Every person, from birth to death, generates personal data, i.e. information about that person which makes it possible to identify him or her. It is the basic element of our private life. The GDPR defines it as “any information relating to an identified or identifiable natural person”.
A few details
Personal data may consist of “any information”, as long as it is recorded in some form, regardless of its medium, origin or transmission channel, physical or digital.
When we carry out administrative procedures, buy goods, subscribe to a service, communicate by e-mail or on a forum, or use a mobile application or our company’s digital tools, we generate personal data. To qualify as personal data, such information must relate to a natural person, as opposed to a legal person (companies, associations, etc.).
There are two categories of personal data:
those concerning directly identified natural persons
those concerning indirectly identifiable natural persons.
Personal Data collection
The collection of personal data is strictly regulated by the GDPR, which provides a regulatory framework limiting abusive collection of personal data.
In this respect, it enshrines the principle of minimisation in the collection of personal data and provides that “personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
In other words, companies must now collect personal data only for specific purposes. They are therefore required to indicate the type of data collected and the reason why collecting it is necessary. This ensures full transparency between the controller, who initiated the collection, and the data subject.
Whether under the French Data Protection Act or the GDPR, the applicable legal framework requires that the storage of personal data be limited in time: both provide that the retention period must be proportionate to the purpose of the processing.
Some laws set a retention period. If not, the controller is required to set a duration proportionate to the objective and purpose pursued. Once this period has expired, the controller must delete or anonymise the personal data of the data subjects.
Here are some examples of retention periods:
for payroll management data, the maximum retention period is 5 years.
a prospect’s personal data must be deleted if they have not responded to any solicitation for at least 3 years.