Which information constitutes personal data under the GDPR?


Running a business inevitably involves collecting information about clients and contractors. Some of this information constitutes personal data, and in that case the entrepreneur is obliged to give it appropriate protection. This is required not only by professionalism, but also by the legal provisions that assign the entrepreneur the role of personal data administrator. What is "personal data"? We explain below.

Personal data - statutory definition

The statutory definition of the concept of "personal data" is contained in Art. 6 sec. 1 of the Act of August 29, 1997 on the Protection of Personal Data (Journal of Laws No. 133, item 883, as amended; hereinafter: the Personal Data Protection Act), according to which personal data is any information relating to an identified or identifiable natural person.

Section 2 of the cited provision states that an identifiable person is a person whose identity can be determined directly or indirectly, in particular by reference to an identification number or to one or more specific factors determining his physical, physiological, mental, economic, cultural or social characteristics.

On the other hand, information is not considered to make it possible to identify a person if doing so would require excessive costs, time or activities (Article 6 (3) of the Personal Data Protection Act).

On May 25, 2018, a new act on the protection of personal data came into force, replacing the existing regulations; this provision, however, has exceptionally remained in force, so the legal definition of the term in question has not changed.

When formulating the legal definition of personal data, the legislator used a general clause containing an indefinite phrase, which leaves the catalog of information constituting personal data open. Classifying a given piece of information as personal data requires an individual assessment of whether, in the specific circumstances, it enables the identification of a natural person using specific means.

Most often, single pieces of very general information (e.g. a salary) are not personal data. They become personal data when they are put together and allow precise identification of the person they concern, for example information about the amount of remuneration combined with address data and a name.

However, there are cases where even a single piece of information may constitute personal data. This is the case with the PESEL number, which, in accordance with Art. 15 sec. 2 of the Act of 24 September 2010 on population records (Journal of Laws of 2015, item 388), is an 11-digit numeric symbol that uniquely identifies a natural person: the first six digits indicate the date of birth (year, month, day), the next four the ordinal number and the gender of the person, and the last one is a check digit used for electronic control of the correctness of the assigned registration number.
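As an added illustration (not part of the original article) of why a PESEL on its own is personal data, the following Python decodes the birth date and sex the number encodes, verifies the check digit, and flags syntactically valid PESELs found in free text, which is a typical step when classifying whether a document holds personal data. The check-digit weights and the century encoding are the public PESEL scheme, which the article does not spell out, and all numbers and the sample text are constructed for this example.

```python
import re
from datetime import date

# Check-digit weights of the public PESEL scheme (assumption: not given in
# the article). The weighted sum of the first ten digits, mod 10, subtracted
# from 10 (mod 10), must equal the eleventh digit.
PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)

# The century is encoded as an offset added to the month field (public scheme).
CENTURY_BY_MONTH_OFFSET = {0: 1900, 20: 2000, 40: 2100, 60: 2200, 80: 1800}


def pesel_check_digit(first_ten: str) -> int:
    total = sum(int(d) * w for d, w in zip(first_ten, PESEL_WEIGHTS))
    return (10 - total % 10) % 10


def decode_pesel(pesel: str):
    """Return (ISO birth date, 'M'/'F'), or None if the fields are not a real date."""
    if not re.fullmatch(r"\d{11}", pesel):
        return None
    yy, mm, dd = int(pesel[0:2]), int(pesel[2:4]), int(pesel[4:6])
    offset = (mm // 20) * 20          # 01-12 -> 1900s, 21-32 -> 2000s, ...
    try:
        born = date(CENTURY_BY_MONTH_OFFSET[offset] + yy, mm - offset, dd)
    except (KeyError, ValueError):
        return None
    sex = "M" if int(pesel[9]) % 2 else "F"   # tenth digit: odd = male
    return born.isoformat(), sex


def is_valid_pesel(pesel: str) -> bool:
    """Syntactically valid: 11 digits, a decodable date and a correct check digit."""
    if decode_pesel(pesel) is None:
        return False
    return pesel_check_digit(pesel[:10]) == int(pesel[10])


def find_pesels(text: str) -> list:
    """Flag 11-digit runs that pass validation, e.g. when classifying a document."""
    return [m for m in re.findall(r"(?<!\d)\d{11}(?!\d)", text) if is_valid_pesel(m)]


# Constructed sample record: 90031512348 is a syntactically valid PESEL built
# for this example; 12345678901 is an 11-digit order number that is not one.
SAMPLE_TEXT = "Invoice 2024/0457, client PESEL 90031512348, order 12345678901"

if __name__ == "__main__":
    for p in find_pesels(SAMPLE_TEXT):
        print(p, decode_pesel(p))   # 90031512348 ('1990-03-15', 'F')
```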

Personal data according to the GDPR

On May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the so-called GDPR), entered into force.

Pursuant to Art. 4 of the GDPR, personal data means any information relating to an identified or identifiable natural person (the "data subject").

An identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as:

  • a first name and last name,

  • an identification number,

  • location data,

  • an online identifier, or

  • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The preamble to the GDPR states that "The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used (including singling out) by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."

The GDPR distinguishes two categories of personal data: so-called ordinary personal data and personal data belonging to special categories of data (formerly so-called sensitive data), which include data revealing:

  • racial or ethnic origin,

  • political views, religious or philosophical beliefs,

  • membership of trade unions,

  • genetic data,

  • biometric data to uniquely identify a natural person,

  • data relating to health, sexuality or sexual orientation.

Personal data that does not fall into any of the above-mentioned categories is ordinary data.

Does personal data also cover legal persons?

No, personal data relates only to natural persons.

Is an e-mail address personal data?

Personal data is not only information that allows a specific person to be identified directly, but also information that, with some expenditure of cost, time or effort, is sufficient to identify them.

Taking the above into account, as a rule an e-mail address does not constitute personal data within the meaning of Art. 6 sec. 1 of the Personal Data Protection Act. On the other hand, if its content includes information that allows the identity of a given person to be established without excessive costs, time or activities, it can be considered personal data.

Example 1.

The e-mail address: [email protected] does not constitute personal data.

The e-mail address: [email protected] may constitute personal data.


Is a computer's IP address personal data?

The Data Protection Working Party set up by the European Parliament and the European Council agreed that a computer's IP address should be considered data relating to an identifiable person, stating that: "ISPs and local network managers may use reasonable means to identify the Internet users to whom they assigned IP addresses, because they systematically record in files the dates, the duration and the dynamic IP address (that is, one that changes every time you log in) assigned to a person. There is no doubt that in such cases it is possible to speak of personal data within the meaning of Article 2 of the Directive."

What should the entrepreneur do if it turns out that the information he collects is personal data?

First of all, it should be emphasized that an entrepreneur who uses personal data in the course of running a business becomes their administrator by operation of law.

In the first place, the entrepreneur should determine what type of personal data he processes (whether they are ordinary data or special categories of data).

Next, the entrepreneur needs to make sure that collecting a specific category of data in the company is justified, and, if its further processing is necessary, fulfil the obligations of the personal data administrator.

Pursuant to Art. 36 of the Act of August 29, 1997 on the protection of personal data, the tasks of the personal data administrator include:

  • applying technical and organizational measures to ensure the protection of the processed personal data appropriate to the threats and to the categories of data protected, in particular securing the data against unauthorized access, removal by an unauthorized person, processing in violation of the Act, and alteration, loss, damage or destruction;

  • keeping documentation describing the method of data processing and the measures ensuring the protection of personal data.