What is the scope of the GDPR?
For the GDPR to be applicable, personal data needs to be:
Entirely or partly processed by automated means;
Part of a filing system, or intended to be part of a filing system, when processing does not happen by automated means.
What constitutes “personal data”?
When is a person “identifiable”?
The context in which the data is being collected is also very important.
A single piece of data (e.g. hair colour, occupation, car…) might not be enough to identify a natural person. However, if that data is combined with other data, this might change the situation. Enterprises that collect multiple types of data on people should take this into account.
Anonymizing and pseudonymizing data are encouraged by the GDPR. The difference between these techniques is that pseudonymous data merely reduces linkability but still allows for some form of re-identification (e.g. encryption, or when the identifiers are replaced by individual codes), while anonymous data cannot be re-identified (linked to persons) at all.
Any data or information which has had its identifiers removed (anonymization) or replaced (pseudonymization) will still be considered “personal data” for the purposes of the GDPR.
N.B. Information which is truly and fully anonymous even before being processed is not covered by the GDPR.
What is not “personal data”?
Information about a deceased person, cookies tracking the number of visits to a website without identifying the visitors (statistics), data about companies or public authorities, and any other data that cannot be directly or indirectly linked to a person are not considered personal data.
However, a nuance should be added regarding information about individuals acting as sole traders, employees, partners and enterprise directors when the information relates to them as individuals and where they are individually identifiable. In that case, it does concern “personal data”.
Special categories of data
The GDPR makes a distinction between ‘regular’ personal data and special categories of data. The latter require extra protection because of their sensitive nature. Therefore, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is, in principle, prohibited.
However, a limited number of exceptions to this rule is provided by the legislator.
“Processing” is defined very broadly under the GDPR:
Any operation or set of operations;
Which is performed on personal data or on sets of personal data;
Whether or not by automated means.
Recording – Collecting – Organising – Structuring – Adapting or altering – Storing – Retrieving – Consulting – Disclosing by transmission – Using – Disseminating or otherwise making available – Aligning or combining – Erasing or destroying – Restricting
When you pseudonymize or anonymize personal data, you are also processing in the sense of the GDPR.
What does not constitute “processing” under the GDPR?
The GDPR does not apply to certain activities such as processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities (e.g. when collecting names and telephone numbers of attendees of a party at your house).
In the absence of processing activities or personal data, the GDPR will not apply.