What is personal data?
- The GDPR applies to the processing of personal data that is:
  - wholly or partly by automated means; or
  - the processing other than by automated means of personal data which
    forms part of, or is intended to form part of, a filing system.
- Personal data only includes information relating to natural persons who:
  - can be identified or are identifiable directly from the information in question; or
  - can be indirectly identified from that information in combination with other information.
- Personal data may also include special categories of personal data
or criminal conviction and offences data. These are considered to be
more sensitive and you may only process them in more limited
- Pseudonymised data can help reduce privacy risks by making it more
difficult to identify individuals, but it is still personal data.
- If personal data can be truly anonymised then the anonymised data is
not subject to the GDPR. It is important to understand what personal
data is in order to understand if the data has been anonymised.
- Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.
- Information about companies or public authorities is not personal data.
- However, information about individuals acting as sole traders,
employees, partners and company directors where they are individually
identifiable and the information relates to them as an individual may
constitute personal data.
What are identifiers and related factors?
- An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals.
- A name is perhaps the most common means of identifying someone.
However, whether any potential identifier actually identifies an
individual depends on the context.
- A combination of identifiers may be needed to identify an individual.
- The GDPR provides a non-exhaustive list of identifiers, including:
  - identification number;
  - location data; and
  - an online identifier.
- ‘Online identifiers’ includes IP addresses and cookie identifiers which may be personal data.
- Other factors can identify an individual.
Can we identify an individual directly from the information we have?
- If, by looking solely at the information you are processing you can
distinguish an individual from other individuals, that individual will
be identified (or identifiable).
- You don’t have to know someone’s name for them to be directly
identifiable; a combination of other identifiers may be sufficient to
identify the individual.
- If an individual is directly identifiable from the information, this may constitute personal data.
Can we identify an individual indirectly from the information we have (together with other available information)?
- It is important to be aware that information you hold may indirectly
identify an individual and therefore could constitute personal data.
- Even if you may need additional information to be able to identify someone, they may still be identifiable.
- That additional information may be information you already hold, or
it may be information that you need to obtain from another source.
- In some circumstances there may be a slight hypothetical possibility
that someone might be able to reconstruct the data in such a way that
identifies the individual. However, this is not necessarily sufficient
to make the individual identifiable in terms of the GDPR. You must consider
all the factors at stake.
- When considering whether individuals can be identified, you may have
to assess the means that could be used by an interested and
sufficiently determined person.
- You have a continuing obligation to consider whether the likelihood
of identification has changed over time (for example as a result of
What is the meaning of ‘relates to’?
- Information must ‘relate to’ the identifiable individual to be personal data.
- This means that it does more than simply identify them – it must concern the individual in some way.
- To decide whether or not data relates to an individual, you may need to consider:
  - the content of the data – is it directly about the individual or their activities?;
  - the purpose you will process the data for; and
  - the results of or effects on the individual from processing the data.
- Data can reference an identifiable individual and not be personal
data about that individual, as the information does not relate to them.
- There will be circumstances where it may be difficult to determine
whether data is personal data. If this is the case, as a matter of good
practice, you should treat the information with care, ensure that you
have a clear reason for processing the data and, in particular, ensure
you hold and dispose of it securely.
- Inaccurate information may still be personal data if it relates to an identifiable individual.
What happens when different organisations process the same data for different purposes?
- It is possible that although data does not relate to an identifiable
individual for one controller, in the hands of another controller it
- This is particularly the case where, for the purposes of one
controller, the identity of the individuals is irrelevant and the data
therefore does not relate to them.
- However, when used for a different purpose, or in conjunction with
additional information available to another controller, the data does
relate to the identifiable individual.
- It is therefore necessary to consider carefully the purpose for
which the controller is using the data in order to decide whether it
relates to an individual.
- You should take care when you make an analysis of this nature.