We build an overview of what data exists, where it comes from, and which systems and suppliers are involved. This makes it easier to see where links to individuals may arise, even when data is spread across multiple places.
Personal data
Data protection lawyers assess how personal data may be handled, stored and shared
What is personal data?
How do you determine whether something is personal data? Personal data is information that relates to an identified or identifiable, living natural person. Identifiers include name, address, telephone number, email address, personal identity number, and other details that can be used to identify an individual directly or indirectly. Examples of personal data under GDPR personal data rules include online identifiers, biometric data and financial information when linked to a person.
It is important to note that information may be personal data even if it does not directly mention a person’s name or personal identity number, provided it can be linked to that person. This is the case where, for example, a database contains a person’s financial information that, on its own, does not identify the owner of the data but can be connected to a name or personal identity number belonging to a natural person. A GDPR lawyer at Morling Consulting can help assess whether your data constitutes personal data under GDPR.
Approach for governing personal data processing
The data is categorised based on how it can be linked to a person and what the consequences would be if it were accessed or disclosed unlawfully. The focus is on likely misuse scenarios and where the level of protection needs to be raised.
You develop a practical plan with measures in the right order, based on risk and feasibility. The result is clear decision points for the business and a reasonable level of controls and documentation.
Measures are implemented in routines for collection, access, storage, and sharing, as well as in relevant technical settings. At the same time, we create traceability so you can demonstrate how the handling is intended to work in practice.
You set up a simple approach for recurring reviews of changes in the business and IT environment. This reduces the risk that new uses of personal data are launched without being assessed and addressed in time.
Documented data flows
When you have a clear picture of which personal data you handle, it becomes easier to set the right controls. Build on this with records and retention rules, and ensure the supplier chain is governed by contracts. Click through to turn oversight into concrete actions.
How personal data can be misused
Personal data can be misused in many ways if it is not handled correctly. One of the most common is identity theft, where an unauthorised party obtains someone’s details and uses them to open bank accounts, take out loans or order goods in the victim’s name. This can cause significant financial and personal harm.
Another risk is unauthorised disclosure, where data collected for a specific purpose is shared or sold without consent. This may expose people to targeted advertising, fraud attempts or, in the worst case, harassment. Such disclosure often occurs via digital channels where large volumes of data can spread quickly, for example after a cyberattack.
Even incorrect handling within an organisation can have serious consequences. If security routines fail, for example in the storage or transfer of data, personal data may end up in the wrong hands by mistake. It is therefore essential that companies and organisations continuously review their procedures and security measures to minimise the risk of misuse.
GDPR REQUIREMENTS
How does the General Data Protection Regulation (GDPR) affect personal data?
As soon as personal data is processed by, for example, a company or an association, the General Data Protection Regulation (GDPR) applies. Under GDPR, companies must handle personal data in line with the following:
- Lawful basis: All processing of personal data must have a lawful basis, for example consent or legitimate interests.
- Purpose limitation: Organisations must clearly state the purpose for collecting and processing personal data and must not use it for incompatible purposes.
- Data minimisation: Only personal data necessary for the purpose may be collected and stored.
- Storage limitation: Personal data must not be stored longer than is necessary for the purpose.
- Security: Appropriate technical and organisational measures must be implemented to protect the personal data.
- Transparency: Organisations must inform individuals about how their personal data is processed and respect their rights, such as the rights of access and erasure.
- Accountability: Organisations are responsible for, and must be able to demonstrate, compliance with GDPR’s principles.
- Data Protection Officer (DPO): Certain organisations must appoint a Data Protection Officer as part of their GDPR compliance.
By following these principles, organisations can ensure GDPR personal data compliance and avoid potential sanctions. Morling Consulting can help your organisation comply with GDPR and related legislation across Europe.
Common misconceptions about personal data
A common misconception is that personal data only concerns names and personal identity numbers. In reality, the concept is much broader and includes IP addresses, images, recordings and other data that, in some way, relates to a living individual. Even combinations of data that, individually, do not identify a person can become personal data when, together, they make it possible to identify someone. These are clear examples of personal data.
Another misconception is that companies and organisations can freely use personal data as long as they do not sell it. However, GDPR regulates not only sales but all forms of processing — collection, storage, analysis and even deletion. Even internal uses therefore require adherence to personal data under GDPR rules.
There is also a persistent belief that GDPR only applies within the EU. In practice, the rules apply to any organisation that processes personal data about people in the EU, regardless of where the organisation is based. This means international actors must also comply if they have customers or users in the EU.
Sensitive personal data under GDPR
Certain types of personal data are considered particularly worthy of protection and are subject to special rules under GDPR. The starting point is that these special categories of personal data must not be processed, subject to limited exceptions. One exception is where the person has given explicit consent to the processing of this sensitive personal data; another is where the person has made the data public themselves, for example by publishing it online. Sensitive personal data includes:
- Race or ethnic origin, for example information about a person’s skin colour.
- Political opinions, for example information about membership of a particular political party.
- Religious or philosophical beliefs, for example information about religious affiliation.
- Trade union membership, for example information about payment of union fees.
- Genetic and biometric data, for example facial recognition data.
- Health data, for example information about allergies.
- Sex life or sexual orientation, for example information about partnerships or marital status that reveals sexual orientation.
Special categories of personal data also include data from which certain inferences can be drawn. It is therefore not always clear whether a given item of personal data requires special protection. Morling Consulting’s GDPR consultants can advise on which personal data qualifies as sensitive personal data.
Frequently asked questions on personal data under GDPR
Information is personal data when it directly or indirectly relates, or can relate, to a living natural person. This applies even if the information does not mention the person’s name or personal identity number, as long as the information can be connected to the individual through, for example, a customer number, IP address or other supplementary data.
Handling personal data (“processing” in GDPR terms) covers all operations on the data, whether manual or digital. It includes, among other things:
- Collecting, recording or storing data.
- Analysing, structuring or adjusting data.
- Transferring, sharing, erasing or destroying data.
When a company processes personal data, GDPR must be followed. Key requirements include:
- There must be a lawful basis defined before processing begins.
- The purpose must be clear and the data must not be used for incompatible new purposes.
- Personal data must be protected with appropriate security measures.
- The organisation must inform data subjects about the processing and respect their rights.
- Documentation is required to demonstrate compliance.
Morling Consulting helps ensure your operations meet GDPR personal data requirements.
Certain data is considered particularly sensitive under GDPR and is generally prohibited from processing, save for limited exceptions. This includes information about, for example, health, sexual orientation, genetic data, ethnic origin, religious belief, political opinions or trade union membership. Where there is doubt about whether information qualifies as sensitive personal data, Morling Consulting provides legal advice.
All data that relates, or can relate, to a living natural person is covered by GDPR. Even data that does not contain a name or personal identity number can be personal data under GDPR if it can be linked to an individual. This includes, for example:
- Technical identifiers (such as IP addresses).
- Internal ID numbers that can be traced to a person.
- Pseudonymised data, i.e., data that can be re-identified.
Morling Consulting can help you correctly assess which information constitutes personal data under GDPR.
Speak to a GDPR lawyer
Do you need support on personal data and processing activities? Contact us to discuss
"*" indicates required fields