Francois1208
Newcomer I

GDPR - What is considered personal data?

Hi community,

 

I have a very practical question: Since the regulation defines personal data as “Any information relating to an identified or identifiable natural person…”, does it mean first + last name is considered personal data? Historically we identified PII as a combination of several elements like name + address or name + social. If first + last is indeed considered personal information under GDPR the impact is much more significant so we want to make sure we're addressing it appropriately.

 

I haven't been able to get a straight answer yet so I figured someone here might be able to help.

 

Thanks!

 

33 Replies
Early_Adopter
Community Champion

@Bhuwnesh @arifhussain Guys, someone's name is most definitely Personal Data under the GDPR.

 

The GDPR is not an initiative, it's a law enforced by the largest trading bloc in the world.

 

It doesn't need to be combined with anything else and you need a legal means or explicit consent to process it.

 

If you don't have this, and you control the data of a Natural Person residing in the EU that you acquired from your establishment in the EU (a website served from Bangalore and Pune but accessible in the EU would count) then woe betide you.

 

You outsource it to another processor without BCR, Third country adequacy etc - someone tips off a Supervisory Authority or Max Schrems goes after you, or you get a SAR you ignore, or you have a breach of personal data and don't inform within 72 hours - welcome to administrative fines. You don't play ball, the SA goes after your establishment.

 

OK, let's say you have no business in the EU at all, but you still processed that data and you have a bad breach. Do you need consumer trust for your business? Sorry, you don't have that anymore as you just got dragged through the European legal system, backward by the collar with every consumer advocacy group kicking you on the way. Any legal agreements between your country and EU? They use those. No legal, diplomatic, doesn't work economics. You are in tatters, Equifax Squared.

 

Bottom line, the name is enough, and you have all of the agencies represented by WP29 who can go after you, and they all want a kill in May or shortly after.

 

marcvael
Newcomer I

Apologies but the EU GDPR is applicable to all identifiable natural persons (no distinction between deceased or living) : always go to the authentic source of the EU GDPR please  so no mistakes are made http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:20...

marcvael
Newcomer I

Wrong: GDPR applies to all identifiable natural persons. The words "living" or "deceased" do not even appear in the regulation. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:20...
mikkosuomu
Newcomer II

Hi,

considering GDPR, here's a nice infographic:

http://ec.europa.eu/justice/smedataprotect/index_en.htm

 

Early_Adopter
Community Champion

@marcvael It doesn't need to; it's implicit due to the fact a 'Natural Person' is a living, not dead, person, with 'sense of self', 'limited lifespan' etc. Once you are dead GDPR no longer applies to that data as you don't really have any rights or liberties to protect.

 

Happy to be persuaded away from this viewpoint, but that's a long march.

 

https://legaldictionary.net/natural-person/

Early_Adopter
Community Champion

OK, the third time I tried to post... apologies if they all come through at once...

 

@marcvael the term 'Natural Person' pretty much defines a living person - that is one with a limited lifespan and one that is conscious, can think and make choices. Dead people can't do any of these things.

 

 https://legaldictionary.net/natural-person/

 

So it's implicit when that term is used and doesn't need to reference living in the text.

 

Early_Adopter
Community Champion

Wow, tough to reply to this thread... Fourth time lucky?

 

'Natural Person' as an entity specifically defines them as having choice, free will, possessing a limited lifespan, will die one day.

 

Zombies do not have their personal data protected under the GDPR, nor do dead people.

marcvael
Newcomer I

Deceased people's privacy cannot be abused by any organisation or other people. Relatives inherit the privacy rights of a deceased person. Dead people have (privacy) rights even beyond when they lived.

TimG
Newcomer III

Others posting on this thread have made the point that the best place to go for guidance is the EU (look up the Article 29 Working Party - it stems from article 29 of the Data Protection Directive, but its guidance on the GDPR is viewed as the nearest thing we have to definitive at the moment) and/or your local data protection regulator. It's helpful to bear in mind that the law is rooted in the human rights of EU citizens and not in the data themselves. Can your organisation identify a living EU citizen from the data either directly or by cross-reference with others? If so, then they're personal.

Remember that the law attaches to the data subject and not to the data - it matters not a jot where you are processing them, though it's way easier to demonstrate compliance if you do it within the European Economic Area. The burden is on the data controller to prove compliance, and that is something to which many of us simply aren't accustomed. We're just going to have to learn to deal with it.

There's a sort of analogy with money, which has been regulated for some time. If my bank can't show where my money is, what it's doing with it or it can't hand it back to me when I ask then it's breaking the law. We're heading that way now with personal data so if you use, copy or share them you need to know where, how and why, and if needs be you have to be able to correct them and stop processing or storing them unless you need them in order to comply with other legislation.

If that doesn't seem hard to do, then it's likely that you're missing something!

Early_Adopter
Community Champion

Maybe, but not under the GDPR, and they are not natural persons.

 

Recital 27 is really very specific on this.

 

'This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.'

 

So in summary, dead people are not natural people, and outside of what a natural person is defined as (not dead) the GDPR specifically excludes dead people and allows individual countries a free hand.