The term ‘personal data’ is the gateway to the application of the General Data Protection Regulation (GDPR) and is defined in Art. 4 para. 1 no. 1. Personal data are any information relating to an identified or identifiable natural person.
The persons concerned are identifiable if they can be identified, in particular by reference to an identifier such as a name, an identifying number, location data, an online identifier or one of several special characteristics that express the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, this also includes all data which are or can be assigned to a person in any way. For example, a person's telephone number, credit card or personnel number, account data, number plate, appearance, customer number and address are all personal data.
Since the definition includes “all information,” one must assume that the term “personal data” should be interpreted as broadly as possible. This is also reflected in the case law of the Court of Justice of the European Union. The term also covers less obvious information, such as records of working time which include information about when an employee begins and ends his work day, as well as breaks or times which do not count as working time. Written answers from a test-taker and any remarks in the test about these answers are also “personal data” if the test-taker can theoretically be identified. The same applies to IP addresses: if the processor has the legal option to oblige the provider to publish additional information which can identify the user behind the IP address, the IP address is also personal data. In addition, one must note that personal data need not be objective. Subjective information such as opinions, judgements or estimates can be personal data. This includes, for example, an assessment of a person's creditworthiness or an employer's estimate of work performance.
Last but not least, the law states that for information to count as relating to a person, it must refer to a natural person. In other words, data protection does not apply to information about legal entities such as corporations, foundations and institutions. For natural persons, on the other hand, protection begins and is extinguished with legal capacity. As a rule, a person obtains this capacity at birth and loses it upon death. To relate to a person, data must therefore be assignable to specific or specifiable living persons.
In addition to general personal data, one must consider above all the special categories of personal data (also known as sensitive personal data), which are highly relevant because they are subject to a higher level of protection. These data include genetic, biometric and health data, as well as personal data from which racial and ethnic origin, political opinions, religious or ideological convictions or membership in a union can be attributed to a person.