Definition of personal data:
Personal data is any information relating to an identified or identifiable natural person. A natural person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of personal data:
- Names: first names, last names, nicknames
- Addresses: residential addresses, email addresses, IP addresses
- Telephone numbers: landline numbers, mobile numbers
- Birth data: date of birth, place of birth
- Bank details: account numbers, IBAN, BIC
- Location data: GPS data, movement data
- Online identifiers: cookies, MAC addresses, device identifiers
- Biometric data: fingerprints, facial recognition data
- Health data: medical records, diagnoses, treatment plans
Special categories of personal data:
Special categories of personal data, also known as sensitive data, are types of information that require particular protection. These include:
- Racial and ethnic origin
- Political opinions
- Religious or ideological beliefs
- Trade union membership
- Genetic data
- Biometric data for unique identification
- Health data
- Data on sexual life or sexual orientation
Relevant articles of the GDPR:
- Article 4(1): Definition of personal data
- Article 9: Processing of special categories of personal data
Processing bases for personal data:
The processing of personal data is only lawful under certain conditions. The GDPR lists several legal bases on which the processing can be based:
- Consent (Article 6(1)(a)): The data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes.
- Performance of a contract (Article 6(1)(b)): Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Compliance with a legal obligation (Article 6(1)(c)): Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Vital interests (Article 6(1)(d)): Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Performance of a task in the public interest (Article 6(1)(e)): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests (Article 6(1)(f)): Processing is necessary to protect the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Processing of special categories of personal data:
The processing of special categories of personal data is generally prohibited unless one of the following conditions is met (Article 9(2)):
- Consent: The data subject has expressly consented to the processing of personal data concerning him or her.
- Labour, social security and social protection law: Processing is necessary for the controller or the data subject to exercise his or her rights and to comply with his or her obligations under labour law and social security and social protection law.
- Vital interests: Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is unable to give consent.
- Data processing by foundations, associations or other non-profit organisations: The processing is carried out within the framework of their legitimate activities with appropriate guarantees by a foundation, association or other non-profit organisation with political, ideological, religious or trade union objectives, provided that the processing relates exclusively to the members or former members of that organisation or to persons who have regular contact with it with regard to its objectives, and the personal data are not passed on without the consent of the data subjects.
- Manifestly made public: The processing relates to personal data that the data subject has manifestly made public.
- Legal claims: Processing is necessary for the establishment, exercise or defense of legal claims or in the context of the activities of courts.
- Substantial public interest: Processing is necessary for reasons of substantial public interest, based on Union or Member State law, which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.
- Healthcare, occupational medicine, public health: Processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or ensuring high quality and safety standards in health care and medicinal products or medical devices, on the basis of Union or Member State law which provides for appropriate and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
- Archiving, scientific and historical research: Processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1), which must be based on Union or Member State law, be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.
Summary:
The definition of personal data under the GDPR is comprehensive and includes a wide range of information that can be directly or indirectly linked to an identifiable person. The protection of this data is a central part of the regulation and processing is subject to strict conditions to ensure the privacy and rights of the data subjects. Special categories of personal data require additional safeguards and may only be processed under specific conditions.