Which data are personal data? This is subject to interpretation. From May 25 2018 onwards the GDPR will take effect. This new regulation forces some organisations to take a critical look at the data they have been processing. Especially personal data. This not only applies to personal data you process from May 25 2018 onwards, but also to all data that has been processed up to that date.
Personal data are data that concern an identifiable, private individual. Information that is directly about someone or that could be traced to someone. This means that everything that leads to one private individual is classified as personal data. The fact that it has to concern a private individual means that data about deceased persons or organisations are not personal data.
There are many kinds of personal data. The most obvious are a name and address. These can be traced to an identifiable private individual.
Yet, what counts as personal data to one, does not have to be personal data for someone else. Examples are number plates or IP addresses. For you this may not be traceable to a private individual; for the RDW (Dutch Vehicle Registration Authority) or the police, it is.
Special data such as race, religion or medical data are also called sensitive personal data. These data are more carefully protected by law. This means for example that your medical data are better protected; when you are to be operated upon, not everyone is allowed to access or change your file. Only experts are allowed to change these data.
A social security number is also classified as sensitive data, because this can be traced to a private individual. It is a unique number, states the Data Protection Authority.
Processing personal data means: any operation or set of operations performed on personal data by an organisation, from collecting up to destruction. This includes things such as storing, consulting or changing data, as well as using, transferring or combining them.
Do you have any questions about personal data? Or about the GDPR in general? Please contact us.
Source: Autoriteit Persoonsgegevens (Dutch Data Protection Autority)
Starting May 25 2018 any business in the European Economic Area (EEA) that processes personal data has to comply with the GDPR. This regulation replaces existing national legislation. The GDPR states requirements that have to be met when processing personal data. With the new regulation, the EU wants to return to her citizens the control of their personal data. There are strict conditions and the GDPR is obligatory. Violations will be heavily penalised, with the risk of high fines of up to €20,000,000 or 4% of your annual turnover! Plenty of reasons to take this seriously.