Context and background
The question in the headline of this article comes up often in environments where the GDPR has some influence, and even in our personal lives, when a company asks us for consent to process our personal data for different purposes: “Well, why not, but first I would like to know what is considered personal data.”
We will respond in depth.
To get straight to the point, personal data is any information or characteristic that identifies a person or makes a person identifiable. This is defined in Article 4.1 of the GDPR. Consequently, the image of a person is personal data, as is any information that makes it possible to determine their identity, directly or indirectly, such as a name, an identification number, a telephone number, a vehicle license plate, an IP address… Even anthropometric characteristics that unequivocally identify a person are personal data, as the Spanish Data Protection Agency (AEPD) has considered on numerous occasions. Conversely, data that does not facilitate the identification of a natural person is not personal data, for example a commercial registration number (CIF), a generic e-mail address of the info@ type, and others.
Existing types of personal data
The GDPR recognizes the existence of categories of personal data and even determines a very specific one referring to specially protected data. Below is an approximate list of the types of personal data that exist:
- Identifying data: name, ID card number, Social Security number, telephone number, address, signature, user name, IP address, etc.
- Personal characteristics: physical characteristics, preferences, hobbies, date of birth, etc.
- Family and social circumstances: number of children, leaves of absence, etc.
- Employment information: professional category, job position, professional experience, payroll, etc.
- Academic and professional data: education, degrees, academic history, etc.
- Time and attendance control: clocking in at the workstation or access control to the facilities.
- Financial: income, bank details, etc.
Specially protected data
The category of specially protected data, provided for in Article 9 of the GDPR, covers data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data[1], biometric data[2] aimed at uniquely identifying a natural person, and data concerning the health or the sex life and sexual orientation of a natural person. The processing of this type of data is prohibited unless one of a number of exceptions applies, such as the following:
- Explicit consent of the person concerned.
- Fulfillment of obligations and exercise of rights in the field of labor law and social security and protection.
- Protection of vital interests of the data subject.
- Processing carried out within the scope of foundations or associations whose purpose is political, philosophical, religious or trade union.
- Processing of manifestly public data.
- Processing necessary for the formulation, exercise or defense of claims, or processing carried out by courts in the exercise of their judicial function.
- For reasons of public interest in the field of public health.
- Processing necessary for archiving and public interest purposes, scientific or historical research purposes or statistical purposes.
How do you collect personal data?
Data can be collected through any channel (paper, electronic format, voice…). However, both at the time of collection and subsequently, the controller[3] must provide information on how your data will be processed in accordance with Articles 13 and 14 of the GDPR. In this case, and depending on the type of communication channel used, the way of providing this information may vary (paper, email, or WhatsApp are some of the possible channels).
A layered approach is very useful for providing this information during data collection: the first layer gives the basic information and the second layer the additional information. For more details on how and when to provide this information, it is advisable to consult the Guide for the fulfillment of the duty to inform, published by the Spanish Data Protection Agency. In any case, this information must be provided in clear and simple language, in a concise, transparent, intelligible and easily accessible form.
That is why the data collection process carried out by the data controller matters so much. The controller can collect data through forms, models or templates, sent through any channel. The important thing is to have evidence that can guarantee that the process has been carried out in compliance with the requirements of the GDPR. In principle, any means of collection is valid. Nowadays there are many channels for collecting data, and most of them, besides being agile, are easy for the general public to use, as is the case with WhatsApp. What is essential is that the data controller is able to demonstrate the collection and to prove that it holds the consents that may be attached to it for specific purposes.
As indicated above, it is up to the company’s data controller to provide the information and to prove that this duty has been fulfilled. To do this, it can rely on a qualified trust service provider, as is the case of MailComms Group, which, moreover, thanks to its experience in sending personalized omnichannel communications, can adapt to the data collection needs of any customer and company, always providing the data controller with the necessary evidence in the event of a complaint, since it enjoys the presumption iuris tantum. Similarly, at MailComms Group we offer a tool capable of obtaining, processing and managing these consents from start to finish, with guaranteed regulatory compliance.
Would you like to know more about it?
[1] Genetic data: data relating to the inherited or acquired genetic characteristics of a natural person that provide unique information about that person’s physiology or health, obtained in particular from the analysis of a biological sample from that person. For example, through a chromosomal analysis, or any analysis that allows obtaining unique information on the physiology and health of a person.
[2] Biometric data: personal data obtained from specific technical processing, relating to the physical, physiological or behavioral characteristics of a natural person that enable or confirm the unique identification of that person, such as facial images or dactyloscopic data.
[3] Data Controller: Any person who could decide on the purposes and means of data processing.