GDPR: what are personal data?
Personal data are any information about an identified or identifiable natural person. A natural person is considered to be identifiable if he or she can be identified directly or indirectly.
- Some examples of 'normal' personal data include: name, address, e-mail address, photo, ID number, IP address, employee number, private or professional telephone number (who’s who), login data, identification cookies, account number, CV, log data (including cafeteria, parking use, web use, surfing), camera images, personnel files, wage data, professional expenses, etc.
Data concerning deceased persons or organisations are not personal data according to the General Data Protection Regulation (GDPR) and therefore fall outside the scope of the GDPR. Other laws and regulations may, however, apply to these data.
Special categories of personal data (sensitive personal data)
Special categories of personal data (sensitive personal data) are personal data that contain or comprise the following information:
- ethnic origin
- political views
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data
- data on a person's sexual behaviour or sexual orientation
If this information becomes publicly available, for example as a result of a data breach, this can have very adverse consequences for the data subjects.
Genetic data are personal data related to the inherited or acquired genetic traits of a natural person that provide unique information about the physiology or health of that natural person, and that come in particular from an analysis of a biological sample of that natural person.
Biometric data are personal data that result from specific technical processing with regard to the physical, physiological or behavioural characteristics of a natural person on the basis of which unambiguous identification of that natural person is possible or confirmed, such as facial images or fingerprint data.
Health data are personal data related to the physical or mental health of a natural person, including data on health services provided that supply information about their health status.
Pseudonymised personal data
Pseudonymised personal data (referred to as 'coded data' in previous privacy legislation) are personal data (whether sensitive or not) that can only be associated with an identified or identifiable person by means of a non-public (secret) key.
Pseudonymised personal data are still personal data protected by the GDPR.
Anonymised personal data
With anonymised personal data, the possibilities for identification have been 'irreversibly' removed by means of a processing technique.
Data that can be traced back to the original individuals with reasonable effort are not anonymous data, but remain personal data and therefore fall under the GDPR. For this reason, it is difficult to completely anonymise many types of research data (for example: qualitative data, large data sets with a wide range of personal data, etc.).
Please note that if you do anonymise personal data yourself, you must of course work with identifiable personal data at the start and during anonymisation and the GDPR remains applicable.
Anonymous data are data that do not relate to an identified or identifiable natural person, or personal data that have been made anonymous in such a way that the data subject is not or no longer identifiable (by any individual in any way).
Anonymous data are not personal data and do not fall under the scope of the GDPR.
Please note: even if you only process anonymised data, it is still important to evaluate the ethical aspects of collecting or processing that data.
Last modified March 30, 2020, 1:34 p.m.