July 24, 2024
What Is Personal Data Under the GDPR?
The GDPR regulates how organizations use 'personal data,' but many don't realize just how much information that covers. Learn how the GDPR defines the term.

If you had to summarize the EU’s General Data Protection Regulation (GDPR) in the briefest way possible, it might be this: The GDPR regulates the use of personal data. That is certainly the law’s overarching purpose, but for anyone trying to understand the GDPR, this statement begs a follow-up question. What is “personal data”?

The quick answer is that a lot of information is considered personal data under the GDPR. In this article we’ll go over the statutory definition of the term and provide some real-world examples to help understand the scope of what is covered.

The GDPR Definition of Personal Data

Article 4 of the GDPR provides the legal definition of “personal data,” which is:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).

Using this definition, the test for determining whether a specific piece of information is personal data is to ask two questions. First, is there an identified or identifiable person? If so, does the information relate to that person?

Imagine a spreadsheet with information about thousands of individuals, but it only has two pieces of data on each one: an anonymous identifier and gender. It reads, “Person #1 - Female,” “Person #2 - Male,” and so on. Taken in isolation, this is not personal data because it is not possible to identify any of the people.

However, this can easily become personal data with the addition of a little more information. For example, if you add another column that shows each person’s email address, each person becomes identifiable. Now the gender identification for each individual is information related to an identifiable person, so it is personal data. In fact, even the (formerly) anonymous identifier becomes personal data as an identification number assigned to each person.

Examples of GDPR Personal Data

If all of that sounds a bit abstract, delving into a few examples should bring it into focus. Here are some of the most common types of GDPR personal data:

Identifiers

Identifiers serve a dual function as they both identify the data subject and are specific pieces of information related to that person. Common identifiers are names, mailing addresses, telephone numbers, email addresses, and usernames.

Online Identifiers

Though they are a subcategory of identifiers, online identifiers are worth calling out separately because so many organizations overlook them when examining their data practices. The two most common online identifiers are IP addresses and tracking technologies such as cookies and pixels. They are important to remember because most websites automatically collect this data from each of their visitors, and the identifiers are used to connect other kinds of online personal data (e.g., ad clicks, page views, etc.) to a particular data subject.

Online Activity

Any online activity can be considered personal data when related to an identifiable data subject (see “online identifiers” above). This includes browsing history, search history, email opens, ad clicks, shopping-cart data, and online purchases.

Geolocation Data

Geolocation data, even at a higher level such as city or state, is considered personal data when related to a specific data subject. For example, if a smartphone app connects GPS data to a device identifier, it is personal data.

Personal Characteristics

Any number of personal characteristics such as age, gender, race, ethnicity, religion, and education can be personal data.

Consumer Profiles

If an organization uses personal data to create a profile of a particular data subject (e.g., to predict future shopping behavior), the profile itself is a type of personal data.

This is by no means an exhaustive list of the types of personal data under the GDPR. If you’re not sure whether something is personal data, ask yourself, “Is there an identifiable person?” and then, “Does this information relate to them?”

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
