Ugrás a fő tartalomra
Az Európai Bizottság logója
Európai Bizottság

Definitions of “personal data” and “processing”

What is personal data and processing?

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the General Data Protection Regulation (GDPR).

Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

The GDPR protects personal data regardless of the technology used for processing that data – it is technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). 

It also does not matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

Examples of personal data

  • a name and surname;
  • a home address;
  • an email address such as name [dot] surnameatcompany [dot] com (name[dot]surname[at]company[dot]com);
  • an identification card number;
  • location data (for example the location data function on a mobile phone)*;
  • an Internet Protocol (IP) address;
  • a cookie ID*;
  • the advertising identifier of your phone;
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

*Note that in some cases, there is a specific sectoral legislation regulating for instance the use of location data or the use of cookies – the ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002(OJ L 201, 31.7.2002, p. 37)  and Regulation (EC) No 2006/2004) of the European Parliament and of the Council of 27 October 2004 (OJ L 364, 9.12.2004, p. 1)

Examples of data not considered personal data

  • a company registration number;
  • an email address such as infoatcompany [dot] com (info[at]company[dot]com);
  • anonymised data.

References

What constitutes data processing?

Processing covers a wide range of operations performed on personal data, including by manual or automated means. 

It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

The GDPR applies to the processing of personal data wholly or partly by automated means as well as to non-automated processing, if it is part of a structured filing system.

Examples of processing include:

  • staff management and payroll administration;
  • access to/consultation of a contacts database containing personal data;
  • sending promotional emails*;
  • shredding documents containing personal data;
  • posting/putting a photo of a person on a website;
  • storing IP addresses or MAC addresses;   
  • video recording (CCTV).

*Please remember that to send direct marketing emails, you also have to comply with the marketing rules set out in the ePrivacy Directive.

References

Businesses and organisations subject to data protection rules

Who does the data protection law apply to?

The GDPR applies to:

  1. a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  2. a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.

If your company is a small and medium-sized enterprise ('SME') that processes personal data as described above you have to comply with the GDPR. 

However, if processing personal data is not a core part of your business and your activity does not create risks for individuals, then some obligations of the GDPR will not apply to you (for example the appointment of a Data Protection Officer ('DPO')). 

Note that ‘core activities’ should include activities where the processing of data forms is an inextricable part of the controller’s or processor’s activities.

Examples

When the regulation applies

Your company is a small, tertiary education company operating online with an establishment based outside the EU. It targets mainly Spanish and Portuguese language universities in the EU. 

It offers free advice on a number of university courses and students require a username and a password to access your online material. Your company provides the said username and password once the students fill out an enrolment form.

When the regulation does not apply

Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. 

Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR. 

What does the General Data Protection Regulation (GDPR) govern?

The GDPR regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.

It doesn’t apply to the processing of personal data of deceased persons or of legal persons.

The rules don’t apply to data processed by an individual for purely personal reasons or for activities carried out in one's home, provided there is no connection to a professional or commercial activity. 

When an individual uses personal data outside the personal sphere, for socio-cultural or financial activities, for example, then the data protection law has to be respected.

Examples

When the regulation applies

A company with an establishment in the EU provides travel services to customers based in the Baltic countries and in that context processes personal data of natural persons.

When the regulation doesn’t apply

An individual uses their own private address book to invite friends via email to a party that they are organising (household exception).

References

Specific rules for SMEs 

Do the rules apply to SMEs?

Yes, the application of the data protection regulation depends not on the size of your company/organisation but on the nature of your activities. 

Activities that present high risks for the individuals’ rights and freedoms, whether they are carried out by an SME or by a large corporation, trigger the application of more stringent rules. However, some of the obligations of the GDPR may not apply to all SMEs.

For instance, companies with fewer than 250 employees do not need to keep records of their processing activities unless processing of personal data is a regular activity, poses a threat to individuals’ rights and freedoms, or concerns sensitive data or criminal records.

Similarly, SMEs will only have to appoint a Data Protection Officer if processing is their main business and it poses specific threats to the individuals’ rights and freedoms (such as monitoring of individuals or processing of sensitive data or criminal records) in particular because it’s done on a large scale.

Are the obligations the same regardless of the amount of data my company/organisation handles?

The GDPR is based on the risk-based approach. In other words, companies/organisations processing personal data are encouraged to implement protective measures corresponding to the level of risk of their data processing activities

Therefore, the obligations on a company processing a lot of data are more onerous than on a company processing a small amount of data.

For example, the probability of hiring a data protection officer for a company/organisation processing a lot of data is higher than for a company/organisation processing a small amount of data (in that case this links to the notion of processing of personal data on a ‘large scale’). 

At the same time, the nature of the personal data and the impact of the envisaged processing also play a role. Processing of a small amount of data, but which is of a sensitive nature, for example health data, would require implementing more stringent measures to comply with the GDPR.

In all cases, the principles of data protection must be respected and individuals allowed to exercise their rights.

Reference

Data about legal persons

Do the data protection rules apply to data about a company?

No, the rules only apply to personal data about individuals, they don’t govern data about companies or any other legal entities. 

However, information in relation to one-person companies may constitute personal data where it allows the identification of a natural person. 

The rules also apply to all personal data relating to natural persons in the course of a professional activity, such as the employees of a company/organisation, business email addresses like ‘forename [dot] surnameatcompany [dot] eu (forename[dot]surname[at]company[dot]eu)’ or employees’ business telephone numbers.

References