Personal data goes far beyond just your first and last name. The GDPR provides a very broad definition of personal data, covering any information that directly or indirectly identifies a living person. Your first and last name might identify you as an individual, BUT what if you have a common name? One thing to keep in mind is that if information doesn't count as personal data, it doesn't fall under the GDPR.
About Personal Data Within the GDPR
The GDPR aims to strike a balance between strong regulations that protect individuals and flexibility for businesses. This is why the definition of personal data matters so much. If a company or organisation collects, uses, or stores personal data of individuals within the EU, that entity is obliged to comply with GDPR provisions regarding privacy and security. Failing to do so can result in heavy fines imposed by the relevant supervisory authority.
Is Only My First and Last Name Considered Personal Data?
The short answer: NO!
Personal data is more than just a name. It involves multiple personal identifiers that can lead to the identification of a specific person.
Let's say your name is Joe Borg. In Malta, that is a very common name. How can you identify a specific person with that name? If the name is combined with other information that allows you to single out the individual, it becomes personal data. So, if you are collecting identifiable information about a person, you are collecting personal data, and GDPR rules and regulations apply.
Not so fast. Personal data can be found elsewhere too. Under the GDPR, there is no exhaustive list of what constitutes personal data. This concept is constantly evolving and depends heavily on the correct interpretation of the definition in Article 4 of the GDPR.
Of course, there are the obvious things that identify a person, such as first and last name, document numbers on a passport or ID card, postal address, bank account number, and more. But what about looking beyond the obvious?
Looking Beyond the Obvious
It is no secret that tattoos are very popular these days. You might wonder if your tattoo (if you have one) would constitute personal data. Just as a common name needs to be combined with other relevant information to identify a person, the same applies to a common tattoo.
However, if a tattoo can easily identify a specific person, it is considered personal data under the GDPR, as the context in which it is collected and processed is taken into account.
TIP: If you get a tattoo, remember that the tattoo artist cannot simply share your data if doing so does not comply with the GDPR.
When information about a person is pieced together, various details can be used to narrow down the criteria enough to identify an individual.
Let's take another example: a license plate. Vehicle registration numbers fall under the definition of personal data under the GDPR. With the right tools, a license plate can be matched to the owner of the car, thereby indirectly identifying the person. Don't worry though – while license plates can be collected as data, the collection of such numbers is sanctioned under GDPR regulations.
Storage and Collection of Personal Data
The GDPR emphasizes the concept of data minimization, which covers the volume of data stored and the retention of that data. Legal requirements under the GDPR state that personal data may only be kept for as long as necessary to fulfill the purpose for which it is being processed.
If a company collects your personal data, you should ensure that you are clearly informed when the data is being captured. Here is a list of questions you need answers to:
- WHICH company is collecting your data?
- HOW can you contact the company or the Data Protection Officer (DPO – if one exists)?
- WHY is your data being processed?
- IS THERE a legal justification for processing the personal data?
- HOW LONG will your personal data be kept?
- WHO else might receive your personal data?
- WILL your data be transferred to someone outside the EU?
- DO YOU have the right to receive a copy of your data?
- DOES the company respect your fundamental rights under the GDPR?
- DO YOU have the right to lodge a complaint?
- IS your right to withdraw consent as easy to exercise as giving it?
- DOES the company have an automated decision-making system?
You can find the full list here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679#d1e2254-1-1
Personal data must be kept for the shortest time possible. This period must be defined in accordance with the GDPR and must therefore consider the reasons why a company processes personal data, as well as legal obligations that mandate a longer retention period (e.g., tax laws that require a company to keep records for 10 years).
The company sets deadlines after which data that is no longer needed is deleted or reviewed to avoid storing unnecessary information. The regulation provides for exceptions regarding retention periods depending on the purpose. If the purpose of storing data is in the public interest, or if it is kept for scientific or historical research, personal data may be kept longer, provided all necessary measures are taken.
A company must also ensure that personal data is accurate and up to date.
Conclusion
Information like license numbers and tattoos isn't the "usual" personal data we think of, but storing such information must still be done in compliance with the GDPR. A compliance process that meets GDPR standards must be in place for any processing of personal data. If you would like to know more, contact us at gdprcompliance@drwerner.com.




