Lawpath Blog
What Counts as ‘Personal Data’ Under the GDPR?

What Counts as ‘Personal Data’ Under the GDPR?

The GDPR concerns how personal data is handled in the European Union (EU). However, there's circumstances where it also applies to Australian businesses.

10th October 2019

The General Data Protection Regulation (GDPR) is a European law on data protection and privacy for citizens of the European Union. It predominantly addresses personal data. However, many people don’t understand what this means under the GDPR. We break it down below, to ensure that you accurately understand what it contains.

Definition of personal data

A section of the GDPR defines what personal data entails. It includes any information that is related to an identified or identifiable person. If a person can be recognised through any identifier it may be considered personal. This includes:

  • Name.
  • Location data.
  • Identification number.
  • Online identifier.

In short, if an individual can be identified through any kind of data, it falls within the definition.

How deep does this extend?

The definition includes ‘any information’. Thus, the definition needs to be interpreted broadly. Numerous cases have proven this, considering less explicit information such as recordings of employee’s shift times, break times and IP addresses. It even includes written information on a test.

Personal data doesn’t need to be objective. Subjective information such as opinions, judgements or even personal estimates may constitute personal data.

Does it only extend to people?

Part of the definition includes ‘identified or identifiable persons’. It must be a natural person. Therefore, these laws do not protect information about businesses, corporations or institutions. However, natural people have capacity under the definition from the moment they are born, to the moment they die.

When is data not personal?

Data that has been made anonymous to the extent that an individual is not identifiable is when it ceases to be personal data. There must be no link between the data, and the person it belongs to. If there is even a hint that it belongs to the person, then it may be classed as personal.

Final thoughts

Before understanding how the law operates, it’s necessary to understand what kind of information the law is built to protect. Personal data is any data that may attributed to a natural person. To ensure you meet these requirements, a GDPR Privacy Policy is specifically created to abide with this framework for your business. For further enquiries on the topic, a privacy lawyer may be able to assist.

Don’t know where to start? Contact us on 1800 529 728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest lawyer marketplace.

Author
Kyle McIndoe

Kyle worked in the content team as a legal intern for Lawpath. He is undertaking a Bachelor of Laws with a Bachelor of Psychology (Honours) at Macquarie University.