GDPR: what are personal data?
The GDPR applies to the processing of personal data. The definition of personal data is therefore of great importance.
“Personal data are any information about an identified or identifiable natural person.”
So, when a person is identified (e.g. you know the person's name), any data you collect relating to that person is personal data.
This is also the case when a person is not identified, but 'identifiable'. This means that the person can be directly or indirectly identified.
Direct identification occurs on the basis of information that leads directly to the identity of a person. Examples include a name, an address, a telephone number, the national registration number, a photograph, etc.
Indirect identification, on the other hand, occurs on the basis of information that in itself is not directly traceable to a person, but becomes traceable when combined with other available information. These are often data that are characteristic of that natural person's physical, physiological, genetic, psychological, economic, cultural or social identity. Examples include a postal code, age, gender, data on a person's reaction time to a task, brain activity (e.g. EEG), blood sugar level, personality, heart rate, etc.
Thus, we speak of personal data when data:
- directly lead to the identity of a person;
- lead to the identity of a person in combination with other data;
- are linked to an identified or identifiable person but do not in themselves have identifiable characteristics.
It is important to remember that information that at first sight doesn't appear to be traceable to a person can therefore be personal data according to the definition of the GDPR.
Data concerning deceased persons, organisations (legal entities) or animals are not personal data according to the GDPR and therefore fall outside the scope of the GDPR. Other laws and regulations may, however, apply to these data.
Special categories
Some personal data are so sensitive that they should only be processed in very specific cases; these are the so-called 'special categories of personal data' or ‘sensitive personal data’. These are personal data from which you can derive certain sensitive information. Processing such data therefore entails a higher risk and potentially bigger impact on the rights and freedoms of the data subject(s). The GDPR therefore requires increased protection when using and processing this data.
Special categories of personal data (sensitive personal data) are those that may reveal the following:
- racial or ethnic origin,
- political views, religious or philosophical beliefs or membership of a trade union,
- genetic data (e.g. a DNA analysis),
- biometric data for the purpose of unique identification (e.g. fingerprint data or facial recognition),
- data relating to health, or
- data relating to a person’s sexual behavior or sexual orientation.
Pseudonymised personal data
Pseudonymised personal data is personal data that you process in such a way that you can no longer link it to a specific individual without additional data being used (this was referred to as 'coding' in previous Privacy Legislation). This usually involves replacing the identifying data with a pseudonym. You then include the link between the identity of the data subjects and the pseudonym in a separate file. In doing so, it is important to take the necessary technical and organisational measures to secure this separate file (e.g. encryption).
Because there still remains a link to the data subject's identity (by using additional data/information sources, the data can be linked to the data subject), pseudonymised personal data do remain personal data protected by the GDPR.
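The pseudonymisation step described above, as an added example that is not part of the original tip: direct identifiers are replaced by a random pseudonym and the link is kept in a separate key table. The field names and sample records are constructed for illustration, and storing the key table encrypted and apart from the research data is left to the environment.

```python
import secrets

# Constructed sample records; field names are assumptions for this example.
RECORDS = [
    {"name": "An Peeters", "phone": "0470 00 00 01", "postal_code": "9000", "age": 34, "heart_rate": 61},
    {"name": "Bram Claes", "phone": "0470 00 00 02", "postal_code": "9000", "age": 52, "heart_rate": 74},
    {"name": "An Peeters", "phone": "0470 00 00 01", "postal_code": "9000", "age": 34, "heart_rate": 66},
]
DIRECT_IDENTIFIERS = ("name", "phone")


def pseudonymise(records, direct_identifiers=DIRECT_IDENTIFIERS):
    """Return (research_rows, key_table).

    research_rows carry a random pseudonym instead of the direct identifiers.
    key_table maps pseudonym -> identity and must be stored separately from
    the research data, with its own access control and encryption.
    """
    by_identity = {}   # identity tuple -> pseudonym, so repeat records match
    key_table = {}     # pseudonym -> identity fields
    research_rows = []
    for rec in records:
        identity = tuple(rec[f] for f in direct_identifiers)
        if identity not in by_identity:
            # Random, not a hash of the name: a hash of a guessable value
            # can be reversed by hashing candidate names.
            pseudonym = "P-" + secrets.token_hex(8)
            by_identity[identity] = pseudonym
            key_table[pseudonym] = dict(zip(direct_identifiers, identity))
        row = {k: v for k, v in rec.items() if k not in direct_identifiers}
        row["pseudonym"] = by_identity[identity]
        research_rows.append(row)
    return research_rows, key_table


def reidentify(pseudonym, key_table):
    """Only possible for whoever holds the separate key table."""
    return key_table[pseudonym]


if __name__ == "__main__":
    rows, key = pseudonymise(RECORDS)
    for r in rows:
        print(r)
    print(len(key), "identities in the key table")
```

The research rows still contain postal code and age, which is one reason the result remains personal data.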
Anonymised personal data
With anonymised personal data, the possibilities for identification have been 'irreversibly' removed by means of a processing technique.
Personal data anonymised in such a way that no one with reasonable effort can (re)identify the data subjects are no longer considered personal data, but anonymised data. Anonymised personal data does not fall within the scope of the GDPR.
The act of anonymising does fall within the scope of the GDPR.
So please note: if you anonymise personal data yourself, you do of course work with identifiable personal data at the start of your research and during the anonymisation - at which time the GDPR will apply. This means that you must meet the requirements of the GDPR, starting with registering your processing activity through a GDPR record.
Data that can be traced back to the original individuals with reasonable effort is not anonymised data, but is still personal data falling within the scope of the GDPR.
A lot of types of research data (e.g. qualitative data, large datasets with a wide range of personal data, etc.) are difficult to anonymise.
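One way to check a dataset for the indirect identification described earlier before calling it anonymised, as an added example that is not part of the original tip: it counts how many records share each combination of postal code, age and gender, a measure known as k-anonymity, which the tip itself does not name. The rows, field names and the coarsening rule are constructed for illustration.

```python
from collections import Counter

# Constructed sample rows with direct identifiers already removed.
ROWS = [
    {"postal_code": "9000", "age": 34, "gender": "F", "blood_sugar": 5.1},
    {"postal_code": "9000", "age": 36, "gender": "F", "blood_sugar": 5.6},
    {"postal_code": "9000", "age": 52, "gender": "M", "blood_sugar": 6.3},
    {"postal_code": "9050", "age": 57, "gender": "M", "blood_sugar": 5.9},
    {"postal_code": "9000", "age": 58, "gender": "M", "blood_sugar": 4.8},
]
QUASI_IDENTIFIERS = ("postal_code", "age", "gender")


def group_sizes(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count rows per combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)


def smallest_group(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """The k in k-anonymity: size of the smallest group sharing all values."""
    return min(group_sizes(rows, quasi_identifiers).values())


def singled_out(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Rows whose combination is unique and so points at one person."""
    sizes = group_sizes(rows, quasi_identifiers)
    return [r for r in rows
            if sizes[tuple(r[q] for q in quasi_identifiers)] == 1]


def generalise(row):
    """Coarsen the row: 10-year age band and 2-digit postal prefix."""
    out = dict(row)
    low = row["age"] // 10 * 10
    out["age"] = f"{low}-{low + 9}"
    out["postal_code"] = row["postal_code"][:2] + "xx"
    return out


if __name__ == "__main__":
    print("raw: smallest group =", smallest_group(ROWS))
    coarse = [generalise(r) for r in ROWS]
    print("generalised: smallest group =", smallest_group(coarse))
```

A smallest group larger than 1 only shows that these three fields no longer single anyone out; other columns or outside data sources can still allow re-identification.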
Anonymous data
Anonymous data is data that doesn't relate to an identified or identifiable natural person, or personal data rendered anonymous in such a way that the data subject is not or no longer identifiable. Data is anonymous if no one, by any means, can identify the persons concerned. It is therefore not enough that identification is impossible only for your research group.
Anonymous data are not personal data and don't fall under the scope of the GDPR.
Please note: even if you only process anonymous data, it's still important to evaluate the ethical aspects of collecting or processing those data.
Translated tip
Last modified Aug. 28, 2024, 10:01 a.m.