Personal Data is not just a Name and a Surname. The GDPR’s definition of personal data is very broad and includes any information which directly or indirectly identifies a living individual. Your name and surname would identify you as a person, BUT what if you have a common name? One thing to keep in mind is that if information does not constitute personal data, then it does not fall under the GDPR.
About Personal Data within the GDPR
The GDPR strives to find a balance between HAVING a strong Regulation which gives data subjects clear protection and BEING flexible from a business perspective. For this reason, the GDPR goes into some depth in defining personal data. If a company or an organisation collects, uses, or stores personal data of individuals within the EU, then that company or organisation has the obligation to comply with the privacy and security requirements imposed by the GDPR. If it does not, huge fines will be imposed by the respective Supervisory Authority.
Is Personal Data just my Name and Surname?
Personal Data is more than just a name and a surname. It involves several personal identifiers which can lead to the identification of a particular individual.
Let’s say your name is Joe Borg. In Malta this is a very common name. So how can you identify such a person? The answer is that if this name is combined with other information which allows you to identify the person, then this constitutes personal data. So, if you are collecting identifiable information about a person, you will be collecting personal data, and the GDPR rules and requirements shall apply.
Don’t be so fast. Personal Data does not stop here. Under the GDPR, there is no exhaustive list of what can constitute personal data; instead, this revolves around and highly depends on the proper interpretation of the definition in Article 4 of the GDPR.
Of course, there are the obvious things which identify a person, like the name and surname, document numbers on a Passport or an Identity Document, postal address, bank account number and more. But how about thinking outside the box for a while?
Thinking outside the box
It is no secret that tattoos are very popular nowadays. So, you might be asking whether your tattoo (if you have one) would constitute personal data. Just like a common name and surname need to be combined with other relevant information in order to identify a person, the same applies to a common tattoo.
But if a tattoo can easily identify a person, then it constitutes personal data under the GDPR, provided that the context in which it is being collected and processed is taken into consideration.
TIP: When you are getting a tattoo, remember that the tattooist cannot just share your data unless it complies with the GDPR.
When the information about a person is collected together, different pieces of information may be used to narrow down the criteria to the extent that a person may be identified.
Let’s take another example: a License Plate. Vehicle registration numbers do fall within the definition of personal data under the GDPR. With the right tools, a License Plate may be matched to the owner of the car, and thus the person may be indirectly identified. Do not worry: number plates may still be collected, but the collection of such numbers is governed by the GDPR and must comply with it.
Storage and Collection of Personal Data
The GDPR puts emphasis on the notion of data minimisation, which covers both the volume of data being stored and the retention of such data. The legal requirements under the GDPR state that personal data shall only be retained for the period necessary to fulfil the purpose for which it is being processed.
If a company is collecting your personal data, make sure that, upon collection of the data, you are clearly informed about it. Here is a list of questions you need to have answers to:
- WHICH company is collecting your data?
- HOW can you contact the company or its DPO (if any)?
- WHY is your data being used?
- IS there a legal justification for the processing of your personal data?
- FOR how long can your personal data be kept?
- WHO else might be receiving your data?
- WILL your data be transferred to someone outside the EU?
- DO you have a right to obtain a copy of your data?
- DOES the company consider your basic rights under the GDPR?
- ARE you provided with a right to lodge a complaint?
- IS your right to withdraw consent as easy to exercise as it was to give consent?
- DOES the company have an automated decision-making system?
See the complete list here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679#d1e2254-1-1
Personal Data must be retained for the shortest time possible. Such a period needs to be stipulated in line with the GDPR, and thus it needs to take into account the reasons why a company processes personal data and any legal obligations which impose a longer retention period (for instance, tax laws require a company to retain the data for 10 years).
A company shall establish time periods after which data that is no longer needed is removed or reviewed, so as to avoid the storage of unnecessary data. The Regulation provides for exceptions to the retention periods depending on the purposes. If the purpose of storing data is in the interest of the general public, or the data is kept for scientific or historical research, then personal data may be kept for longer periods, provided that all necessary measures are in place.
A company needs to also make sure that the personal data is accurate and up-to-date.
Information such as License Numbers and Tattoos is not the ‘usual’ personal data that we think of; however, storage of such information needs to be done in line with the GDPR. Every processing of personal data needs to be covered by a compliance process which meets the requirements of the GDPR. If you are interested to know more, contact us on .