GDPR: what are personal data?
Personal data
The GDPR applies to the use of personal data. The definition of personal data in the context of this law is therefore of great importance.
Personal data are any information about an identified or identifiable natural person. A natural person is considered to be identifiable if he or she can be identified directly or indirectly. Information that at first sight does not appear to be traceable to a person can therefore be personal data according to the definition of the GDPR. This may be the case if the information can be traced back to the person in question, e.g. by combining the data with other, or additional, data.
- Some examples of 'normal' personal data include: name, address, e-mail address, photo, ID number, IP address, employee number, private or professional telephone number (who’s who), login data, identification cookies, account number, CV, log data (including cafeteria, parking use, web use, surfing), camera images, personnel files, wage data, professional expenses, etc.
- Please note: data that at first sight does not directly lead to (identification of) a person can also be personal data. For example, data about a person's reaction times to a task, brain activity (e.g. EEG), blood sugar level, personality, skin conductance and heart rate are also (sensitive) “personal data” when there is also information that links this data (whether or not pseudonymised) to the natural person. (See also below under Pseudonymised and Anonymised data.)
Data concerning deceased persons or organisations are not personal data according to the GDPR and therefore fall outside the scope of the GDPR. Other laws and regulations may, however, apply to these data.
Special categories of personal data (sensitive personal data)
Special categories of personal data (sensitive personal data) are personal data that contain or comprise the following information:
- race
- ethnic origin
- political views
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data
- data on a person's sexual behaviour or sexual orientation
If this information becomes publicly available, for example as a result of a data breach, this can have very adverse consequences for the data subjects.
Genetic data
Genetic data are personal data related to the inherited or acquired genetic traits of a natural person that provide unique information about the physiology or health of that natural person, and that come in particular from an analysis of a biological sample of that natural person.
Biometric data
Biometric data are personal data that result from specific technical processing with regard to the physical, physiological or behavioural characteristics of a natural person on the basis of which unambiguous identification of that natural person is possible or confirmed, such as facial images or fingerprint data.
Health data
Health data are personal data related to the physical or mental health of a natural person, including data on health services provided that supply information about their health status.
Pseudonymised personal data
Pseudonymised personal data is personal data that has been pseudonymised (this was referred to as "coding" in the previous Privacy Legislation). Pseudonymisation of personal data means that they are processed in such a way that the personal data can no longer be linked to a specific data subject without additional data being used. It is important to keep this additional data separately and to take the necessary technical and organizational measures to ensure that the personal data cannot be linked to an identified or identifiable natural person.
Pseudonymised personal data are still personal data protected by the GDPR. In this case, the criterion is not whether the pseudonymised dataset reveals who is who, but whether the data - with or without additional information sources - can be traced back to an identifiable natural person. In research, pseudonymisation is typically achieved by "obscuring" all identifiable elements (removing, replacing, generalizing, ...) and where possible separating them from the research data in a separate key file that is securely stored in a separate place. If necessary, both the key file and the research data contain a unique but arbitrary code so that the link can be made between the data subjects and the pseudonymised research data.
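The key-file approach described above, as an added example that is not part of the original tip: direct identifiers move to a separate key file, a quasi-identifier is generalised, and both sides share only an arbitrary random code. The field names, the sample records and the contrasting `derived_code` function are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample records (not real people).
PARTICIPANTS = [
    {"name": "A. Janssens", "email": "a.janssens@example.org",
     "birth_date": "1984-03-12", "heart_rate": 71},
    {"name": "B. Peeters", "email": "b.peeters@example.org",
     "birth_date": "1991-11-02", "heart_rate": 64},
]

# Assumption: these fields identify a person directly.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records):
    """Return (research_data, key_file); store the two in separate places."""
    research_data, key_file = [], {}
    for rec in records:
        # Arbitrary code: random, so it reveals nothing about the person.
        code = secrets.token_hex(8)
        while code in key_file:
            code = secrets.token_hex(8)
        # Removing: direct identifiers go only into the key file.
        key_file[code] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        # Generalising: keep the birth year, drop day and month.
        row["birth_year"] = row.pop("birth_date")[:4]
        row["code"] = code
        research_data.append(row)
    return research_data, key_file


def relink(row, key_file):
    """Re-identification needs the key file; without it there is no link."""
    return key_file.get(row["code"])


def derived_code(email):
    """Contrast: a code computed from an identifier is NOT arbitrary.
    Anyone who knows the e-mail address can recompute it without the key file."""
    return hashlib.sha256(email.lower().encode()).hexdigest()[:16]


if __name__ == "__main__":
    research, key = pseudonymise(PARTICIPANTS)
    print(research)               # what researchers work with
    print(relink(research[0], key))  # only possible with the key file
```

The research rows are still personal data under the GDPR for as long as the key file exists, or for as long as the remaining fields can be combined with other sources to single someone out.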
Anonymised personal data
With anonymised personal data, the possibilities for identification have been 'irreversibly' removed by means of a processing technique.
It is important to evaluate whether the data can be related to an identified, or identifiable, person. Data that can be traced back to the original individuals with reasonable effort are not anonymous data: after all, they are traceable to an identifiable person. They therefore remain “personal data” according to the definition of the GDPR, and this legislation therefore applies to these data.
For this reason, it is difficult to truly anonymise many types of research data (for example: qualitative data, large data sets with a wide range of personal data, etc.).
Please note that if you do anonymise personal data yourself, you must of course work with identifiable personal data at the start and during anonymisation and the GDPR remains applicable. This means that you must meet the requirements of the GDPR, starting with registering your processing activity.
Anonymous data
Anonymous data are data that do not relate to an identified or identifiable natural person, or personal data that have been made anonymous in such a way that the data subject is not or no longer identifiable (by any individual in any way).
Anonymous data are not personal data and do not fall under the scope of the GDPR.
Please note: even if you only process anonymised data, it is still important to evaluate the ethical aspects of collecting or processing that data.
Last modified April 1, 2021, 10:41 a.m.