Two of the most frequent questions asked about GDPR, especially from non-EU-based organizations, are:
If you’ve been asking these questions but can’t seem to find a clear answer, you are not alone. The answer to these questions can determine whether or not GDPR applies to your organization and to what extent it applies.
Let’s take a closer look at GDPR personal data and data subjects with everything you need to know at a high-level, starting with a couple of basic definitions.
What is a Natural Person According to GDPR?
Under the GDPR, a natural person is a living, breathing human being. Natural persons are contrasted with legal persons, which are entities that are not natural persons, but that have some of their legal rights. Examples include corporations and partnerships. The GDPR protects the personal data of data subjects who are natural persons. However, both natural and legal persons can be data controllers and data processors.
What is GDPR Personal Data?
In Article 4(1), GDPR specifically states that “personal data” means any information relating to an identified or identifiable natural person, which is someone who can be directly or indirectly identified. This includes:
- Identification number
- Location data
- Physical address
- Email address
- IP address
- Radio frequency identification tag
- Voice recording
- Biometric data (eye retina, fingerprint, etc.)
- An online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person.
There are a few challenges that keep the definition of personal data under GDPR from being cut-and-dried, including:
Data from Devices
Recital 30 says that there are some online identifiers provided by devices, applications, tools, and protocols that leave traces which, when combined with unique identifiers and other information, may be used to identify natural persons. This broadens the traditional scope and definition of personal data to address the general lack of transparency when it comes to data use from devices and IoT.
A single element might not be considered personal data in some contexts, but when it is used in conjunction with other elements, it’s able to identify a data subject. Understanding what personal data is under GDPR isn’t just knowing a list of elements; it’s considering what you can do with those elements once you use them together.
Personal Data that isn’t always Personal Data
If you have a common name, so much so that 500,000 people in one country have the same name, then that name may not be personal data on its own. Again, when the name is used in conjunction with the name of an employer or a telephone number, then the data is more likely to identify a person, and therefore, the combination of very general data and more specific data may constitute personal data under GDPR.
Inferred and Derived Data
Article 29 Data Protection Working Party says that “a credit score or the outcome of an assessment regarding the health of a user is a typical example of inferred data” and is personal data that “does not fall within the scope of the right to data portability.” If we extend that concept, that derived data is personal data which is not subject to all of GDPR, from the right to data portability to the entirety of GDPR, then we may have an additional loophole or exception for GDPR compliance.
One thing about GDPR personal data is clear: Article 26 states that anonymous data is not subject to the requirements of the law.
Despite the challenges, we do know that defining what personal data is under GDPR depends on the element, context, and reasonable likelihood of identification generated by the data.
Defining Data Subjects Under GDPR
Here’s the issue: the law uses the term “data subject” but doesn’t define the term. Some may assume that data subjects are EU citizens, but that analysis seems to disregard the explicit language of the law as well as practical considerations. There’s tourism, travel, residencies, students abroad, and much more to consider.
Because GDPR uses inconsistent qualifiers when referring to data subjects and informal descriptions of who a data subject is, the public has been left with varying interpretations and significant challenges.
When reviewing the law, you can see several different interpretations:
- Article 3(2) states, “This Regulation applies to the processing of personal data of data subjects who are in the Union…”
- Recital 2 gets a little more granular than Article 3(2), “The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.”
- Recital 14 states, “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
- Recital 24 states, “The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behavior of such data subjects in so far as their behavior takes place within the Union.”
Who is a GDPR Data Subject?
Based on the language of the law above, we generally see five definitions proposed for “data subjects,” varying from any personal data physically located in the EU to citizens of the EU.
- Located in the EU
- Resident of the EU
- Citizen of the EU
- An EU Resident/Citizen Located Anywhere
- Personal Data in the EU
Located in the EU
A data subject is anyone physically within the borders of the EU whose data is being processed while that individual is physically within the Union. For example, an EU citizen who is physically located in the EU and provides personal information when purchasing a product.
Resident of the EU
A data subject is anyone who formally resides within the Union, regardless of citizenship, while that individual is physically within the Union. For example, a non-EU citizen who is studying abroad in the EU.
Citizen of the EU
A data subject is anyone who has formal citizenship in the EU, while that individual is physically within the Union.
An EU Resident/Citizen Located Anywhere
A data subject is anyone who has residency or citizenship in the EU and whose data is being processed, regardless of where the resident or citizen is physically located at the time of processing. For example, a data subject could be an EU citizen who is located in the US and provides personal information during the purchase of a product.
Personal Data in the EU
A data subject is anyone whose personal data is located in the EU, regardless of the residence, citizenship, or physical location of the data subject. For example, a non-EU citizen who is located in the EU and provides personal information through the purchase of a product.
Next Steps for Complying with GDPR
Here’s what we know: the law is not clear. Reasonable, intelligent, educated people disagree about what constitutes a data subject, but it’s crucial that organizations determine their definition of a data subject.
We believe that data subject location is important in defining GDPR scope, but we also know that practical realities, such as a desire to interpret and enforce the law broadly, will impact interpretation perhaps even more than the letter of the law.
So, now that you know who a data subject is and what personal data is under GDPR, what do you do next?
Make Defensible Definitions
First, we suggest that you retain competent legal counsel that understands your organization’s role in personal data and can help you determine what constitutes a data subject and personal data at your organization. You’ll want someone supporting your efforts, especially as the public learns from enforcement activity. Monitoring and learning from GDPR developments and enforcement action is crucial to your GDPR compliance.
Your organization also needs to make a defensible business decision around what constitutes a data subject and personal data. Organizations generally know when they’re making a decision that’s defensible or risky, and we encourage you to make this decision as defensible as possible.
Identify Vulnerabilities and Risk
Second, think through the risk.
Where are you most likely to experience a data subject complaint or inquiry? Where are you most likely to experience the threat of unauthorized access or disclosure? These are the places where you should prioritize your time and resources when determining who data subjects are and what personal data is.
Have a Compliance Plan
Finally, apply what you’ve learned from these concepts to your organization, especially if you don’t regularly process EU data subjects’ personal data but have the potential to process such data. You must have a plan of action in place to meet GDPR compliance.
Need help beginning your journey towards GDPR compliance? Contact us today.