Every person, from birth to death, generates personal data, i.e. information that relates to that person and allows them to be identified. This is the basic element of privacy.
With the entry into force of the General Data Protection Regulation on 25 May 2018, the definition used is: “any information relating to an identified or identifiable natural person”.
Personal data is at the core of the GDPR. Use of this data has a profound impact on the private lives of every single person. The GDPR was created specifically with the protection of our personal data in mind.
Personal data consists of “any information”, as soon as it is materialized, regardless of its media, origin, or channel of transmission – physical or digital.
Whenever we buy goods, subscribe to a service, communicate by e-mail or on a forum, use a mobile app or the digital tools of the company we work for, or carry out administrative formalities, we generate personal data.
To qualify as personal data, the information in question must concern a natural person – as opposed to a legal person (corporation, administration, etc.).
There are two categories of personal data:
those which allow a natural person to be identified directly (last name, first name)
those which allow a natural person to be identified indirectly (telephone number, vehicle license plate, social security number, postal or email address, voice, images, etc.)
The term “personal data” therefore covers a wide range of information, from a CRM database to a website cookie.
Personal data processing
What is personal data processing?
“Processing” is the generic term used in the GDPR to refer to any operation performed on personal data.
The definition of processing given by the GDPR is very broad. It includes, among others, the following operations performed on personal data:
modification / rectification
communication by transmission
dissemination or any other form of provision
matching and linking
erasure and destruction
Given this broad definition, the scope of application of the GDPR is also very broad. Basically, any operation on personal data falls within the scope of processing. Each processing operation must therefore be listed by the data controller, who is supervised by the Data Protection Officer. A subcontractor (or service provider, called a processor in the GDPR) can perform data processing on behalf of an organization. In this case, processing operations must be carefully designed and integrate all the actors in the GDPR compliance process.
From the moment a company processes data, it must guarantee certain rights to the persons whose data is being processed. These rights can be exercised at the person’s request.
A special case: data collection
When defining personal data, the issue of data collection is crucial.
What is data collection?
The collection of personal data is the action of gathering personal information on one or more persons by whatever means (via form, note-taking during a physical meeting, database retrieval, etc.) and for whatever purpose (marketing, HR, sales, etc.).
Data collection is the first step of data processing (whether for business reasons or HR management).
Collecting data impacts data security and the protection of personal privacy. That’s why all these practices are strictly regulated by the GDPR, which provides a regulatory framework designed to restrict abusive collection of personal data and to ensure its protection.
This is where the principle of legal basis comes into play (mainly with regard to consent, which plays a central role in the protection of individual rights and freedoms).
What is the minimization process?
The GDPR enshrines the principle of minimization with regard to the collection of personal data. This principle provides that “the personal data collected must be adequate, relevant and limited to what is necessary for the purposes for which it is processed”.
In other words, organizations may only collect personal data for specific purposes and proportionate to these purposes. They are therefore required to indicate the type of data collected and the reasons why such collection is necessary.
This ensures full transparency between the data controller, the originator of the collection, and the data subject, and provides better data protection guarantees.
Let’s take two contrasting examples.
The GDPR states that recording, storing or consulting personal data is part of processing. This means that the GDPR may apply to any operation, even those that are seemingly passive, such as visiting a website.
In any discussion of personal data processing, the idea of data retention is essential.
To ensure full protection of personal data and guarantee that it remains up to date, data should only be kept for a limited and reasonable period of time.
All the legal texts agree on limiting the retention time of personal data, and that such retention must be proportionate to the purpose of the processing.
Some legal texts set a retention period. If no such period is indicated, the data controller is required to determine a period of time that is proportionate to the objective and purpose of the processing. Beyond this period, the controller must delete or anonymize the personal data.
Examples of retention periods:
for data relating to payroll management, the maximum retention period is 5 years
a prospect’s personal data must be deleted if they have not responded to any solicitation for 3 years or more
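Worked example (added here, not part of the original article): a small Python retention check that applies the two periods above to a constructed set of records and reports whether the controller must keep or delete each one. The record layout, the sample data and the "review" outcome for a category with no defined rule are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention rules taken from the two examples in the text (constructed policy table).
PAYROLL_MAX_YEARS = 5          # payroll data: keep at most 5 years
PROSPECT_INACTIVITY_YEARS = 3  # prospect data: delete after 3 years without any response

@dataclass
class Record:
    record_id: str
    category: str                          # "payroll" or "prospect"
    created: date                          # date the data was collected
    last_response: Optional[date] = None   # prospects: last reply to a solicitation
    name: str = ""
    email: str = ""

def years_between(start: date, end: date) -> int:
    """Whole years elapsed from start to end (anniversary-based, not a 365-day approximation)."""
    years = end.year - start.year
    if (end.month, end.day) < (start.month, start.day):
        years -= 1
    return years

def retention_action(rec: Record, today: date) -> str:
    """Decide 'keep', 'delete' or 'review' for one record as of `today`."""
    if rec.category == "payroll":
        expired = years_between(rec.created, today) >= PAYROLL_MAX_YEARS
    elif rec.category == "prospect":
        # A prospect who never answered any solicitation is measured from the collection date.
        reference = rec.last_response or rec.created
        expired = years_between(reference, today) >= PROSPECT_INACTIVITY_YEARS
    else:
        return "review"  # no rule defined for this category: flag it rather than silently keep or drop
    return "delete" if expired else "keep"

def retention_report(records, today: date) -> dict:
    """Map each record id to the action the controller must take as of `today`."""
    return {r.record_id: retention_action(r, today) for r in records}

# Constructed sample data; AS_OF fixes 'today' so the decisions are reproducible.
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("pay-1", "payroll", date(2019, 5, 31), name="A. Example"),   # 5 full years: delete
    Record("pay-2", "payroll", date(2019, 6, 2), name="B. Example"),    # one day short of 5 years: keep
    Record("lead-1", "prospect", date(2018, 1, 1), last_response=date(2021, 7, 15)),  # answered < 3 years ago
    Record("lead-2", "prospect", date(2020, 1, 1)),                    # never answered, 4 years: delete
    Record("misc-1", "cctv", date(2023, 1, 1)),                        # no rule in this table: review
]
```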