What is personal data?

Every person, from birth to death, generates personal data, i.e. information that relates to that person and allows him or her to be identified. This is the basic element of our privacy.

With the entry into force of the General Data Protection Regulation on 25 May 2018, the definition adopted is: “any information relating to an identified or identifiable natural person“.

Personal data is at the heart of the issues at stake in the GDPR. It is to ensure the protection of personal data that such a regulation has been put in place, as their use has a profound impact on the private life of everyone.

Find out more about the challenges of the GDPR

A few precisions

Personal data can consist of “any information“, as soon as it is materialized, whatever the medium, the origin, the transmission channel, physical or digital.

When we carry out administrative procedures, buy goods, subscribe to a service, communicate by e-mail or on a forum, use a mobile application or the digital tools of our company, we generate personal data.

To qualify as personal data, the information in question must therefore concern a natural person – as opposed to legal persons (companies, corporations, etc.).

There are two categories of personal data :

  • those which allow a natural person to be identified directly (surname, first name)
  • those which allow a natural person to be identified indirectly (telephone number, number plate, social security number, postal or email address, voice, images, etc.)

Thus the term personal data can include a wide range of information, from a CRM database to a simple website cookie.

Personal data processing

What is a personal data processing?

“Processing” is the generic term used in the GDPR to refer to any operation on personal data. Indeed, the GDPR applies to the processing of personal data.

According to the very broad definition given by the RGPD, it is any operation carried out on personal data, such as

  • collection
  • recording
  • structuring
  • storage
  • extraction
  • modification / rectification
  • consultation
  • use
  • publication
  • communication by transmission
  • dissemination or any other form of provision
  • matching and linking
  • limitation
  • erasure and destruction

The consequence of this very broad definition is that the scope of application of the GDPR is very wide. Basically, any operation on personal data, whatever the operation, is a processing of personal data which must be listed by the controller, under the aegis of the Data Protection Officer. It should be noted that a subcontractor (or service provider) may carry out data processing on behalf of the company in question. In this case, it will be necessary to redouble vigilance and to integrate all the actors in the GDPR compliance process.

As soon as a company processes data, an essential aspect appears: the company must respect a certain number of rights, granted to the persons concerned by the data processing, when the latter request it.

What is personal data processing

Special case of data gathering.

When trying to define what is personal data, it is essential to address the subject of data collection.

What is data collection?

The collection of personal data is, as its name indicates, the action of gathering personal information on one or more people by whatever means (form, by hand during a physical meeting, database retrieval, etc.), whatever the purpose (marketing, HR, sales, etc.).

Collecting data is the first step when you want to do processing (whether for business or internally for HR).

Collecting data has a considerable impact on its security and on the protection of the privacy of individuals. This is why all these practices are strictly regulated by the GDPR. Indeed, the latter has come to provide a regulatory framework in order to limit the abusive collection of personal data and thus to ensure the protection of their data.

This is where the principle of legal basis comes into play (we are thinking in particular of consent, which plays an essential part in the process of respecting individual rights and freedoms).

Le cas de la collecte de données

What is the minimisation process ?

In this respect, the GDPR enshrines the principle of minimisation in the collection of personal data and provides that “personal data collected must be adequate, relevant and limited to what is necessary for the purposes for which they are processed”.

In other words, companies must now only collect personal data for specific purposes and in proportions appropriate to them. It will therefore be mandatory to indicate the type of data collected and the reason why the collection is necessary.

This will ensure full transparency between the data controller, the originator of the collection, the data subject and provide better data protection guarantees.

Use cases

Let’s take two opposing examples.

The GDPR states that the recording, storage and consultation of personal data are processing of that data. This shows that any operation, even a completely passive one (consultation on a website, etc.) can give rise to an application of the GDPR.

Find out which companies have been sanctioned for illegal data processing

Data retention

Second question on the question “What is personal data? is the retention of data.

Keeping personal data in one’s possession for a limited and reasonable period of time is mandatory in order to ensure their security and freshness.

Whether the law text, they all agree on limiting the retention of personal data over time. Indeed, they indicate that the retention must be proportionate to the purpose of the processing.

Some legal texts set a retention period. In the absence of these, the data controller is obliged to set a period of time that is proportionate to the objective and purpose of the processing. Once this period has been exceeded, the controller must delete or anonymise the personal data of the persons concerned.

Here are some examples of retention periods:

  • for data relating to payroll management, the maximum retention period is 5 years
  • a prospect’s personal data must be deleted if he or she has not responded to any solicitations for at least 3 years