Personal Data: definition
Every person, from birth to death, generates personal data, i.e. information that relates to that person and allows them to be identified. This is the basic element of privacy.
With the entry into force of the General Data Protection Regulation on 25 May 2018, the definition used is: “any information relating to an identified or identifiable natural person”.
Personal data is at the core of the GDPR. Use of this data has a profound impact on the private lives of every single person. The GDPR was created specifically with the protection of our personal data in mind.
A closer look
Personal data consists of “any information”, as soon as it is materialized, regardless of its media, origin, or channel of transmission – physical or digital.
Whenever we buy goods, subscribe to a service, communicate by e-mail or on a forum, use a mobile app or the digital tools of the company we work for, or carry out administrative formalities, we generate personal data.
To qualify as personal data, the information in question must concern a natural person – as opposed to a legal person (corporation, administration, etc.).
There are two categories of personal data:
- those which allow a natural person to be identified directly (last name, first name)
- those which allow a natural person to be identified indirectly (telephone number, vehicle license plate, social security number, postal or email address, voice, images, etc.)
The term “personal data” therefore covers a wide range of information, from a CRM database to a website cookie.
Sensitive data: definition
Sensitive personal data is a specific set of “special categories”. This includes information pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data related to a person’s sex life or sexual orientation.
In principle, processing sensitive data is prohibited except in the following cases:
- the data subject has given their explicit consent to the processing of this data
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
- processing is necessary to protect the vital interests of the data subject or of another natural person
- processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
- processing relates to personal data which are manifestly made public by the data subject
- processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity
- processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law
- processing is necessary for the purposes of preventive or occupational medicine
- processing is necessary for reasons of public interest in the area of public health
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Personal data processing
“Processing” is the generic term used in the GDPR to refer to any operation performed on personal data.
The definition of processing given by the GDPR is very broad. It consists of the following operations performed on personal data:
- modification / rectification
- communication by transmission
- dissemination or any other form of provision
- matching and linking
- erasure and destruction
Given this broad definition, the scope of application of the GDPR is also very broad. Basically, any operation on personal data falls within the scope of processing. It must therefore be listed by the data controller, who is supervised by the Data Protection Officer. A subcontractor (or service provider) can perform data processing on behalf of an organization. In this case, processing operations must be carefully designed and integrate all the actors in the GDPR compliance process.
From the moment an organization processes data, it must guarantee certain rights to the persons whose data is being processed. These rights can be exercised at the person’s request.
When defining personal data, the issue of data collection is crucial.
The collection of personal data is the action of gathering personal information on one or more persons by whatever means (via form, note-taking during a physical meeting, database retrieval, etc.) and for whatever purpose (marketing, HR, sales, etc.).
Data collection is the first step of data processing (whether for business reasons or HR management).
Collecting data impacts data security and the protection of personal privacy. That’s why all these practices are strictly regulated by the GDPR. The latter has come to provide a regulatory framework designed to restrict abusive collection of personal data, and to ensure its protection.
This is where the principle of legal basis comes into play (mainly with regard to consent, which plays a central role in the protection of individual rights and freedoms).
The minimization process
The GDPR enshrines the principle of minimization with regard to the collection of personal data. This principle provides that “the personal data collected must be adequate, relevant and limited to what is necessary for the purposes for which it is processed”.
In other words, organizations may only collect personal data for specific purposes and proportionate to these purposes. They are therefore required to indicate the type of data collected and the reasons why such collection is necessary.
This ensures full transparency between the data controller, the originator of the collection, and the data subject, and provides better data protection guarantees.
The GDPR states that recording, storing or consulting personal data is part of processing. This means that the GDPR may apply to any operation, even those that are seemingly passive, such as visiting a website.
In any discussion of personal data processing, the idea of data retention is essential.
To ensure full protection of personal data and guarantee that it remains up to date, data should only be kept for a limited and reasonable period of time.
All the legal texts agree on limiting the retention time of personal data, and that such retention must be proportionate to the purpose of the processing.
Some legal texts set a retention period. If no such period is indicated, the data controller is required to determine a period of time that is proportionate to the objective and purpose of the processing. Beyond this period, the controller must delete or anonymize the personal data.
Examples of retention periods:
- for data relating to payroll management, the maximum retention period is 5 years
- a prospect’s personal data must be deleted if they have not responded to any solicitation for 3 years or more
GDPR: The fundamental rights granted to individuals
The right to protection of personal data is a fundamental right guaranteed by the European Union within the GDPR framework.
Each individual can exercise their right:
- to transparency on what is and will be done with their data
- to rectify incorrect data and delete certain data
- to object to processing, particularly in the case of profiling
- to have their data returned to them
By guaranteeing these rights, organizations pave their way toward GDPR compliance. Every action taken must be in line with these rights. They must set up processes that protect these rights and ensure that individuals retain control over their privacy.
Naturally, these processes are established over time and according to certain rules. And in some cases there are limitations on the rights of individuals.
For example, a person cannot demand the deletion of their data if it is held lawfully or is required for the performance of a contract they have signed.
So in practice there are the fundamental rules, but also a myriad of cases and ways these rules are applied. Therefore, the rules and conditions must be described in procedures applicable to each organization.
To comply with your obligations and secure your practices, we advise you to:
- centralize your process for managing data subject requests
- collect requests on a daily basis
- have the departments concerned by the request work collaboratively
- have the tools to determine whether to respond to a given request, what to respond to, and how to respond.
The Data Legal Drive GDPR solution, which was developed to answer practical customer issues, will allow you to implement these best practices smoothly and efficiently.
Rights related to personal data
Right to be informed
Any person whose data is processed has a right to be informed.
The right to be informed is the right to demand that the entity processing your data be transparent with regard to both the processing carried out and your rights relating to your data.
The information that must be provided must answer the following questions:
- Why: why is my data being processed?
- How: what do you do with my data, and for how long?
- To whom: to whom do you communicate my data?
- What can I do about it: what are my rights regarding your processing and how can I object to it?
The GDPR does not state specifically how the information resulting from the right to be informed should be communicated, but it does require that it be communicated at the precise moment the data is collected, and that it be easily accessible, understandable and formulated in clear terms. Information that is buried in small print within general terms & conditions or is couched in legalese does not comply with the requirement for clear and instructive information.
The watchword here is clarity. All users, regardless of their legal awareness, must be able to make decisions with full knowledge of the facts.
They must have all the keys allowing them to exercise control over their personal data.
To observe this fundamental right, the data subject must be aware of:
- the purpose of the data collection and whether it is mandatory or optional
- the identity of the controller
- the recipients of the data
- any data transfers outside the European Union
- the rights that they can exercise to retain control over their data
The more sensitive or extensive the data processing, the more the information provided for exercising the right to be informed must be clear and comprehensive.
However, for a company such as Google, the information must be comprehensive, precise and clear, and allow navigating via links and pop-up menus. Users must be able to control the confidentiality settings for their personal information vis-à-vis Google and third parties in several different ways.
What information should be communicated to data subjects?
- Information collected directly from the data subject
Article 13 paragraph 1 provides that the data controller must provide the following information:
- The identity and contact details of the controller and, where applicable, of the controller’s representative
- The contact details of the data protection officer (DPO), where applicable
- The purposes of the processing for which the personal data is intended as well as the legal basis for the processing
- The external recipients of this data (service providers, suppliers, partners, etc.)
- The legitimate interests pursued by the controller, if the processing has this basis.
Furthermore, in order to guarantee fair and transparent processing of personal data, paragraph 2 of said article requires that the controller provide additional information, namely:
- The length of time the personal data will be kept or, if this information is not available, the criteria used to determine the length of time.
- The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.
- For consent-based processing, existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the processing carried out prior to withdrawal of consent.
- The right to lodge a complaint with a supervisory authority.
- Information on whether the requirement to provide personal data is statutory or contractual or whether it is a condition for the conclusion of a contract, and whether the data subject is required to provide the personal data, as well as information on the possible consequences of not providing such data.
- The existence of automated decision-making, including profiling – which has legal effects on the data subject and which may process special categories of data – or at least useful information about the underlying logic, as well as the significance and the intended consequences of such processing for the data subject.
- Information collected indirectly
Article 14 contains the same list as Article 13, but also includes a subtler point. Indeed, in the case of indirect collection of personal data, the controller must provide the categories of personal data concerned by the processing.
Furthermore, when providing additional information, the controller must provide “the source from which the personal data originates, and if applicable, a statement as to whether or not it came from publicly available sources” (Article 14(2)).
When must this information be provided?
If the data was collected directly from the data subject, the information must be provided at the time the data was obtained.
If, on the other hand, the data was collected indirectly, the controller must provide the data subject with the information:
- Within a reasonable period of time not exceeding 1 month, taking into account the specific circumstances in which the data is processed
- If the controller uses a data subject’s data for the purpose of communicating with them, the information must be provided at the time of the first communication.
Right of access
What is right of access?
Described in Article 15 of the General Data Protection Regulation, the GDPR right of access is the counterpart of the right to be informed.
By exercising the right of access under the GDPR, an individual requests information from the entity processing their data that is more or less the same as the information that must be provided at the time of data collection. However, whereas the right to be informed gives an individual the initial information all at once, the right of access allows an individual to control what is actually being done with their personal data, in real time, at any given moment.
The right of access is a data subject’s best way to verify that their personal data is not being used beyond what could reasonably be expected. If its use is no longer appropriate, or if an individual feels that the entity has not provided them with all the information required, they may exercise other rights such as the right to erasure, or even file a complaint with the supervisory authority.
Indeed, the power of the right of access is that it is unconditional, as long as the request is not obviously abusive (for example, is not the umpteenth request concerning the same data within a short period of time).
The entity is obliged to comply with the request and to deliver the information within a period of one month, which may be extended to two months in case of legitimate circumstances to be justified by the entity.
Let’s take the typical example of a real estate agency that conducts processing for contractual purposes on the one hand, and marketing on the other.
An owner has hired the real estate agency to manage their property rental. At the end of the lease, the owner terminates the rental management contract with the agency. However, the owner continues to receive commercial offers from the agency by email. Noticing that the offers clearly target their situation, and in order to know what information the agency holds, they exercise their right of access.
In response, the agency sends them all the data it possesses on them. The owner receives confirmation that their personal data should not have been processed for marketing purposes, in particular data relating to their financial and family situation. The owner then decides to withdraw their consent to the processing of their data and to exercise their right to erasure of their data, arguing that the contract had been terminated.
The agency proceeds with the deletion but informs the owner that the data strictly related to the rental management contract will be archived for a certain period of time corresponding to the contractual limitation period. It confirms that all other data has been deleted and that the owner will no longer receive commercial offers.
More specifically, a person exercising their right of access may request the following information:
- the purposes of the processing
- the categories of data concerned
- the recipients or categories of recipients to whom the data has been or will be disclosed, in particular recipients who are established in third countries or international organizations
- where possible, the period for which the data will be kept or, where this is not possible, the criteria used to determine this period
- the existence of the right to request from the controller the rectification or erasure of data, a restriction on the processing of data relating to the data subject, or the right to object to such processing
- the right to lodge a complaint with a supervisory authority
- if the data was not collected from the data subject, any available information about their source
- the existence of automated decision-making, such as profiling. In such cases, data subjects are also entitled to request any relevant information concerning the underlying logic, significance and intended consequences of the processing for them.
The subject may request a copy of their data being processed. In this case, the data controller may charge a reasonable fee, based on the complexity and amount of data, and the administrative costs incurred.
Right to rectification
Use my personal information, okay, but only if the information is accurate!
Misleading or erroneous personal information used by an organization can lead to negative consequences, especially when it comes to the communication or storage of this data. In some cases, the person will want to have it corrected or completed. This is where the right to rectification comes into play.
The principle from which this right derives is the principle of fairness: if a third party processes my data, I have the right to demand that this personal data be “accurate, complete and, if necessary, kept up to date” in view of the purposes of the processing.
As with the right of access, this right is not subject to any conditions other than proof that the information is inaccurate. Moreover, the request must not be obviously abusive.
This right can also be exercised in the event of “digital death”: the personal data of a deceased person can be modified or completed by their beneficiaries, who make a request to the controller.
If the data has several recipients, the controller is required to transmit the rectifications to all the actors concerned.
Incorrect information on a form may lead a company to make a calculation that may be prejudicial to you, for example if it is used to calculate a refund or benefit whose estimation could be lower than the correct amount.
The same applies to information made available to the public, for example on a website: it must be possible to rectify incorrect information on your medical record.
What are the conditions for exercising the right to rectification?
Article 12 of the GDPR governs the procedures for the right to rectification, which is described in Article 16 of the GDPR.
The data subject must first prove that their data is inaccurate, incomplete, out of date or equivocal. The controller must then validate the evidence provided by the data subject and inform the data subject of the rectification as soon as possible. The burden of proof in this case lies with the controller.
How does a data subject exercise their right to rectification?
The data subject must apply directly to the controller (they may also apply to the Data Protection Officer) to satisfy this request. The latter may require proof of the data subject’s identity or other types of proof (though they are prohibited from requesting a disproportionate number of documents).
Exercising this right is free of charge for the data subject and is the responsibility of the data controller and/or processor, who must demonstrate that they are handling the request as quickly as possible (1 to 3 months depending on the complexity of the request).
If your organization does not respond quickly enough, or fails to respond, the data subject has the right to request “restriction of processing” (prohibition of all processing of the data concerned), and may lodge a complaint with the supervisory authority.
Limits to the right to rectification
The right to rectification cannot be applied to the processing of journalistic, artistic or literary data. Moreover, in order to protect the confidentiality of investigations, processing relating to police, intelligence and national bank account listings agencies is excluded from the scope of this right.
Right to erasure / Right to be forgotten
In the true sense of the word, there is no right to be forgotten under the GDPR, only a right to erasure.
The right to erasure allows you to request the complete deletion of your data. However, in certain cases it may be perfectly legitimate for an organization to keep and use your personal data. For this reason, exercising the right to erasure is subject to relatively strict conditions: the data subject must demonstrate that the organization’s processing of their data is not legitimate, either because it never was or because it no longer is.
To exercise the right to be forgotten, a reason must be provided: for example, the data is no longer being used for the purposes stated when the data was collected.
However, even if a reason is provided, an organization can argue that the processing has legitimate interests, for example to ensure freedom of expression and information.
In addition, if the organization has reasonable doubt concerning the identity of the person making the request, it may ask for proof of identity (within reason).
A data subject may make a request for erasure:
- electronically (via form, e-mail, etc.)
- by physical means (postal mail, etc.).
It is essential that all means be provided to facilitate the data subject’s exercise of their right to erasure by providing all necessary information (procedure, name of data controller, DPO’s details, etc.)
To respond to a legitimate erasure request, an organization has 1 to 3 months (depending on complexity of request) from the date of the initial request.
An internet service provider has personal data on you that it requires within the terms of an internet service agreement, and/or that it is obliged to retain for legal purposes (investigation of offences by judicial authorities, etc.).
After the contract has expired, the company must still keep the data as protection against potential lawsuits, for the duration of the applicable statute of limitations. During this time, your right to erasure does not apply: the company can refuse to erase your data.
However, once all retention periods have expired, the company must comply with your request and formally confirm that it has. Failure by the company to do so represents unlawful data processing.
The right to erasure can only be exercised on the following grounds:
- the personal data is no longer necessary for the purposes for which it was collected or processed
- the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing
- the data subject objects to the processing and there are no compelling legitimate grounds for the processing
- the personal data has been processed unlawfully
- the personal data must be erased in order to comply with a legal obligation laid down by EU law or by the law of the Member State to which the controller is subject
The data may continue to be processed, even if the data subject has a legitimate reason to exercise their right, in the event that processing is necessary:
- to respect the right to freedom of expression and information
- to comply with a legal obligation which requires processing under EU law or the law of the Member State to which the controller is subject, to perform a task carried out in the public interest, or to exercise an official mandate vested in the controller
- for reasons of public interest pertaining to public health
- for archival purposes in the public interest, for scientific or historical research or for statistical purposes
- for the establishment, exercise or defense of legal claims.
GDPR Right to object
Any individual has the right to object, at any time, to the use of their personal data by an organization, for instance in the case of processing for commercial prospecting purposes. This right can be exercised even if the processing serves a legitimate purpose.
Unlike the right to erasure, when a data subject exercises their right to object, they are asking the company to stop processing their data, without necessarily requesting its erasure.
Nevertheless, the right to object is not an absolute right. While in most cases a data subject can exercise this right without providing a justification, for some processing activities a legitimate reason is required. More specifically, the GDPR requires that exercising of this right by the data subject be justified by “reasons relating to his or her particular situation”.
Your company sends out a newsletter to maintain a relationship with its prospects. The email addresses of the prospects are therefore used for marketing purposes, based solely on the consent given by the prospects.
The prospects must be able to exercise their right to object under the GDPR from the moment they feel that this processing (use of their email address to send them marketing messages) is no longer appropriate. In the event that they exercise this right, their email addresses must be removed from the mailing lists.
For this reason, each email you send should contain an unsubscribe link: it allows your contacts to exercise their right to object – and thus stop receiving your company’s marketing emails – in a single click.
How does a data subject exercise their right to object?
No special formalities are required. Once the data subject has identified the data controller, they complete an online form or make the request via their website account.
Exercising this right is free of charge, and the process should be simple and user-friendly.
As with all the other rights discussed, it is essential to inform data subjects of the existence of their rights, as well as how to exercise them, e.g. via legal notices.
If the data subject does not receive a reply after one month, or if the reply is unsatisfactory, they may refer the matter to the relevant supervisory authority.
What are the limits of the right to object?
Article 38 of the GDPR sets out the limits of the right to object.
If the objection does not concern commercial prospecting, the controller may justify their refusal on several grounds:
- If there are legitimate and compelling reasons for processing the data, or if the data is necessary to establish, exercise or support legal claims
- The right may be waived if the data subject gives their contractual consent or if the processing of personal data is based on a legitimate interest.
Right to portability
How can you avoid being locked into a contract with a company and recover your personal data in order to change service providers? The right to portability was precisely designed to answer that question.
This new right laid out in the GDPR (since May 25, 2018) allows data subjects to retrieve their personal data in a structured, standardized and machine-readable format that allows its easy transfer to a new data controller.
This right is not absolute. It only concerns data whose processing is automated and only applies if consent has been obtained or if processing is necessary for the performance of a contract.
The controller must inform data subjects of the existence of this right in a “concise, transparent, comprehensible and easily accessible manner, in clear and simple terms”, namely in the website’s legal notice.
Data subjects should be aware of this right before closing an account so they can transfer their personal data to another controller in order to enable new data processing.
My company, a connected TV vendor, processes the preference data of our customers in order to give them a better user experience. A potential new customer, dissatisfied with the services of one of my competitors, contacted my company to get a new connected TV.
They had already configured their preferences on the competitor’s system, and it would have been very tedious for them to have to configure them again manually.
By exercising their right to data portability, a customer can require that their previous vendor transfer their data to us in a suitable format, allowing the customer to retrieve their preferences in our system.