Personal data is any information that relates to a living individual. Even though personal data does not necessarily require high-security measures like encryption, it must still be treated as confidential when you store it. According to EU privacy laws, businesses must put certain systems in place to inform users and protect their personal data.
Article 4(1) of the EU General Data Protection Regulation (GDPR) defines "personal data" as "information relating to an identified or identifiable natural person".
Who are identified or identifiable persons?
An Identified person is a subject whose data can be referenced immediately. For example, " Ms Donovan is 23 years old".
An Identifiable person is a person whose personal information can be identified by means of additional knowledge. For instance, "Employee no. 121 is 23 years old". If employee numbers are disclosed, then this data can be easily related to an actual person.
Personal identifiers are:
- Name and identifying information (e.g. date of birth, titles, ID number).
- Contact data (e.g. mailing and e-mail address, phone number).
- Biometric and health data (e.g. height, weight, hair colour, genetic fingerprint, medical conditions, drug use).
- Psychological information (e.g. political opinions, religious or ideological convictions, desires, attitudes, beliefs, legal competence).
- Connections and relationships (e.g. friends and relations, employers).
- Other data (e.g. location data, usage data, activities, statements, value judgements, career, banking information, etc.).
What is a unique identifier?
Personal data consists of unique identifiers. These are pieces of information, which, collected together, can lead to the identification of a particular person. Since the definition includes “any information,” one must assume that the term “personal data” should be interpreted broadly. The European Court of Justice considers less explicit information, such as records of work times or interview notes, as personal data.
"For instance, age alone is not a unique identifier, but the combination of demographics like age, gender, address, could allow identification. If data is in any way identifiable or can be connected to the user (directly or indirectly), the data collection process cannot make the claim of being anonymous."
Who is covered under GDPR?
Data is personal only if it relates to an identified or identifiable natural person. A natural person means a living human being, so GDPR does not apply to companies or other legal entities. GDPR applies to anyone resident within the EU, regardless of citizenship.
How can I protect personal data?
From an administrative point of view, you must, among other things:
- Collect users' consent for data processing (see art. 4(11), 6(1) and 7 of GDPR;
- Process data lawfully and in compliance with the GDPR, (see Directive 2002/58/EC).
From a technical point of view, among other things you must:
- Enforce access controls (only authorised users can access the data);
- Store data in a safe place (e.g. use a hosting provider that guarantees compliance with GDPR);
- Ensure all partners with whom you share the data use it lawfully (see art. 4 GDPR).
What are the technical limitations for data storage under GDPR?
Personal data needs to be stored according to the GDPR, regardless of the technology used for storage and processing. GDPR is technology neutral and applies to both automated and manual data processing.
It applies to all data storage systems including APIs, video surveillance, or paper. In all cases, personal data is subject to the protection requirements set out in the GDPR, and the business using the technology is responsible for ensuring compliance.
How can Chino.io help?
Even though personal data do not require high-security measures like encryption, they may still be confidential or important to your business. With Chino.io you can easily store them in a safe place and ensure security, confidentiality and compliance.