Hi community,
I have a very practical question: Since the regulation defines personal data as "Any information relating to an identified or identifiable natural person…", does it mean first + last name is considered personal data? Historically we identified PII as a combination of several elements like name + address or name + social. If first + last is indeed considered personal information under GDPR, the impact is much more significant, so we want to make sure we're addressing it appropriately.
I haven't been able to get a straight answer yet so I figured someone here might be able to help.
Thanks!
First of all it must belong to a living entity, not a deceased one.
"Any information relating to an identified or identifiable living natural person (data subject)."
A data subject is defined as the individual whose data is being collected and can be identified from the data.
Does this answer your question?
So out of the data available that you hold, can you identify the person from the information you hold? I.e. can you identify their activity by location (GPS), by IP address and/or MAC address, by biometric data or DNA, or by association with their abode, i.e. address, bank numbers, social number, etc.
All of these could identify that living person.
Suggest you have a look at the EU's independent data protection authority's website for a definition: https://edps.europa.eu/node/3110#personal_data
They give examples too:
"The name and the social security number are two examples of personal data which relate directly to a person. But the definition also extends further and also encompasses for instance e-mail addresses and the office phone number of an employee. Other examples of personal data can be found in information on physical disabilities, in medical records and in an employee's evaluation."
Recently attended a session hosted by the deputy EU data protection supervisor where they even stated IP addresses may be considered personal data. Might make sense to keep an eye on their website as they promised to come up with guidance documents.
Good point: I am seeing so many different interpretations of the facts - we should always go back to the original source for the true facts.
Well, given that there was a European Court case which was upheld on the very fact that IP addresses and/or MAC addresses could identify the activity of the individual involved, this is also the stance taken by my organisation as well. However, only when the lawyers, who are obviously waiting for the 25th May 2018, deliver their lawsuits and challenges will this be tested fully.
Yes, the Data Processor: a person or body acting on behalf of the data controllers to store or process the data.
I know, every contract has to be reviewed, from a risk management perspective, and agreed with the clients and appropriate Technical & Organisational Measures (TOMs) have to be agreed and put in place.
@Caute_cautim wrote: Well, given that there was a European Court case which was upheld on the very fact that IP addresses and/or MAC addresses could identify the activity of the individual involved, this is also the stance taken by my organisation as well. However, only when the lawyers, who are obviously waiting for the 25th May 2018, deliver their lawsuits and challenges will this be tested fully.
There is a really good paper on this on the ICO (Information Commissioner's Office) website in the UK with lots of examples: https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf . It builds up the scenarios really well; ultimately you have to make a sensible decision. For me it boils down to some simple questions:
- Is it an organised electronic or paper store?
- Can it identify a living person (or use identifiers to get to that living individual, e.g. IP address)?
- The attributes and information that relate to that living person are personal information.