Personal data is a very broad concept in the context of the GDPR. It can include any information about an individual - both information that is commonly understood as personal data (e.g. name, address, personal ID number, etc.) and less obvious information such as image, location, information about purchases from an online shop, online activity or email correspondence.
The key criterion in assessing whether information is 'personal data', is whether the information relates to an identified or identifiable natural person. In many cases, the question whether the information relates to an "identifiable person" is problematic. The preamble of the GDPR indicates that:
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
In practical terms, looking from the perspective of the entity that holds personal data, if the entity is able to identify certain information as relating to a specific individual without or after additional measures, but using objectively available technologies and with objectively reasonable cost and time, it should treat that information as personal data within the meaning of the GDPR.
What is the ‘processing’ of personal data under the GDPR?
Data processing within the meaning of the GDPR is a very broad concept. From a practical point of view, it can be assumed that if to any extent, for any reason and in any way employees of an organisation's have access to recorded personal data in the performance of their duties, or if to any extent, for any reason and in any way, personal data is recorded (even temporarily) using an organisation's assets, that organisation is processing such personal data.
What is a 'restriction of processing' of personal data under the GDPR?
For information on the concept of 'restriction of processing', please refer to the commentary on GDPR Article 18.
What is 'profiling' under the GDPR?
For information on the concept of 'profiling', please refer to the commentary in GDPR Article 22.
What is 'pseudonymisation' under the GDPR?
Pseudonymisation is one of the measures for the protection of personal data: it is an action involving the processing of personal data in such a way that, after processing, the data can no longer be attributed to a specific data subject without the use of additional information (e.g. a key), provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
As the preamble to the GDPR states:
Pseudonymisation of personal data can reduce risks for data subjects and help controllers and processors to comply with their data protection obligations.
From a practical point of view, when planning the implementation of pseudonymisation, it should be considered on a case-by-case basis:
whether the personal data has been processed in such a way that it cannot be effectively attributed to a specific individual without the use of additional information (i.e. in particular, whether the raw information is not sufficient to be attributed to a specific individual);
that additional identifying information is stored separately and in an appropriately protected manner.
Importantly, as the preamble to the GDPR states:
Pseudonymised personal data that can be attributed to a natural person using additional information should be considered as information relating to an identifiable natural person,
and therefore still as personal data within the meaning of the GDPR, to which the provisions of the GDPR apply.
What is a 'data set' within the meaning of the GDPR?
Who is the controller of personal data within the meaning of the GDPR?
From the perspective of the provisions of the GDPR, the data controller is a key concept. Indeed, the vast majority of obligations under the GDPR fall on the controller. ‘Controller’ means the natural or legal person, public authority, body or other entity which alone or jointly with others determines the purposes and means of the processing of personal data. In practice, it may often be difficult to unambiguously identify which entity determines the purposes and means of a particular processing of personal data and, consequently, which entity is the controller under the GDPR in relation to a particular processing of personal data (particularly where several entities are involved in the processing).
From a practical perspective, the following information may be helpful in identifying the controller in a particular processing operation:
In practice, where an obligation or right to carry out a particular processing of personal data arises from the law, or where the manner of processing is described in the law, the entity that has such a right or obligation, or that is indicated as having to process the data in a particular manner, will in most cases be considered the controller of such data (see further information in the aforementioned Guidelines).
The employer will, in principle, be the controller of the data of its employees that it processes in the context of the employment relationship (see further information in the abovementioned Guidelines).
An entity that enters into a contract with an individual will, in principle, be the controller of that individual's data to the extent that it processes that data in connection with a contract with that individual.
Who is a 'processor' under the GDPR?
For comments on the concept of 'processor', please see the commentary on GDPR Article 28.
Who is a 'recipient' of data under the GDPR?
In practice, a ‘recipient’ is any person or entity to whom the controller or processor discloses personal data, regardless of whether the data subject obtains and processes the data with or without the authority of the discloser.
Importantly, public authorities receiving personal data in the context of a specific proceeding under European Union or Member State law are not considered recipients.
Who is a ‘third party’ under the GDPR?
From a practical perspective, a 'third party' under the GDPR is any natural or legal person, public authority, body or entity body that is not:
the controller of certain personal data;
the processor thereof;
the data subject,
another entity that may process personal data under the authority of the controller or processor (for example, an employee of the controller).
In other words, a ‘third party’ is an entity that is not a data subject, a controller, a processor or another person who processes personal data under the authority of the controller or processor.
What is 'consent' for data processing under the GDPR?
Biometric data is personal data relating to the physical, physiological or behavioural characteristics of an individual, which is processed in such a way that it allows or confirms the unique identification of that person. Examples of biometric data can be an appropriately processed facial image, dactyloscopic data, a processed retinal image. The specificity of biometric data is that it is generated by processing other personal data (e.g. physical characteristics of a person).
The Labour Code contains specific provisions on the processing of biometric data of employees. According to Article 221b of the Labour Code, employees' biometric data may be processed in two cases:
if consent to the processing of such data is given and the provision of such data is at the initiative of the employee (whereby the imbalance in the relationship between the employer and the employee must be taken into account when considering basing data processing on consent to data processing);
where the provision of such data is necessary to control access to particularly sensitive information, the disclosure of which could expose the employer to harm, or access to premises requiring special protection.
The employer would therefore be in breach of the principles set out in the GDPR (Article 5(1)) by using the employee's biometric data to record working time. In particular, he would be processing data contrary to the principles of lawfulness (point (a)), purpose limitation (point (b)) and data minimisation (point (c)), as he would not be able to demonstrate why and on what legal basis he processes employees' biometric data for the purpose of verifying their attendance at work.
What is a 'main business unit' under the GDPR?
For comments on the concept of 'main organisational unit', please see the commentary on GDPR Article 56.
Who is a 'representative' under the GDPR?
For comments on the concept of 'representative', please see the commentary on GDPR Article 27.
What are 'binding corporate rules' under the GDPR?
For comments on the concept of 'binding corporate rules', please see the commentary on GDPR Article 47.
What is 'cross-border processing' of personal data under the GDPR?
For comments on the concept of ‘cross-border processing’ of personal data, please see the commentary on GDPR Article 56.
What are 'information society services' under the GDPR?
The term 'information society services' is defined in Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and rules on information society services. This means any service normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient of the service.
At the same time, the aforementioned Directive states that:
‘at a distance’ means that the service is provided without the parties being simultaneously present;
‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;
‘at the individual request of the recipient of services’ means that the service is provided through the transmission of data on individual request.
From a practical point of view, in the context of personal data, the processing of personal data in relation to the provision of information society services will most often occur when personal data is processed in relation to services provided over the Internet.
Commentary on art. 4
Definitions
What is 'personal data' under the GDPR?
Personal data is a very broad concept in the context of the GDPR. It can include any information about an individual - both information that is commonly understood as personal data (e.g. name, address, personal ID number, etc.) and less obvious information such as image, location, information about purchases from an online shop, online activity or email correspondence.
The key criterion in assessing whether information is 'personal data', is whether the information relates to an identified or identifiable natural person. In many cases, the question whether the information relates to an "identifiable person" is problematic. The preamble of the GDPR indicates that:
In practical terms, looking from the perspective of the entity that holds personal data, if the entity is able to identify certain information as relating to a specific individual without or after additional measures, but using objectively available technologies and with objectively reasonable cost and time, it should treat that information as personal data within the meaning of the GDPR.
What is the ‘processing’ of personal data under the GDPR?
Data processing within the meaning of the GDPR is a very broad concept. From a practical point of view, it can be assumed that if to any extent, for any reason and in any way employees of an organisation's have access to recorded personal data in the performance of their duties, or if to any extent, for any reason and in any way, personal data is recorded (even temporarily) using an organisation's assets, that organisation is processing such personal data.
What is a 'restriction of processing' of personal data under the GDPR?
For information on the concept of 'restriction of processing', please refer to the commentary on GDPR Article 18.
What is 'profiling' under the GDPR?
For information on the concept of 'profiling', please refer to the commentary in GDPR Article 22.
What is 'pseudonymisation' under the GDPR?
Pseudonymisation is one of the measures for the protection of personal data: it is an action involving the processing of personal data in such a way that, after processing, the data can no longer be attributed to a specific data subject without the use of additional information (e.g. a key), provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
As the preamble to the GDPR states:
From a practical point of view, when planning the implementation of pseudonymisation, it should be considered on a case-by-case basis:
Importantly, as the preamble to the GDPR states:
and therefore still as personal data within the meaning of the GDPR, to which the provisions of the GDPR apply.
What is a 'data set' within the meaning of the GDPR?
For comments on the concept of ‘data set’, please see the commentary to GDPR Article 2.
Who is the controller of personal data within the meaning of the GDPR?
From the perspective of the provisions of the GDPR, the data controller is a key concept. Indeed, the vast majority of obligations under the GDPR fall on the controller. ‘Controller’ means the natural or legal person, public authority, body or other entity which alone or jointly with others determines the purposes and means of the processing of personal data. In practice, it may often be difficult to unambiguously identify which entity determines the purposes and means of a particular processing of personal data and, consequently, which entity is the controller under the GDPR in relation to a particular processing of personal data (particularly where several entities are involved in the processing).
From a practical perspective, the following information may be helpful in identifying the controller in a particular processing operation:
Who is a 'processor' under the GDPR?
For comments on the concept of 'processor', please see the commentary on GDPR Article 28.
Who is a 'recipient' of data under the GDPR?
In practice, a ‘recipient’ is any person or entity to whom the controller or processor discloses personal data, regardless of whether the data subject obtains and processes the data with or without the authority of the discloser.
Importantly, public authorities receiving personal data in the context of a specific proceeding under European Union or Member State law are not considered recipients.
Who is a ‘third party’ under the GDPR?
From a practical perspective, a 'third party' under the GDPR is any natural or legal person, public authority, body or entity body that is not:
In other words, a ‘third party’ is an entity that is not a data subject, a controller, a processor or another person who processes personal data under the authority of the controller or processor.
What is 'consent' for data processing under the GDPR?
For comments on the concept of ‘consent’ for the processing of personal data, please see the commentary on GDPR Article 7.
What is a 'personal data breach' under the GDPR?
For comments on the concept of ‘data breach’, please see the commentary to GDPR Article 33.
What is 'biometric data' under the GDPR?
Biometric data is personal data relating to the physical, physiological or behavioural characteristics of an individual, which is processed in such a way that it allows or confirms the unique identification of that person. Examples of biometric data can be an appropriately processed facial image, dactyloscopic data, a processed retinal image. The specificity of biometric data is that it is generated by processing other personal data (e.g. physical characteristics of a person).
The Labour Code contains specific provisions on the processing of biometric data of employees. According to Article 221b of the Labour Code, employees' biometric data may be processed in two cases:
The Polish Office for the Protection of Personal Information (PUODO) explicitly addressed the issue of the processing of employees' biometric data for the purpose of time recording - it considered such processing to be incompatible with the GDPR:
What is a 'main business unit' under the GDPR?
For comments on the concept of 'main organisational unit', please see the commentary on GDPR Article 56.
Who is a 'representative' under the GDPR?
For comments on the concept of 'representative', please see the commentary on GDPR Article 27.
What are 'binding corporate rules' under the GDPR?
For comments on the concept of 'binding corporate rules', please see the commentary on GDPR Article 47.
What is 'cross-border processing' of personal data under the GDPR?
For comments on the concept of ‘cross-border processing’ of personal data, please see the commentary on GDPR Article 56.
What are 'information society services' under the GDPR?
The term 'information society services' is defined in Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and rules on information society services. This means any service normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient of the service.
At the same time, the aforementioned Directive states that:
From a practical point of view, in the context of personal data, the processing of personal data in relation to the provision of information society services will most often occur when personal data is processed in relation to services provided over the Internet.
For more on such services, please see the commentary on GDPR Article 8.