Personal data and GDPR

GDPR in everyday business – personal data according to GDPR explained simply 

Personal data in connection with GDPR 

Personal data refers to information that relates to an identified or identifiable individual. The term originates from ubiquitous data protection laws. However, the specific data protection laws might vary in German-speaking countries.

This article addresses the following frequently asked questions:

• When must personal data be deleted?
• What does not fall under personal data?
• Further examples of non-personal data?

Personal data plays an increasingly important role in our work environment. In every company, government institution and social media, data is collected, gathered and processed. Much of this information contains personal data, which has been subject to enhanced security since the General Data Protection Regulation (GDPR) came into effect in May 2018. Non-compliance with the regulation can lead to severe penalties, sanctions, and irreparable damage to a company's reputation. Therefore, it is crucial for businesses to be well-informed about proper handling of personal data, in order to avoid fines, sanctions, and reputational harm.

Understanding personal data: Definition and examples

Personal data, as defined by Article 4 No. 1 of the GDPR, refers to information about an identified or identifiable natural person. This encompasses any living individual who can be directly or indirectly identified through the collected data. It is important to note that the actual identification of the person is not necessary, as long as there is a possibility of identification.

Any information that can provide insight into the physical, physiological, genetic, psychological, economic, cultural or social identity falls under the term personal data. Examples include telephone numbers, IP addresses or the appearance of a person. Theoretically, processed working hours can also fall under personal data.

Collecting personal data in a GDPR-compliant manner - Examples of the collection of personal data

• Banking data
• Demographic data
• Identification numbers
• Data collected online
• Testimonials
• Health information
• Political views
• Religious data
• Sexual orientation

What regulatory measures are there for handling personal data in companies?

Most companies are directly or indirectly involved in processing data and information. This data processing basically falls under the general principles of data protection. It is obligatory to take these established principles into account and to demonstrate compliance with them.

The following principles (Article 5 (1) of the GDPR) must be observed:

Lawfulness of data processing

Data processing is only permitted if there is a legal basis or the consent of the data subject. 

Processing of information in good faith

As a matter of principle, personal data may only be processed in the same way as it was provided in a survey. Only a trustworthy person may carry out the processing.

Transparency of data processing

If one is affected by the processing of one's own data, one always has the right to informal self-determination. At any time, one can question who is processing the data and for what purpose the processing serves. 

Purpose limitation

In principle, there must be a comprehensible purpose for processing personal data. This must pursue a defined, clear and legitimate reason and must be comprehensibly meaningful.

The minimization of data

The collection of personal data must be reduced to a necessary level for the fulfillment of the purpose. In principle, as little personal data as possible should be collected. This principle minimizes data flows.

Accuracy of data processing

As a matter of principle, data must be recorded in a factually correct manner and should always be kept up to date. Data subjects can request data correction at any time.

Limitation of storage

The personal data collected may only be stored for a period of time that is necessary for the intended purpose. If archiving of the data is no longer necessary, the personal information must be deleted. An exception to this is when legal retention periods apply.

Integrity and confidentiality

Personal data must be treated with a high and appropriate level of security. This should protect against unlawful processing and prevent loss, destruction or unlawful access. This protection is ensured by technical and organizational measures (TOM), which are specified in Article 32 of the GDPR.

What types of personal data are there? 

The protection of personal data is the focus of the GDPR. A distinction is made here between different types of personal data. This means that the need for protection varies within the different categories.

Personal data - data requiring special protection

This category includes survey data that provide information on ethnic origin. Similarly, political opinions, religious or secular beliefs, trade union membership, sexual orientation, and genetic or biometric data are considered particularly sensitive and thus require special protection.

The GDPR excludes the personal processing of data from these categories. In special cases, processing may be permitted, although this is usually accompanied by the written consent of the data subject.

How is consent to data processing regulated in these categories?

Consent must be given explicitly and must refer to the above categories. The data subject must be explicitly informed about the processing of sensitive data. Consent must always be given voluntarily. If this consent is to be given in an employment relationship, no negative consequences may arise. The employee must be informed about the purpose of the processing and his or her right of revocation.

Additional requirements for these special categories

Special categories of personal data require additional safeguards and considerations. Processing such data necessitates obtaining explicit consent from the data subject. The company must ensure the implementation of appropriate technical and organizational measures and carefully review the language used in the consent declarations. It is important to note that, as a general principle, collection of personal data from special categories should be limited and treated as an exceptional circumstance, in accordance with Article 9(2) of the GDPR. It is crucial for every company to recognize the importance of treating the processing of personal data from special categories as an exceptional practice.

Why is personal data considered worthy of protection?

To ensure proper compliance with data protection regulations, careful attention must be paid to numerous details. If/when the data collected has the potential to reveal information about an individual's lifestyle or enable their identification, it is considered highly sensitive and deserving of special protection.

For companies, personal data often equates to a monetary advantage. Data can support marketing departments and serve the Sales department as a basis for day-to-day business. The legislator sets particularly strict standards here and supports the protection of the personal rights of the persons concerned (e.g., in the case of use in one's own image).

Regulations on the disclosure of personal data

The transfer of personal data is a particular focus of data protection regulations. This common form of processing poses many difficulties for companies in terms of data protection law.

If personal data is passed on, the applicable rights of the data subjects are automatically interfered with. If data is to be disclosed, companies and also private individuals must ask themselves whether the disclosure is also in compliance with data protection pursuant to Article 6 of the GDPR. There can be serious legal consequences for any error that occurs due to carelessness or even negligence. First and foremost, of course, are the consequences and implications for the data subject. Companies must reckon with fines, but there is also the threat of damage to their image if the negligent handling of personal data is made public. In this case, economic damage would also be expected. Data protection violations that are publicized in the press and media can result in more significant economic damage than the fines themselves. Therefore, it is crucial for companies to thoroughly address this issue and consider involving data protection professionals.

The disclosure of personal data is a key concern for regulatory authorities and subject to strict control. The GDPR has established significant fines for data protection breaches, prompting companies to closely examine their handling of personal data. It's important for companies to recognize that data breaches can lead to consequences beyond GDPR violations, as other breaches may also be penalized. These breaches often infringe upon the personal rights of individuals, potentially resulting in substantial damage claims.