All information that makes statements about the personal circumstances of a person is considered personal data. The only relevant factor here is that this information can be assigned to a natural person or that this is at least indirectly possible.

The link between the person and the data is important

Any personal data requires that it can be assigned to a specific person. What sounds logical at first glance, however, has a major impact on closer inspection. It is not necessary that only a certain group of people can make this assignment. The only important thing is that this association can be made, even if the link is not publicly known.

The statement “The color of the German Chancellor’s eyes is blue-grey” serves as an example. In this case, the personal information is the eye color. Even though Angela Merkel’s name is not explicitly mentioned, the reference to “the German Chancellor” is sufficient to establish a link. It is irrelevant whether a particular reader knows who the Chancellor is.

Personal data in the company

Date of birth, address and ID card number are considered personal data. As a rule, they can be assigned to a specific person. For this reason alone, all information about a company’s employees is personal data.

The same applies to the rest of a company’s database. In the ERP area, CRM systems in particular stand out. From the data available here, for example, it could be deduced that Mr. Max Mustermann likes to buy sportswear of a certain brand. Since a direct correlation can be established between the purchasing behavior and the person, such information is also considered personal data.

Personal data is not always immediately recognizable

Sometimes it is not immediately clear whether a given piece of data counts as personal data. This is mainly because an individual observer cannot deduce a specific person from the information alone. The IP address is worth mentioning here. No one – apart from the provider of the Internet access – can establish the link. Even the investigating authorities depend on the provider’s cooperation in the event of a legal infringement. From a legal perspective, however, this information also counts as personal data, because such a link can be established. Who can ultimately establish it is irrelevant.

Personal data and the General Data Protection Regulation

The new General Data Protection Regulation (GDPR) is a set of rules for processing personal data. This data is therefore at the heart of the entire GDPR. This is evident from the definition of the term “personal data” alone, which is considerably broader in the regulation than in the previous Federal Data Protection Act (BDSG). While the BDSG only refers to “individual details about personal or factual circumstances”, the GDPR is very specific at this point in Article 4:

“[…] any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Based on this definition, the processing of personal data as regulated in the GDPR can be summarized in six basic requirements:

  • Lawfulness and transparency:
    Data may only be collected if this is expressly permitted.
  • Purpose limitation:
    Data may only be processed for the purpose for which it was collected.
  • Data minimization:
    Only the data that is absolutely necessary may be collected.
  • Accuracy:
    The stored data must be correct and up-to-date.
  • Storage limitation:
    Data may only be stored for as long as is necessary for its purpose.
  • Confidentiality:
    Data may only be accessible to the persons who need it for their work.

The GDPR regulates the handling of personal data in great detail. As a result, its processing is subject to greater restrictions in many areas than was previously the case under data protection laws. However, the GDPR only introduces minor new regulations compared to the previous Federal Data Protection Act. Nevertheless, data protection is now gaining appropriate attention in many companies across Europe, not least due to the drastic increase in fines and the explicit penalties for every breach.

FAQ on personal data

What is personal data?

Personal data is any information relating to an identified or identifiable natural person. An identifiable person is someone who can be recognized directly or indirectly by association with an identifier such as a name, identification number or location data.

What forms of personal data are there?

Personal data can be obvious information such as name, address or date of birth, but also less direct information such as IP address, location data or online identifiers that allow conclusions to be drawn about a person.

What is considered particularly sensitive personal data?

So-called “special categories of personal data” – such as health data, biometric data, ethnic origin or political opinions – are particularly worthy of protection. Their processing is subject to stricter requirements.

Why is personal data relevant for companies?

Companies process the personal data of employees, customers and suppliers. They must ensure that this data is collected, stored and used lawfully and that the rights of the data subjects are safeguarded – such as rights of access, erasure or objection.

How does the term personal data relate to an ERP system?

An ERP system manages data on employees, customers or suppliers – and therefore processes personal data. Companies must therefore ensure that access rights, data quality, deletion periods and documentation are implemented in the ERP in accordance with data protection regulations in order to guarantee the protection of personal data.

What risks arise when handling personal data?

Improper handling of personal data can lead to data protection violations – this means financial penalties, loss of reputation and lost trust among employees or business partners. It is therefore essential that personal data is handled consciously and in compliance with data protection regulations.