Personal data – concept
Personal data is any information which can lead to the identification of a natural person, by itself or in combination with other additional information.
Personal data includes a range of information about various aspects of an individual’s life:
- characteristics of the person – photo, video image, height, weight;
- medical condition – history of illnesses, treatments followed, periods of hospitalization, possible accidents;
- work activity – work phone, work email, place of work, job title;
- financial situation – the nature and amount of a person’s income, property and assets;
- online identification – IP address of devices used online, user account of an online application, geolocation, etc.
A number of rules laid down both by law and by court practice, in particular by the practice of the European Court of Justice of the European Union, must be used to determine whether or not information is personal data.
The notion of personal data is not limited to information which by itself can lead to the identification of a person.
The notion of personal data is assessed not by reference to the possibility for the holder of the data to identify a specific person, but by reference to the possibility for any person to identify a specific person.
The concept of personal data is assessed not by reference to the possibility for the holder of the data to identify a specific person on the basis of the data, but by reference to the possibility for any person to identify a specific person, both on the basis of the data and on the basis of additional information held by that person.
The notion of personal data covers not only confidential information, but even information that is already public.
Personal data covers all of the following:
- confidential information about a specific person;
- information relating to a specific person which, although not confidential, has not been made public;
- public information about a specific person.
The notion of personal data covers not only information about a person’s private life, but any kind of information, including information about their professional life.
It should be emphasised that the notion of ‘personal data’ is not equivalent to the notion of ‘information relating to private life’, as this is commonly understood, but includes the latter alongside any other information, including information relating to a person’s professional activity.
The notion of personal data also covers evaluations, i.e. opinions about a specific person.
As regards evaluations, i.e. opinions, in order for them to be classified as personal data, they must meet any of the following conditions:
- their content concerns a specific person;
- their purpose is directed at a particular person;
- their effects concern a particular person.
To the extent that a particular assessment/opinion, by its content and/or purpose and/or effects, relates to a specific individual, it constitutes personal data.
Processing of personal data
Processing of personal data means any kind of use of data.
The category of data processing may include operations such as:
Rights of the data subject
The legislation on the processing of personal data recognises a number of rights for data subjects (persons whose personal data are processed in any way):
- the right to information;
- the right to transparency;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restriction;
- the right to portability, etc.
Based on the rights set out above, and depending on the circumstances, data subjects may obtain control over their data. For example, based on the right of access, a person may receive video recordings of him/her from a certain time and location, or may obtain from the controller a communication on the purposes for which his/her data are processed as well as the duration of the processing; based on the right to erasure, a person may obtain his/her removal from the results displayed by an online search engine, etc.
Personal data controller
The controller of personal data is the natural person/legal entity/entity/public or private authority/institution or a group of them, which determines the purposes and means of the processing of personal data.
In other words, the personal data controller is the person/company or group of persons/companies that cumulatively determine the following:
- that they are going to process personal data;
- the reasons for processing personal data;
- the means by which they are to process personal data.
Technical and organisational measures
According to the specific legislation on the protection of personal data, the persons involved in data processing (those who directly or indirectly process the data – personal data controller, processor, etc.) are required to adopt and comply with a series of technical and organisational measures to ensure compliance with the relevant legislation and implicitly the rights of the data subjects.
In essence, the measures address three distinct but cumulative issues:
- drawing up policies and all acts establishing how data are processed;
- the adoption of physical and electronic data access and security measures;
- continuous training of all persons involved in data processing.
How we can help you
In the case of personal data controllers and data processors, our lawyers, together with various IT specialists, can provide you with legal advice, legal assistance and representation on all aspects required by law in order to achieve the highest level of compliance:
- identification of the personal data you process;
- establishing data traceability within the company;
- identifying and establishing the types of data access;
- drafting policies on data processing (both towards customers and employees);
- drafting confidentiality agreements;
- drafting data processing registers;
- drafting of controller-controller or joint controller agreements;
- drafting of controller-processor agreements;
- establishing mechanisms to ensure that data subjects can exercise their rights;
- establishing the mechanisms by which the evaluation of authorised persons can be carried out;
- drafting materials for the information of data subjects (e.g. camera signs, etc.);
- legal assistance and representation before the courts or the competent authority.
In the case of data subjects our lawyers can provide services such as:
- advice on your rights as a data subject;
- legal advice on exercising your rights;
- legal assistance and representation before the courts or the competent authority in the field (e.g. actions for damages).