What are "personal data" and when are they "processed"?

  • Personal data basically means any information about a living person, where that person either is identified or could be identified. Personal data can cover various types of information, such as name, date of birth, email address, phone number, address, physical characteristics, or location data – once it is clear to whom that information relates, or it is reasonably possible to find out.
  • Personal data doesn’t have to be in written form, it can also be information about what a data subject looks or sounds like, for example photos or audio or video recordings, but data protection law only applies where that information is processed by ‘automated means’ (such as electronically) or as part of some other sort of filing system.
  • Personal data can be information where the data subject is identified – “John’s favourite colour is blue” – or where they are ‘identifiable’ – “John’s sister’s favourite colour is blue” (where you don’t know his sister’s identity, but could find out using context and/or additional information).
  • Even where personal information is partially anonymised, or ‘pseudonymised’, but this could be reversed and the data subject could possibly be identified using additional information, it should still be considered personal data. However, if information is truly anonymised, irreversibly, and could not be traced back to an identified person, it is not considered personal data.
  • To determine whether a person is ‘identifiable’, particularly where the information about that person is pseudonymised, all the methods and information reasonably likely to be used by the controller or other person to identify someone, either directly or indirectly, have to be considered.
  • Certain types of sensitive personal data, called ‘special categories’, are subject to additional protection under the GDPR, and their processing is generally prohibited, except for where specific requirements are met (such as having explicit consent), as set out in detail in Article 9 GDPR. The special categories are: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data processed to uniquely identify a person; data concerning health; and data concerning a person’s sex life or sexual orientation.
  • Data protection law governs situations where personal data are ‘processed’. Processing basically means using personal data in any way, including; collecting, storing, retrieving, consulting, disclosing or sharing with someone else, erasing, or destroying personal data. Although, data protection law does not apply where this is done for purely personal or household activities.