Personal data are any data relating to identifiable natural person
Consider all means reasonably likely to be used for identification
(e.g. speed camera is likely to identify car owner by license plates)
Perspective matters: data are identifiable to those who have access
Once a person is identifiable, all other data relating to him or her becomes personal data
If you want to protect personal data, you definitely need to understand, what personal data are. And this is not always obvious, even to lawyers. That is why under GDPR, personal data means any information relating to natural person you can identify. So personal data can be virtually anything that can be said, shown, listened to or examined about you or any other natural person.
To trigger GDPR applicability, such information should be identifiable, meaning that within a given context, it is possible to attribute them to a specific person. For instance, if you see a name ‘Joe Bloggs’, you do not know who exactly are we talking about.
To assess if information is identifiable, take into account all the means reasonably likely to be used to identify the natural person. Consider costs and amount of time for such identification, as well as available technology. For instance, unless there was an accident, it is not reasonably likely that you identify drivers around you by their license plates.
Once you are able to identify a specific person, all data that relates to him or her should be treated as personal data. Data protection law does not apply to purely personal or household activity, but this part of life is protected by other privacy law norms. In all other cases, always double-check or even ask expert before concluding that GDPR or other data protection laws are not applicable.
Table of contents:
Self-implement GDPR in 16 steps: