GDPR: what are personal data?
The GDPR applies to the use of personal data. The definition of personal data in the context of this law is therefore of great importance.
Personal data are any information about an identified or identifiable natural person. A natural person is considered to be identifiable if he or she can be identified directly or indirectly. Information that at first sight doesn't appear to be traceable to a person can therefore be personal data according to the definition of the GDPR. This may be the case if the information can be traced back to the person in question, e.g. by combining the data with other or additional data.
- Some examples of 'regular' personal data include: name, address, e-mail address, photo, ID number, IP address, employee number, private or professional telephone number (who’s who), login data, identification cookies, account number, CV, log data (including cafeteria, parking use, web use, surfing), camera images, personnel files, wage data, professional expenses, etc.
- Please note: data that at first sight doesn't directly lead to (identification of) a person can still be personal data. For example, data about a person's reaction times to a task, brain activity (e.g. EEG), blood sugar level, personality, skin conductance and heart rate are also (sensitive) 'personal data' when there's also information that links this data (whether pseudonymised or not) to the natural person (see below under 'Pseudonymized data' and 'Anonymized data').
Data concerning deceased persons or organisations aren't personal data according to the GDPR and therefore fall outside the scope of the GDPR. Other laws and regulations may, however, apply to these data.
Some personal data belong to 'special categories'. These are personal data from which you can derive certain sensitive information. Processing such data therefore entails a higher risk and potentially bigger impact on the rights and freedoms of the data subject(s). Special categories of personal data (sensitive personal data) are those that may reveal the following:
- racial or ethnic origin,
- political views,
- religious or philosophical beliefs,
- membership of a trade union,
- genetic data,
- biometric data,
- health data, or
- someone's sexual behavior or sexual orientation.
Pseudonymised personal data
Pseudonymised personal data is personal data that's been processed in such a way that it can no longer be linked to a specific data subject without additional data being used (this was referred to as 'coding' in previous Privacy Legislation). It's important to store this additional data separately and to take the necessary technical and organizational measures to ensure that the personal data can't be linked to an identified or identifiable natural person.
Pseudonymised personal data are still personal data protected by the GDPR. In this case, the criterion isn't whether the pseudonymised dataset reveals who's who, but whether the data - with or without additional information sources - can be traced back to an identifiable natural person. In research, pseudonymisation is typically achieved by 'obscuring' all identifiable elements (removing, replacing, generalizing, ...) and where possible separating them from the research data in a separate key file that's securely stored in a separate place. If necessary, both the key file and the research data contain a unique but arbitrary code so that the link can be made between the data subjects and the pseudonymised research data.
Anonymised personal data
With anonymised personal data, the possibilities for identification have been 'irreversibly' removed by means of a processing technique.
It's important to evaluate whether the data can be related to an identified, or identifiable, person. Data that can't be traced back to the original individuals with reasonable effort are anonymous data. However, data that can be traced back to the original individuals with reasonable effort aren't anonymous - after all, it's traceable to an identifiable person. They therefore remain 'personal data' according tot the definition of the GDPR, so the legislation still applies.
For this reason, it's difficult to truly anonymise many types of research data (for example: qualitative data, large data sets with a wide range of personal data, etc.).
Please note that if you anonymise personal data yourself, you do of course work with identifiable personal data at the start of your research and during anonymisation - at which time the GDPR will apply. This means that you must meet the requirements of the GDPR, starting with registering your processing activity.
Anonymous data is data that doesn't relate to an identified or identifiable natural person or to personal data that's been made anonymous in such a way that the data subject is not or no longer identifiable (by any individual in any way).
Anonymous data aren't personal data and don't fall under the scope of the GDPR.
Please note: even if you only process anonymised data, it's still important to evaluate the ethical aspects of collecting or processing those data.
Last modified Oct. 21, 2022, 11:02 a.m.