What is Personal Data? Simple Examples From Everyday Life
To make data protection more comprehensible in everyday life, we have put together a few practical examples of personal data.
Check your knowledge: Is your hair color, your height, your favorite band or your opinion on Donald Trump personal data? After carefully reading our article and checking our infographic, you should easily be able to answer this.
Companies, institutions and business people in particular benefit from a clear understanding of personal data. They have to protect it to safeguard the privacy of their customers and partners and to avoid the drastic fines that come with the EU's GDPR. But customers and users should also know which of their data is especially sensitive.
Knowing what counts as personal data is the foundation for protecting this data and enforcing strict privacy.
Personal Data – Definition as per GDPR
There is no simple answer to what personal data is, mainly because states define it individually and because legal texts sometimes cause more confusion than clarity.
German data protection is governed by the Federal Data Protection Act (BDSG) but is also heavily influenced by EU regulations. Since the GDPR came into effect in May 2018, the new Federal Data Protection Act (BDSG-neu) is in force in Germany. The GDPR is superordinate to the BDSG-neu. Therefore, we mainly consider the GDPR in this article.
The General Data Protection Regulation (GDPR) of the EU defines personal data like this:
‘personal data’ involves any information relating to an identified or identifiable natural person (‘data subject’);
Personal data is everything that relates to an identifiable, natural person. The next sentence of the definition clarifies what makes a person identifiable:
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (GDPR, article 4)
The definition lists different aspects of a person's identity. It is a good thing that not only physical factors but also your cultural and social identity are considered. Your hair color, your medical history and your height are just as much nobody's business as your political opinion and your religion.
The General Data Protection Regulation has replaced the 1995 directive and thus revised European data protection. However, not much has changed in the definition of personal data. The characteristic 'genetic' was added, the term 'determinable' was replaced by 'identifiable' and 'specific elements' by 'particular features'. The inclusion of genetic characteristics in the new regulation reflects the progress of biotechnology and medicine, as the processing of data on genetic characteristics is more relevant today than it was 20 years ago.
All data that is related to any of those aspects of your identity, as described in the GDPR definition, counts as personal data and needs special protection if you are identifiable by it.
Why must personal data be protected in particular?
The protection of personal data falls under the right of informational self-determination. Everyone has the right to know how their data is handled. If this data is not adequately protected, a lot of damage can be done.
With the help of the right of informational self-determination, everyone should be able to decide for themselves which personal data they wish to disclose and who may use it.
(Source: Federal Agency for Civic Education)
It is especially important to protect data when its disclosure may lead to discrimination and disadvantage.
Personal Data and Examples
To provide a better overview, we have grouped examples of personal data - from the GDPR, official documents and court rulings - into five categories. Of course, there are overlaps; some examples fall into the private as well as the professional sphere, for example. But the general categorization still makes it easier to assess which data falls under personal data. You can find the detailed infographic with examples and categories at the end of the article.
How Businesses Can Protect Personal Data
Companies have to take extra security measures to protect personal data. There are several ways to protect data, for example tokenization, pseudonymization, anonymization and encryption. With encryption, personal data becomes unrecognizable, and therefore the affected person unidentifiable. Some even say that encrypted personal data does not fall under personal data anymore.
For instance, personal data should not be stored in the cloud for security reasons, especially when the cloud storage uses servers abroad that are subject to other (less strict) data protection laws.
However, if data is encrypted according to the state of the art, with no possibility of a third party gaining access, storing it in the cloud is acceptable even under the European GDPR.
Conclusion: Businesses have to be careful when handling the personal data of their employees, customers or users if they want to avoid fines. State-of-the-art end-to-end encryption allows you to store data wherever you want.