through quick quizzes, and at home via tests and a practical exercise on the case study, “ABC Password Keeper”.

Identified individual

An identified individual is someone whose personal data or information can be attributed to him or her with certainty. To identify a person means to single the person out from other members of the group.

This can be accomplished through the use of identifiers or any other unique characteristics that allow identification. Researchers often refer to these characteristics as quasi-identifiers.

We should treat information as personal data belonging to an identified individual if it contains any identifiers (like name, phone number, personal ID, login, etc.). However, personal information may also belong to identifiable individuals, not just those already identified. See the following paragraph for more details.

Identifiable individual

Identifiable individual is a person who can be identified, that is, who can be distinguished from other people.

Frequently, data may not contain exact and complete identifiers of individuals, but it can be rich with details that make identifying an individual reasonably easy. In such cases, the information should also be treated as personal and protected accordingly.

If we do not have a reasonable opportunity to identify the data subject, then such information is not personal, but anonymous.

For instance, if we don’t know someone’s full name, but we know there’s a person named John who is 38 years old in our city, that information would be considered anonymous to us.

However, if we know that a person named John is 38 years old, lives in our city, and works at a small law firm called “Kupala & Associates Law Office”, we can easily identify him. This type of information is classified as personal data.

The theoretical and practical challenge is to determine the extent to which identification is likely and reasonable, and the point at which it becomes so unlikely, that the information falls into the category of anonymous.

In the complete GDPR DPP course, we will use the specially developed Formula of Personal Data to address this challenge.

Layers of information

Personal information can be divided into two layers:

  •  identifying information, which includes identifiers and quasi-identifiers, and
  •  related information not used for identification.

Outside of these layers is anonymous information, which is neither used for identification nor tied to a data subject through its content, purpose, or effect on the data subject.

Personal data is
Download in higher resolution

Simply put, details like name, passport number, ID card, username, nickname, email address, phone number, IP address, and bank card are always considered personal data due to their identifying nature. Similarly, a vehicle number, handwriting, video, or photo can be classified as personal data as they can easily identify an individual. Other details like address, marital status, sex, gender, e-wallet details, health data, page views, search queries, and social media posts are considered personal data if it is known to whom they relate.

Categories of Personal data

Categories of data

The term “categories of personal data” appears in several places throughout the GDPR text. This refers to different groups of personal information. Privacy professionals decide how to categorize and describe these groups for their specific work purposes.

For instance, in a privacy statement, you might use the term “contact information”, and further divide this category into “postal address, telephone number, email address” within the comprehensive privacy notice and register of processing activities.

Categories can range from broad ones like “financial information”, to more specific ones such as “bank details, income information, credit history”, or even more detailed categories like “cardholder name, credit card number, validity period of the card, CVV code”. The level of detail depends on the context (document, system, department), and the purpose for which the grouping is used.

In the complete GDPR DPP Course, you will also:

  • Discover how to decide if information is personal using a special formula,
  • Use a Cost-Benefit analysis to check if information is anonymous,
  • Understand factors important for re-identifying data (like technologies, time, manpower, and effort),
  • Study scenarios of re-identification,
  • Understand the difference between making data anonymous and pseudonymous, as well as the subtle distinction between anonymous and anonymized data.
  • Discuss real-life applications of making data anonymous and pseudonymous,
  • Learn what is the 'Special categories of personal data' in European privacy laws and understand why these categories were first introduced in Germany.
  • Learn when personal data becomes biometric data, and whether any biometric information falls under a special category of personal data.
  • Understand the term 'data processing' and find out what word is missing from its definition in the GDPR.
  • Understand that the concept of personal data is gradually becoming more narrow and context-dependent in supervisory authorities' guidelines.

Contact us

Fill in the form and we will contact you as soon as possible!

Inst

Contact Sales

Learn what Data Privacy Office Europe can do for you.

Fill out the form and we will contact you as soon as possible!