Two of the most frequent questions asked about GDPR, especially from non-EU-based organizations, are: what is GDPR personal data and who is a GDPR data subject? If you’ve been asking these questions but can’t seem to find a clear answer, you are not alone. The answer to these questions can determine whether or not GDPR applies to your organization and to what extent it applies.
What is GDPR Personal Data?
In Article 4(1), GDPR specifically states that “personal data” means any information relating to an identified or identifiable natural person, which is someone who can be directly or indirectly identified. For further clarification, the law provides examples of personal data: a name, identification number, location data, physical address, email address, IP address, radio frequency identification tag, photograph, video, voice recording, biometric data (eye retina, fingerprint, etc.), or an online identifier of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person.
There are a few challenges that keep the definition of personal data under GDPR from being cut-and-dry, including:
- Data from Devices: Recital 30 says that there are some online identifiers provided by devices, applications, tools, and protocols that leave traces which, when combined with unique identifiers and other information, may be used to identify natural persons. This broadens the traditional scope and definition of personal data to address the general lack of transparency when it comes to data use from devices and IoT.
- Indirect Identification: A single element might not be considered personal data in some contexts, but when it is used in conjunction with other elements, it’s able to identify a data subject. Understanding what personal data is under GDPR isn’t just knowing a list of elements; it’s considering what you can do with those elements once you use them together.
- Personal Data that isn’t always Personal Data: If you have a common name, so much so that 500,000 people in one country have the same name, then that name may not be personal data on its own. Again, when the name is used in conjunction with the name of an employer or a telephone number, then the data is more likely to identify a person, and therefore, the combination of very general data and more specific data may constitute personal data under GDPR.
- Inferred and Derived Data: Article 29 Data Protection Working Party says that “a credit score or the outcome of an assessment regarding the health of a user is a typical example of inferred data” and is personal data that “does not fall within the scope of the right to data portability.” If we extend the concept that derived data is personal data that is not subject to all of GDPR, data from the right to data portability to the entirety of GDPR, then we may have an additional loophole or exception for GDPR compliance.
- Anonymous Data: One thing about GDPR personal data is clear. Article 26 states anonymous data is not subject to the requirements of the law.
Despite the challenges, we do know that defining what personal data is under GDPR depends on the element, context, and reasonable likelihood of identification generated by the data.
Who is a GDPR Data Subject?
Here’s the issue: the law uses the term “data subject” but doesn’t define the term. Some may assume that data subjects are EU citizens, but that analysis seems to exclude the explicit language of the law and practical considerations. There’s tourism, travel, residencies, students abroad, and much more to consider. Because GDPR uses inconsistent qualifiers when referring to data subjects and informal descriptions of who a data subject is, the public has been left with varying interpretations and significant challenges. When reviewing the law, you can see the several different interpretations:
- Article 3(2) states, “This Regulation applies to the processing of personal data of data subjects who are in the Union…”
- Recital 2 gets a little more granular than Article 3(2), “The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.”
- Recital 14 states, “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
- Recital 24 states, “The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behavior of such data subjects in so far as their behavior takes place within the Union.”
Based on the language of the law above, we generally see five definitions proposed for “data subjects,” varying from any personal data physically located in the EU to citizens of the EU.
- Located in the EU: A data subject is anyone physically within the borders of the EU whose data is being processed while that individual is physically within the Union. For example, a citizen of the EU, who is physically located in the EU, who provides personal information through the purchase of a product.
- Resident of the EU: A data subject is anyone who formally resides within the Union, regardless of citizenship, while that individual is physically within the Union. For example, a non-EU citizen who is studying abroad in the EU.
- Citizen of the EU: A data subject who has formal citizenship in the EU while that individual is physically within the Union.
- An EU Resident/Citizen Located Anywhere: A data subject is anyone who has residency/citizenship in the EU whose data is being processed, regardless of where the resident/citizen is physically located at the time of processing. For example, a data subject could be an EU citizen, who is located in the US, and who provides personal information during the purchase of a product.
- Personal Data in the EU: A data subject is anyone whose personal data is located in the EU, regardless of the residence, citizenship, or physical location of the data subject. For example, a non-EU citizen, who is located in the EU, provides personal information through the purchase of a product.
Here’s what we know: the law is not clear. Reasonable, intelligent, educated people disagree about what constitutes a data subject, but it’s crucial that organizations determine their definition of a data subject. We believe that data subject location is important in defining GDPR scope, but we also know that practical realities, such as a desire to interpret and enforce the law broadly, will impact interpretation perhaps even more than the letter of the law.
Next Steps for Complying with GDPR
Now that you know who a data subject is and what personal data is under GDPR, what do you do next? First, we suggest that you retain competent legal counsel that understands your organization’s role in personal data and can help you determine what constitutes a data subject and personal data at your organization. You’ll want someone supporting your efforts, especially as the public learns from enforcement activity. Monitoring and learning from GDPR developments and enforcement action is crucial to your GDPR compliance.
Your organization also needs to make a defensible business decision around what constitutes a data subject and personal data. Organizations generally know when they’re making a decision that’s defensible or risky, and we encourage you to make this decision as defensible as possible.
Second, think through the risk. Where are you most likely to experience a data subject complaint or inquiry? Where are you most likely to experience the threat of unauthorized access or disclosure? These are the places where you should prioritize your time and resources when determining who data subjects are and what personal data is.
Finally, apply what you’ve learned from these concepts to your organization, especially if you don’t regularly process EU data subjects’ personal data but have the potential to process such data. You must have a plan of action in place to meet GDPR compliance.
Need help beginning your journey towards GDPR compliance? Contact us today.