Module 2: Personal Data Flashcards
What is personal data?
Article 4(1) of the GDPR defines it as: ‘Any information relating to an identified or identifiable natural person’
Four criteria:
- ‘Any information’: could be anything from a person’s name to their location
- ‘Relating to’ refers to the information’s purpose and impact on someone’s privacy rights
- ‘Identified’ means that an individual person has been named or singled out—for example, by specific characteristics
‘Identifiable’ refers to indirect identification, taking into account all the ‘means reasonably likely to be used’ to identify the person
- A ‘natural person’ is a real human being, as distinguished from a corporation. This person is referred to as the data subject
What are personal data elements?
Pieces of data that happen to be personal information
e. g. general personal data: gender, age, date of birth, marital status, citizenship, languages spoken, veteran status
e. g. organisational personal data: physical addresses, phone numbers, email addresses, internal identification numbers, government-issued identification numbers
Anonymous and pseudonymous definitions
Anonymous data: not related to an identified or an identifiable natural person. It has been rendered unidentifiable and, as such, is NOT protected by the GDPR
Pseudonymous data: not fully anonymous, has undergone a process that has detached the aspects of the data attributed to a specific individual, similar to creating an alias for a person’s name. Yet the personal data is still retrievable. Pseudonymising data is typically a security measure that makes the use of the data less risky. -> still subject to EU data protection laws
Special categories of personal data
Sensitive because its processing has a more profound impact on individual’s privacy rights.
Has a higher standard of protection.
Article 9(1): Personal Data Revealing - Racial or Ethnic origin - Political Opinions - Religious or philosophical beliefs - Trade union membership For the purpose of uniquely identifying a natural person - Genetic Data - Biometric Data Data Concerning - Health - Sex life - Sexual Orientation
Processing shall be prohibited.
GDPR also highlights personal data related to criminal convictions and offences
Article 10
processing shall only be carried out under ‘control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects’.
In addition, ‘Any comprehensive register of criminal convictions shall be kept only under the control of official authority’.
Aggregation
Aggregation of data elements can make personal data richer and harder to de-identify.
For example cookies combined with unique identifiers and other information can be used to create profiles of the natural persons and identify them.
With more data elements comes more potential risk associated with protecting the data or using it responsibly.
