Personal data

What is personal data?

How do you determine whether something is personal data? Personal data is information that relates to an identified or identifiable, living natural person. Identifiers include name, address, telephone number, email address, personal identity number, and other details that can be used to identify an individual directly or indirectly. Examples of personal data under GDPR include online identifiers, biometric data and financial information when linked to a person.

It is important to note that information may be personal data even if it does not directly mention a person’s name or personal identity number, provided it can be linked to that person. This is the case where, for example, a database contains a person’s financial information that, on its own, does not identify the owner of the data but can be connected to a name or personal identity number belonging to a natural person. A GDPR lawyer at Morling Consulting can help assess whether your data constitutes personal data under GDPR.


How personal data can be misused

Personal data can be misused in many ways if it is not handled correctly. One of the most common is identity theft, where an unauthorised party obtains someone’s details and uses them to open bank accounts, take out loans or order goods in the victim’s name. This can cause significant financial and personal harm.


Another risk is unauthorised disclosure, where data collected for a specific purpose is shared or sold without consent. This may expose people to targeted advertising, fraud attempts or, in the worst case, harassment. Such disclosure often occurs via digital channels where large volumes of data can spread quickly, for example after a cyberattack.


Even incorrect handling within an organisation can have serious consequences. If security routines fail, for example in the storage or transfer of data, personal data may end up in the wrong hands by mistake. It is therefore essential that companies and organisations continuously review their procedures and security measures to minimise the risk of misuse.


Common misconceptions about personal data

A common misconception is that personal data only concerns names and personal identity numbers. In reality, the concept is much broader and includes IP addresses, images, recordings and other data that, in some way, relates to a living individual. Even combinations of data that, individually, do not identify a person can become personal data when, together, they make it possible to identify someone. These are clear examples of personal data.


Another misconception is that companies and organisations can freely use personal data as long as they do not sell it. However, GDPR regulates not only sales but all forms of processing: collection, storage, analysis and even deletion. Even internal uses therefore require adherence to the GDPR rules on personal data.


There is also a persistent belief that GDPR only applies within the EU. In practice, the rules apply to any organisation that processes personal data about people in the EU, regardless of where the organisation is based. This means international actors must also comply if they have customers or users in the EU.

Sensitive personal data under GDPR

Certain types of personal data are considered particularly worthy of protection and are subject to special rules under GDPR. The starting point is that these special categories of personal data must not be processed, subject to limited exceptions. One exception is where the person has given explicit consent to the processing of this sensitive personal data; another is where the person has made the data public themselves, for example by publishing it online. Sensitive personal data includes:

  • Race or ethnic origin, for example information about a person’s skin colour.
  • Political opinions, for example information about membership of a particular political party.
  • Religious or philosophical beliefs, for example information about religious affiliation.
  • Trade union membership, for example information about payment of union fees.
  • Genetic and biometric data, for example facial recognition data.
  • Health data, for example information about allergies.
  • Sex life or sexual orientation, for example information about partnerships or marital status that reveals sexual orientation.

Special categories of personal data also include data from which certain inferences can be drawn. It is therefore not always clear whether a given item of personal data requires special protection. Morling Consulting’s GDPR consultants can advise on which personal data qualifies as sensitive personal data.

Frequently asked questions on personal data under GDPR

Information is personal data when it directly or indirectly relates, or can relate, to a living natural person. This applies even if the information does not mention the person’s name or personal identity number, as long as the information can be connected to the individual through, for example, a customer number, IP address or other supplementary data.

Handling personal data (“processing” in GDPR terms) covers all operations on the data, whether manual or digital. It includes, among other things:

  • Collecting, recording or storing data.
  • Analysing, structuring or adjusting data.
  • Transferring, sharing, erasing or destroying data.

When a company processes personal data, GDPR must be followed. Key requirements include:

  • There must be a lawful basis defined before processing begins.
  • The purpose must be clear and the data must not be used for incompatible new purposes.
  • Personal data must be protected with appropriate security measures.
  • The organisation must inform data subjects about the processing and respect their rights.
  • Documentation is required to demonstrate compliance.

Morling Consulting helps ensure your operations meet GDPR personal data requirements.

Certain data is considered particularly sensitive under GDPR and is generally prohibited from processing, save for limited exceptions. This includes information about, for example, health, sexual orientation, genetic data, ethnic origin, religious belief, political opinions or trade union membership. Where there is doubt about whether information qualifies as sensitive personal data, Morling Consulting provides legal advice.

All data that relates, or can relate, to a living natural person is covered by GDPR. Even data that does not contain a name or personal identity number can be personal data under GDPR if it can be linked to an individual. This includes, for example:

  • Technical identifiers (such as IP addresses).
  • Internal ID numbers that can be traced to a person.
  • Pseudonymised data, i.e., data that can be re-identified.

Morling Consulting can help you correctly assess which information constitutes personal data under GDPR.

Contact us

If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85
