What are personal data?
Before you start processing personal data in your company, you should begin by answering one very important question: what are personal data? This is the starting point. If the data you acquire constitute personal data, you are obliged to follow all the rules laid down in GDPR[1], and you will be liable for any negligence.
Definition of “personal data”
According to the definition in article 4 p. 1) of the GDPR, “personal data” means “any information relating to an identified or identifiable natural person”. To make it easier to understand, the definition may be divided into the following components:
- All and any information;
- Natural person;
- Identified or identifiable natural person;
each of which is discussed separately below.
This term is so broad that it comprises virtually everything, irrespective of the form or source of the information. Everything that concerns an identified or identifiable natural person constitutes their personal data. It does not matter that such data may be communicated, for instance, in a language you do not know; such information would still constitute personal data, provided, of course, that the other elements of the above definition are satisfied.
A natural person means every human being, from birth to death. In other words, simply everyone. Although the matter appears utterly clear-cut, there are some questions that require discussion in more detail. They concern:
- humans conceived but still not born, and
- humans deceased.
When it comes to humans still unborn, it is hardly conceivable that such a baby’s data would be recorded anywhere. Admittedly, information concerning the course of a pregnancy is usually recorded (for instance, upon the expecting mother’s visit to the doctor); however, in my opinion, such information should be classified as the personal data of the expecting mother (and, in addition, as sensitive data, since it concerns the mother’s health).
In the case of the deceased, the matter is even simpler. Recital (27) of the GDPR preamble states directly that the regulation does not apply to the personal data of deceased persons, with the reservation that each Member State may adopt regulations on the processing of deceased persons’ data. In Poland no such provisions have been adopted, and therefore information relating to the deceased has to be considered not to constitute personal data.
In the context of natural persons it is worth mentioning the data of persons running a business activity. Until a few years ago, under article 39b of the then-applicable Act on Freedom of Economic Activity, personal data contained in the Central Register and Information on Economic Activity (CEIDG) were explicitly excluded from the provisions of the Act on Personal Data Protection in force before GDPR. That meant that the personal data of entrepreneurs who are natural persons were not subject to protection. That state of affairs changed as of 28 April 2012, when the Act on Freedom of Economic Activity was revoked. Currently there is no such provision in Polish law, so even personal data disclosed in CEIDG are subject to the processing rules set out in GDPR.
The situation is similar in the case of personal data disclosed in the National Court Register (KRS), for example those of companies’ board members (KRS publishes first and middle names, surnames and PESEL numbers). The fact that such data are publicly available changes nothing: any processing must be conducted according to the rules introduced by GDPR.
Legal persons and other entities
Natural persons are not the only business entities which entrepreneurs deal with in connection with their activity. That is why it is worth remembering that personal data concern natural persons only. Data (e.g. a name, unless it contains a natural person’s surname, or an address) concerning legal persons (i.a. corporations, foundations, registered associations), so-called unincorporated legal entities (i.e. partnerships), or any other entities do not constitute personal data and, as a consequence, are not covered by the protection measures provided for in GDPR.
Identified or identifiable natural person
The range of information concerning a natural person may be extensive. Not all of it, however, constitutes personal data. It is therefore crucial to establish whether a given piece of information concerns an identified or identifiable natural person.
Although GDPR provides a definition of an “identifiable person” (the remaining part of article 6 p. 1): “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”), it is very difficult to draw the border between an “identified” and an “identifiable” natural person. For that reason, both concepts are best considered jointly. The conclusion is that personal data encompass all and any information which, even indirectly (by way of juxtaposition with other data), may be attributed to a specific natural person.
Nevertheless, it is advisable to remember that every single case should be assessed individually. All information (including the context) at the disposal of the data controller should be taken into consideration. A mere juxtaposition of a natural person’s name and domicile does not usually constitute personal data. However, it is not always so. It may happen that the name and domicile, combined with a particular unique physical feature of the person known to the individual processing the data, enable that person’s identification. In that case, personal data are being dealt with.
Better too much than too little protection
The definition of personal data in GDPR is remarkably broad. Its wording makes personal data comprise most information on natural persons collected and stored by entities selling goods or rendering services. If your company has business contacts, clients or partners (surely it does), you almost certainly process their personal data.
Given the ambiguities discussed above and the necessity to treat every single case individually, I recommend adopting a very careful approach when assessing whether a particular item of information constitutes personal data. Following the principle that it is better to do too much than too little, it proves safer to treat dubious information as personal data. There are no penalties for applying the rules stipulated in GDPR to information that is not personal data. In the opposite case, one may be exposed to actions undertaken by the President of the Personal Data Protection Office.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)