Personal Data is NOT just your Name and Surname! Here’s an Explanation.

Per­son­al Data is not just a Name and a Sur­name. The GDPR’s def­i­n­i­tion of per­son­al data is very broad and includes any infor­ma­tion which direct­ly or indi­rect­ly iden­ti­fies a liv­ing indi­vid­ual. Your name and sur­name would iden­ti­fy you as a per­son, BUT what if you have a com­mon name? One thing to keep in mind is that if it does not con­sti­tute per­son­al data then it does not fall under the GDPR.

personal-data-1

About Personal Data within the GDPR

The GDPR strives to find a bal­ance between HAVING a strong Reg­u­la­tion which gives data sub­jects clear pro­tec­tion and BEING flex­i­ble from busi­ness­es per­spec­tives. For this rea­son, the GDPR delves into defin­ing per­son­al data. If a com­pa­ny or an organ­i­sa­tion col­lects, uses, or stores per­son­al data of indi­vid­u­als with­in the EU, then the said com­pa­ny or organ­i­sa­tion has the oblig­a­tion to com­ply with the pri­va­cy and secu­ri­ty require­ments imposed by the GDPR. If not, huge fines will be imposed by the respec­tive Super­vi­so­ry Author­i­ty.

Is Personal Data just my Name and Surname?

Hint: NO!

Per­son­al Data is more than just a name and a sur­name. It involves sev­er­al per­son­al iden­ti­fiers which can lead to the iden­ti­fi­ca­tion of a par­tic­u­lar indi­vid­ual.

Let’s say your name is Joe Borg. In Mal­ta this is a very com­mon name. Thus, how can you iden­ti­fy such per­son? The answer is that if this name is com­bined with oth­er infor­ma­tion which allows you to iden­ti­fy the per­son, then this con­sti­tutes per­son­al data. So, if you are col­lect­ing iden­ti­fi­able infor­ma­tion about a per­son, you will be col­lect­ing per­son­al data, and the GDPR rules and require­ments shall apply.

Don’t be so fast. Per­son­al Data does not stop here. Under the GDPR, there is no exhaus­tive list of what can con­sti­tute per­son­al data, how­ev­er this evolves around and high­ly depends on the prop­er inter­pre­ta­tion of the def­i­n­i­tion in Arti­cle 4 of the GDPR.

Of course, there are the obvi­ous things which iden­ti­fy a per­son, like the name and sur­name, doc­u­ment num­bers on a Pass­port or an Iden­ti­ty Doc­u­ment, postal address, bank account num­ber and more. But how about think­ing out­side the box for a while?

Thinking outside the box

personal-data-2

It is not a secret to say that tat­toos are very pop­u­lar nowa­days. So, you might be ask­ing whether your tat­too (if you have one) would con­sti­tute per­son­al data? Just like a com­mon name and sur­name needs to be com­bined with oth­er rel­e­vant infor­ma­tion in order to be able to iden­ti­fy that per­son, the same applies to a com­mon tat­too.

But if a tat­too can eas­i­ly iden­ti­fy that per­son then it con­sti­tutes per­son­al data under the GDPR giv­en that the con­text in which it is being col­lect­ed and processed is tak­en into con­sid­er­a­tion.

TIP: When you are get­ting a tat­too, remem­ber that the tat­tooist can­not just share your data unless it com­plies with the GDPR.

When the infor­ma­tion about a per­son is col­lect­ed togeth­er, dif­fer­ent pieces of infor­ma­tion may be used to nar­row down the cri­te­ria to the extent that a per­son may be iden­ti­fied.

Let’s take anoth­er exam­ple: a License Plate. Vehi­cle reg­is­tra­tion num­bers do fall with­in the def­i­n­i­tion of per­son­al data under the GDPR. With the right tools, a License Plate may be matched to the own­er of the car and thus the per­son may be indi­rect­ly iden­ti­fied. Do not wor­ry, although num­ber plates may be col­lect­ed, the col­lec­tion of such num­bers is sanc­tioned under the GDPR.

Storage and Collection of Personal Data

The GDPR puts empha­sis on the notion of data min­imi­sa­tion which includes the vol­ume of data being stored and the reten­tion of such data. The legal req­ui­sites under the GDPR states that per­son­al data shall only be retained for the peri­od nec­es­sary to ful­fil the pur­pose for which it is being processed.

If a Com­pa­ny is col­lect­ing your per­son­al data make sure that, upon col­lec­tion of data you are clear­ly informed about it. Here is a list of ques­tions you need to have answers to:

  • WHICH is the com­pa­ny col­lect­ing your data?
  • HOW you can con­tact the com­pa­ny or their DPO (if any) ?
  • WHY is your data being used?
  • IS there a legal jus­ti­fi­ca­tion for the pro­cess­ing of per­son­al data?
  • FOR how long per­son­al data can be kept ?
  • WHO else might be receiv­ing your data?
  • WILL your data be trans­ferred to some­one out­side the EU?
  • DO you have a right to obtain a copy of your data?
  • DOES the com­pa­ny con­sid­er your basic rights under GDPR?
  • ARE you pro­vid­ed with a right to lodge a com­plaint?
  • IS your right to with­draw con­sent as easy as it is to obtain it?
  • DOES the com­pa­ny have an auto­mat­ed deci­sion mak­ing sys­tem?

See the com­plete list here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679#d1e2254‑1–1

Per­son­al Data must be retained for the short­est time pos­si­ble. Such peri­od needs to be stip­u­lat­ed in terms of the GDPR and thus it needs to take into account rea­sons why a com­pa­ny process­es per­son­al data and any legal oblig­a­tions which impose a longer reten­tion peri­od (for instance tax laws require a com­pa­ny to retain the data for 10 years).

A com­pa­ny shall estab­lish time peri­ods after which data which is no longer need­ed is removed or reviewed so as to avoid the stor­age of unnec­es­sary data. The Reg­u­la­tion pro­vides for excep­tions which are applic­a­ble to the reten­tion peri­ods depend­ing on the pur­pos­es. If the pur­pose of stor­ing data is in the inter­est of the gen­er­al pub­lic or it is kept for scientific/ his­tor­i­cal research, then per­son­al data may be kept for longer peri­ods, giv­en that all nec­es­sary mea­sures are in place.

A com­pa­ny needs to also make sure that the per­son­al data is accu­rate and up-to-date.

Conclusion

Infor­ma­tion such as License Num­bers and Tat­toos are not the ‘usu­al’ per­son­al data that we think of, how­ev­er, stor­age of such infor­ma­tion needs to be done in line with the GDPR. For every pro­cess­ing of per­son­al data there needs to be a com­pli­ance process which com­plies with the GDPR. If you are inter­est­ed to know more, con­tact us on gdprcompliance@drwerner.com.

About Dr. Rebecca Mifsud

Dr Rebec­ca Mif­sud, born 6th May 1994, attend­ed the Uni­ver­si­ty of Mal­ta and is an LLB Hon­ours grad­u­ate. She also grad­u­at­ed in the Mas­ters in Advo­ca­cy and will be sit­ting for her Mal­ta War­rant Exam in 2019. She suc­cess­ful­ly defend­ed her dis­ser­ta­tion enti­tled: ‘Imput­ing respon­si­bil­i­ty for foot­ball injuries inflict­ed by minors in the Mal­tese sce­nario,’ in 2017.

View All Posts

Leave a Reply

Your email address will not be published.