Personal data is at the heart of the GDPR (General Data Protection Regulation). However, many organisations are still unsure exactly what ‘personal data’ is.
That’s a concern, because if organisations don’t meet their compliance requirements, they risk data breaches and disciplinary action.
Yet, we can understand why organisations continue to struggle with this aspect of the GDPR – particularly if they don’t have a dedicated data protection professional on their books.
The issue is that the Regulation doesn’t provide a definitive list of what is or isn’t personal data. It is up to organisations to correctly interpret the GDPR’s definition:
‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’)
In other words, personal data is defined as any information that is clearly about a particular person.
The GDPR further clarifies that information is considered personal data whenever an individual can be identified, directly or indirectly, “by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
That’s an awful lot of information. In certain circumstances, someone’s IP address, hair colour, job or political opinions could be considered personal data.
The qualifier ‘certain circumstances’ is worth highlighting, because whether information is considered personal data often comes down to the context in which it is collected.
Context is everything
Organisations usually collect many different types of information on people, and even if one piece of data doesn’t individuate someone, it could become relevant alongside other information.
For example, a data controller that requests information on people who download products from their website might ask them to state their occupation.
This doesn’t fall under the GDPR’s scope of personal data, because, in all likelihood, a job title isn’t unique to one person.
Similarly, an organisation might ask what company they work for, which, again, couldn’t be used to identify someone unless they were the only employee.
However, in many instances, these pieces of information could be used together to narrow down the number of natural, living persons to such an extent that you could reasonably establish someone’s identity.
In other words, if you refer to someone with a specific job title at a specific organisation, there may only be one person who fits that description.
Of course, that’s not always the case. Knowing that someone is a barista at Starbucks doesn’t narrow things down much, for example.
In these cases, those two pieces of information together wouldn’t be considered personal data. However, it’s highly unlikely that this information would be stored without a specific identifier, such as the person’s name or payroll number.
Names aren’t always considered personal data
You might think that someone’s name is as clear an example of personal data as it gets; it is literally what defines you as you. But it’s not always that simple, as the UK’s Information Commissioner’s Office explains:
“By itself the name John Smith may not always be personal data because there are many individuals with that name.
“However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”
However, the ICO also notes that names aren’t necessarily required to identify someone:
“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”
A guide to what is (or could be) personal data
As we’ve explained, it can be hard to say whether certain information meets the GDPR’s definition of personal data.
However, Cloud services company Boxcryptor provides a list of things that could be considered personal data, either on their own or in combination with additional information:
- Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses.
- Looks, appearance and behaviour, including eye colour, weight and character traits.
- Workplace data and information about education, including salary, tax information and student numbers.
- Private and subjective data, including religion, political opinions and geo-tracking data.
- Health, sickness and genetics, including medical history, genetic data and information about sick leave.
How organisations should handle personal data
If you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution.
This means making sure that the processing of personal data is limited to what is necessary and keeping data for only as long as it meets its purpose.
You should also strongly consider pseudonymising and/or encrypting information – particularly if it is a special category of personal data.
Pseudonymisation masks data by replacing identifying information with artificial identifiers.
Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.
Encryption also obscures information, but it transforms the data itself into an unreadable form rather than swapping identifiers. Whereas pseudonymisation allows anyone with access to the data to view the remaining part of the data set, encryption allows only approved users to access the full data set.
Pseudonymisation and encryption can be used simultaneously or separately.
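As an added illustration (not code from the article or from IT Governance), the following Python shows the pseudonymisation step described above: identifying fields are replaced by a keyed-hash token, and the key plus the token-to-identity lookup table are kept apart from the working data set. The member records and the HMAC-based tokenisation are constructed assumptions of this example; encrypting the full record would need a proper cipher library and is not shown.

```python
"""Pseudonymising a small record set with a keyed hash.

Added example, not from the original article. The records below are
constructed sample data about hypothetical people.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records: a tennis-club style booking list.
MEMBERS: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.org", "court_time": "18:00"},
    {"name": "Bob Example", "email": "bob@example.org", "court_time": "18:00"},
    {"name": "Alice Example", "email": "alice@example.org", "court_time": "19:00"},
]

# Fields that identify the data subject and must leave the working data set.
IDENTIFYING_FIELDS = ("name", "email")


def pseudonym(key: bytes, value: str) -> str:
    """Derive an artificial identifier from one identifying value.

    HMAC-SHA256 under a secret key: the same input always yields the same
    token, so records about one person still link up for analysis, but
    without the key the token cannot be reversed or recomputed from a
    guessed name or email (a plain unkeyed hash would allow that).
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(
    key: bytes, records: List[Dict[str, str]]
) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Return (pseudonymised records, lookup table).

    The lookup table maps token -> original identifying values. Together
    with the key it is the 'additional information' that must be stored
    separately and access-controlled; the pseudonymised records alone do
    not reveal who the subject is.
    """
    out: List[Dict[str, str]] = []
    lookup: Dict[str, Dict[str, str]] = {}
    for rec in records:
        token = pseudonym(key, rec["email"])  # one token per data subject
        stripped = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        stripped["subject_token"] = token
        lookup[token] = {f: rec[f] for f in IDENTIFYING_FIELDS}
        out.append(stripped)
    return out, lookup


def bookings_per_subject(pseudo_records: List[Dict[str, str]]) -> Dict[str, int]:
    """Analysis that works on the pseudonymised data set alone."""
    counts: Dict[str, int] = {}
    for rec in pseudo_records:
        counts[rec["subject_token"]] = counts.get(rec["subject_token"], 0) + 1
    return counts


def reidentify(lookup: Dict[str, Dict[str, str]], token: str) -> Dict[str, str]:
    """Only the holder of the separately stored lookup table can do this."""
    return lookup.get(token, {})


if __name__ == "__main__":
    # Generate the key once and store it with the lookup table, never with the data.
    key = secrets.token_bytes(32)
    pseudo, lookup = pseudonymise(key, MEMBERS)
    print(pseudo)                         # no names or emails present
    print(bookings_per_subject(pseudo))   # per-person counts still possible
    print(reidentify(lookup, pseudo[0]["subject_token"]))
```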
Ask a DPO if you’re unsure
Those looking for ongoing advice on how to manage the personal data they collect should consult a DPO (data protection officer).
A DPO is an independent expert hired to guide organisations on their GDPR compliance requirements. They are responsible for many tasks, including:
- Informing and advising the organisation and its employees of their obligations;
- Monitoring the organisation’s data protection policies and procedures;
- Recommending to management when DPIAs (data protection impact assessments) are necessary; and
- Acting as a point of contact between the organisation and its supervisory authority.
The GDPR states that certain organisations must appoint a DPO – but even if you don’t fill those criteria, it can be hugely beneficial to appoint one anyway.
Become a GDPR expert
You can learn more about your organisation’s data protection requirements by taking our Certified GDPR Foundation Self-Paced Online Training Course.
This one-day course is delivered by an experienced data protection expert, and provides a comprehensive introduction to the Regulation and its rules.
It is ideal for managers who want to understand how the Regulation affects their organisation and employees who are responsible for GDPR compliance, and is available in a variety of forms, including online and self-paced.

A version of this blog was originally published on 17 February 2018.
In a private tennis club with an online court booking system available ONLY to members, would it transgress GDPR to show the names (and no other information) of those booked to play at a given time? After all, you would only have to be there at the given time to see who is on court and with whom.
Dear Des,
GDPR does not prohibit making such information available to the members of the club, however, while doing so you need to follow the data protection principles. For instance, you need to:
– clearly determine what the purpose of such processing is (as you said yourself, ‘you would only have to be there at the given time to see who is on court and with whom’);
– identify a legal basis for processing (maybe you’ve obtained consent from the members? Or perhaps you are relying on a legitimate interest basis?);
– make sure that the members are aware of both the purpose and the legal basis. This should be clearly spelled out in the privacy notice. You can find some useful tips on how to write a privacy notice in our blog.
I have applied to a company who collect data using roadside cameras (and it is my belief that the data is then processed for ANPR) for a Subject Access Request which has been declined on the basis that as they do not have access to the DVLA registered keeper database they cannot see the individual and therefore this is not ‘personal data’.
I am disinclined to agree with this but have written back to them requesting information in relation to their client’s to establish if they would have access to such a register or if any other Company within their group have access to the DVLA database. I have also requested that they advise if their client constitutes a Public Sector Organisation to allow me to make a Freedom of Information request from them.
Views?
Hi Steve,
It would be important for you to determine who the data controller of the data you are requesting is, as it is the data controller who is in the best position to respond to a DSAR. The company you’ve contacted might be a processor in this scenario – in such a case, you may request that they forward your inquiry to the data controller. If the data controller fails to respond to your request, or if you are not satisfied with their response, you may escalate your complaint to the national data protection authority.
Please note that FOI requests are about providing access to public information, whereas DSAR is about access to information which the legal entity holds about you. Normally, FOI does not provide access to information which cannot be accessed under the GDPR or national data protection laws.
Our U3A organisation (700 members) has full details of members’ names, addresses, email IDs and phone numbers, as well as a 4 digit membership number.
If we keep a publicly available list on our website, would it be considered personal data if we restricted each record simply to FORENAME, SURNAME and MEMBERSHIP NUMBER?
I would say so, John: although there could be a few ‘John Smiths’ in there, there are potentially enough unique names that it should be thought of as personal data.
What I would think about is why is that list publicly available? If the purpose is to help members identify each other then that sort of answers the question – it is personal data.
Yes, John, it would still be considered personal data as the record refers to individuals who are or can be identified. However, GDPR does not prohibit making personal information public – you may still have a good reason to publish it on the website. To make sure that your processing is lawful, you need to:
– Identify a purpose for this activity (why is this information on the website?),
– Determine a lawful basis for it (maybe the members have provided their consent? Or do you have a legitimate interest in making the information public?),
– And make sure that the members are aware of this processing (it should be included in your privacy notice).
Hi there, just wondering does an agent in a company need to give their surname when asked?
I think someone that works for my landlord is telling family members (that I don’t speak to, and cut out of my life 3 years ago) things that are happening in my home life, i.e. that I had to change benefits, any repairs that need doing around the house that I rent. Does this fall under a breach of GDPR? The person works for the landlord’s company.
Many thanks
Hi Laura,
That’s a breach of the GDPR if your landlord is processing that information (i.e. writing it down and storing it somewhere). Even if he isn’t, the landlord might be breaching other laws. We recommend that you speak to a legal expert or contact your local citizens’ advice service.
Hi, is it a data breach if a neighbour makes a phone video of me in my home in the main door hallway as I am drunk and don’t notice?
Hi, John — that’s not subject to the GDPR, because it’s not part of an organisation’s practices.
Are Limited company names protected under GDPR?
If a developer sold a property to Mrs Smith, I could understand Mrs Smith’s name would be redacted from a Land registry search but would there be a requirement to redact the developer/builders name if it was a limited company?
Hi Daniel,
GDPR does not cover the processing of personal data which concerns legal persons (such as limited companies), including the name and the form of the legal person and the contact details of the legal person. Therefore, there is no requirement in the Regulation to redact the data about legal persons.
Hope this helps!
In a company we have a newsletter which publishes birthday greetings with the person’s name and date of birth (day and month, NOT year). Does this require consent?
Hi Glenn,
You’re probably fine (a birthday without a year arguably isn’t personal information), but it’s worth covering yourself by listing this activity in your organisation’s HR policies along with a legal basis for processing. You can’t use consent between an employer and employee, but legitimate interests should suffice.
Dear Sophie,
Does GDPR cover an email address such as: name.surname@company.com or name.surname@gmail.com or contact@namesurname.com, if they were given, as a contact email address, by the administrator of a company, at the moment of signing a contract (and mentioned in the contract) between that company and a service provider? Does that service provider company have any obligations under GDPR in relation to that email address?
Hi Beatrice,
The email address examples that you list are considered personal data in any context. Both the company and the service provider store this information and are required to protect it in line with the GDPR’s requirements.
I run a fitness studio and I have my customers sign in to a paper register when they arrive for class. At the end of the month my colleague takes a screenshot on her phone of the names from different classes that month and uses WhatsApp to send me these so that I can work from home and cross reference against our booking system online (it is easier for her to do this as she is in the studio on the last working day of the month). As WhatsApp is encrypted and it is just names, no other personal details, could you tell me if this is acceptable under GDPR? The photos of the names are deleted on both phones once cross referenced. Thank you.
Hi Laura,
You’re probably fine, given that you’re only collecting customers’ names. However, it’s worth remembering that the spirit of the GDPR is transparency. With that in mind, we’d suggest creating a privacy notice explaining the data you collect, why you need it, where it’s stored/shared (WhatsApp) and how long you keep it for.
This can simply be a printed document alongside your paper register. We can’t imagine anyone will have a problem, but it’s nice to let people know what you’re doing with their information.
If I process personal data which is public, not private, does the GDPR apply?
Example
I want to collect the email address of different websites and blogs which focus on posting news and information about bands from a music genre that relates to the one of my band.
Once I collect these email addresses, I want to add them to the newsletter of my band because I think it could be of their interest. When these email addresses are referred to the name of the company or something that doesn’t identify an individual, for example info@rollingstones.com, I understand GDPR doesn’t apply. But, does GDPR apply if the email address identifies or seems to identify an individual, for example john_weirdsurname@rollingstones.com, even if it’s public and provided by themselves to be contacted?
Thanks.
Hi Franco,
There’s a distinct difference between posting an email address on your own website and putting them on a newsletter without their consent. In the latter example, the data is being used for a purpose that the owner of the information isn’t aware of.
We’d suggest emailing each person individually, explaining how you got their information and asking if you can use it for your newsletter.
I wrote an email of complaint to the manager of a members only golf club (but the public can access it for social activities) and it was discussed and minuted in a directors meeting. The directors then named me fully in the minutes and posted it on the notice board so members and potentially the public could see it stating that I had complained. (I have a very unusual surname so could be fully identified) is this a breach of GDPR?
Hi Marie,
That’s a good question! The directors were entitled to refer to your name during the meeting (at that point the data isn’t stored and only shared internally), but this information should have been redacted when posted on the noticeboard. We’d suggest checking their privacy policy (it should be on their website or wherever you got the contact address) to see if they explain that data could be used in this way. If they don’t address this, it’s a breach of the GDPR.
Thank you in advance for your information. I am brand new to GDPR and I have two questions.
My organization has member families and one of the things we do is run programs for children. (Possibly relevant Background: We do not sell our data. We annually open registration for the next year’s program in Springtime and send a couple of emails about that to past year and one-year-prior participants. )
1. We keep family records and the children’s registration and attendance records in our system. We keep names and dates of courses attended in our system. Some courses are prerequisites for others (also prerequisites for courses offered by other organizations who request transcripts). If a family’s data has been “forgotten” we lose that historical knowledge. Does GDPR apply to this kind of information? Note: This is not information we share with anyone who does not have a legitimate need for the information. Would we have to wipe out this type of data if someone makes a GDPR request?
2. We bill our families for these courses. Are bookkeeping records included in GDPR? Example: Johnny’s family paid 50 € as a deposit for a 125 € course. The course started Sept. 1. Full payment is due by December 30. Johnny begins the class in September. In October Mr. Johnny requested that the Family’s data be forgotten. Does this require that their name and address be eliminated from my billing system as well? (It is all tied together in one software package.) How do I bill/record payments from Mr. Johnny if they are not in my electronic records system?
Hi Bernadette,
Thank you for your message.
The right to erasure (‘the right to be forgotten’) under the GDPR is not absolute, and applies only in specific circumstances. For example, you might be under obligation to delete the data of a particular individual if ‘the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed’. Conversely, if you still need the data to effectively provide the services to your members/clients, you won’t be under the obligation to satisfy the request for erasure.
All personal data related to an identified or identifiable individual is in scope of the GDPR. Thus, where bookkeeping records allow an individual to be identified, they have to be processed in line with the requirements of the Regulation. This does not mean that you have to delete or redact the records; however, you need to inform the individuals about how their data is being processed (e.g., in the privacy notice), ensure that it is stored securely and kept no longer than necessary.
Our webinar explains obligations of the data controllers in more detail: https://www.youtube.com/watch?v=cyUPGGD3iVg
Hello,
I am increasingly frustrated by some very simple things that are being denied because of “it’s GDPR”. For example, our GP surgery is refusing to allow anyone other than the patient to book an appointment, and yesterday a dental receptionist cited GDPR as a reason not to tell me that my husband’s appointment for today had been cancelled. Could you explain why they think this, as I fail to see what this has to do with personal information? Thank you.
Hi Karin,
Thank you for your message. GDPR is a complex piece of legislation and, naturally, it is subject to many interpretations. To address the most common misconceptions, just last week the Irish Data Protection Commissioner published an article explaining what GDPR does and does not say. It also covers questions related to medical data, so in light of your situation you might find it interesting: https://www.dataprotection.ie/news-media/blogs/does-gdpr-really-say
In general, you can always approach a supervisory authority of the country of your residence, work or a place of an alleged infringement, and complain about specific instances of data processing which you consider unlawful.
I am an artist and I was to give a talk at a state-funded art gallery. The talk was organised by an independent arts organisation. They told me that there were complaints about some of my previous work being offensive and the talk was being cancelled. I wasn’t given any details of what had caused the offence. Can I request this information from the arts organisation under GDPR?
Thanks.
Hi John,
The Right of Access under the GDPR art.12 allows individuals to obtain a confirmation as to whether or not a given data controller, such as an organisation, is processing personal data about them. If this is the case the individual shall be provided with a copy of personal data undergoing processing.
I have a mail merge document that generates receipts for my customers. It contains their name, address and the item that they purchased (plus cost) If my bank manager wanted to see that list as evidence that I have those sales is that permitted or not?
Hi Julie
Personal data is any information that a living individual can be identified from. So from your question below, it is clear that both name and address are considered personal data. The receipt number or reference would also be considered personal data as it is a number that is unique to that customer.
With regards to your bank manager’s request – from the information in your question below, it appears that the purpose for requesting this information is to confirm sales figures. I would recommend that you provide your sales information with the personal data redacted or removed. Alternatively, you could provide a monthly sales report with zero personal data included in the report. From the detail you have provided in your question below, I do not believe that your bank manager has a right to view your customers’ personal data.
I hope this helps.
Hello
Is a video or photographs of someone used as a testimonial for a business deemed as falling under GDPR? If so, can the use of that video or photographs be withdrawn by the client (i.e. so the business can no longer use them)?
Thanks.
Hi Maria,
Videos or pictures are within the scope of the GDPR as long as they consist of or reveal “any information relating to an identified or identifiable natural person” (art.4 GDPR).
That being the case, the use (processing) of those personal data, among other possible applicable requirements, must have a lawful basis of processing. There are several lawful bases listed in article 6 GDPR that cover different situations. Certainly one of them applies to the described processing activity.
Consider, for example, whether the collection and use of the testimonies may fall under the lawful ground covered in article 6 paragraph 1 f) GDPR, to the extent that this processing may be “necessary for the purposes of the legitimate interests pursued by the controller”. If this were the case, the data subject – the person to whom the videos or photographs relate – would have a right to object to their processing.
Consider also that, if no other lawful basis applies to the situation described, you or your organisation can rely on the consent of the data subject to process this data (under art. 6 paragraph 1 a) GDPR). If this were the case, then it is possible for the data subject to revoke his or her consent at any given time. This would also trigger different requirements relating to consent covered in article 7.
The fulfilment of all these requirements is the responsibility of the data controller – the natural or legal person who determines the purposes and means of the processing of personal data – so I suggest clarifying the lawful basis for the processing activity first and then considering the consequences in terms of what data subjects can do to control the use of their data by your organisation.
Hope this helps.
Can our company still use and display statistical graphs on the noticeboard showing employees overtime, sick time and paid back bank days ?
Hi Mandy,
The introduction of the GDPR is not intended to hinder basic business activities such as this, so normally there should be a ground to do this under the GDPR.
Generally, the basic assessment that needs to be conducted to understand whether a personal data processing activity with a given purpose can take place lawfully is to ascertain whether the organisation has a lawful basis in Article 6 GDPR.
Among others, article 6 lists the lawful basis for a processing activity that is necessary for the purposes of the legitimate interests pursued by the controller. Therefore, a controller, such as a company as an employer can process (use, consult, organise personal data) about its employees where the purpose of that use is necessary for legitimate purposes of the company.
The only exception to this is where such interests are overridden by the interests or fundamental rights and freedoms of the data subject – in this case the employee. In fact, they have the right to object to this processing based on the legitimate interests of the employer.
The legitimate interest of the organisation must be valid and carefully considered. Also, it must be disclosed in the relevant Privacy Notice – for example, an Employee Privacy Notice could cover this.
Another possibility is to frame this processing activity under another article 6 lawful basis, for example, it is possible to do so if the processing is necessary for the performance of a contract to which the data subject is party – such as an employment contract.
Both these lawful bases, if appropriate to the case at hand, can legitimise the processing activity. It is up to organisations to understand whether a given processing activity can take place and, if so, under which lawful basis. Also, consider that this is not the whole story, but rather the first step to address this situation.
Hope this helps.
I work with a group of volunteers feeding homeless rough-sleepers on nightly runs around our town. Everything we do is organised through a private Facebook page.
We used to record the users/clients we meet and what items we gave them, using only their forenames or nicknames, but have recently been told we can’t use any names at all.
Is this correct ?
Hi Art,
As per the General Data Protection Regulation (GDPR), “personal data” is any information from which a person (a data subject) can be identified or potentially identified. This would include surnames and nicknames.
As per the GDPR, you can process (store, collect, use etc.) personal data once you have one of the six lawful bases/reasons for doing so. The six lawful bases are:
1. When the data subject has given consent to the processing of his or her personal data – you must be able to prove that you have his/her consent.
2. When the processing is necessary for the performance of a contract to which the data subject is a party of, or in order to enter into a contract with the data subject.
3. When processing is necessary for compliance with a legal obligation.
4. When processing is necessary in order to protect the vital interests of the data subject or of another natural person.
5. When processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. When processing is necessary for the purposes of the legitimate interests pursued by the controller or third party, except where those interests are overridden by the interests or rights of the data subject.
You need to assess why you are capturing the personal data and whether you can apply one of the above lawful bases to this processing.
I hope this helps.
A colleague has sent on *an extract* from an email from a third party which concerns my work. I have twice requested a copy of the original message and the colleague has refused to send it on, saying that there is nothing further in the email that concerns me. Am I entitled to request a copy of the whole text of the email under GDPR. Very grateful for your help.
Hi Ruth,
As a data subject you have the right of access under the GDPR. This right allows you to obtain a copy of your personal data from the data controller along with the information you would usually find in a privacy notice.
If the original email contains information that allows you to be identified and/or information that relates to you as an individual, then arguably you should receive a full copy. The GDPR also sets out an exception to this rule where the right to obtain the copy may adversely affect the rights of others. However, if this is the case, the data controller should be able to explain this to you in a transparent manner.
In fact, it is important to consider who is the data controller in this situation and ask for information on how to exercise your rights. If you are not satisfied with how the data controller handled your request, you can voice your objection with them and hopefully come to a friendly resolution. In case this is not possible then you can formally lodge a complaint with a Supervisory Authority. All of this information should be made available to you by means of a privacy notice provided by the data controller.
Hello,
I am currently working in a project where we need to process some information extracted from a Hospital Information System (the information is provided by the Hospital itself). Our objective is to identify potential points for improvement in the processes (e.g. analyzing how much time a patient has spent in the waiting area) so we don’t need any patient identifier. As long as we are processing logs where we have data like:
RegisterID (nothing to do with any patient identifier)
Timestamp
LocationArea (waiting room, medical consultation, etc.)
When processing this information…can this be considered as personal data? I assume that it is possible to consider that this is completely anonymous data and the GDPR doesn’t apply but I really appreciate your feedback.
Thanks in advance,
Ángel
My potential mortgage company has sent me the valuation report of another person (name address and address of the property they wish to buy), which in turn means mine has been sent to someone else.
Is this a GDPR breach? (The documents only contain name and address of residence and potential purchase address with a valuation of the property.)
Hi David
Under Article 4 of the General Data Protection Regulation (GDPR), a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
It is my opinion that the mortgage company has accidentally disclosed someone else’s personal data to you, which is a personal data breach for that other person. You should return the documentation to the mortgage company as soon as possible and make them aware of this breach.
At the moment, you do not know for certain that you have been subject to a data breach as you don’t know that your information was disclosed to another party – this is something that you need to clarify with the mortgage company. If your documentation was sent to another party, then it is considered a personal data breach under Article 4, GDPR and the mortgage company should advise you of your rights in this circumstance.
Hi, basically my employer has lost a policy document which has my name and signature on it and obviously the company that I work for. I’m concerned as to what someone could do with this information if it were to get into the wrong hands. Is this a breach of data protection?
Hi Carl
Under Article 4 of the General Data Protection Regulation (GDPR), a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
As per this definition, a loss of your personal data is considered a personal data breach. Your name is your personal data so the incident you describe below is considered a personal data breach under Article 4, GDPR and your company should advise you of your rights in this circumstance. You should also have a read of your company’s Privacy Notice as this should detail your rights also.
I hope this helps.
I formerly played football in a local league and stopped playing with a red card ban incomplete. 6 years later this is still listed in their bans to serve list published publicly online. They believe they can retain this indefinitely as a legitimate interest. What’s your thoughts?
Hi Ian,
Based on the information provided, it seems you may make a valid argument to the league claiming that there is no reasonable purpose to keep the data for such a long period after a player has stopped playing in the league. At least not online, where this data may cause some distress such as reputation damage.
Keeping records to ensure the accurate application of league statutes and rules is arguably a purpose for the use of this data that can be based on a legitimate interest. However, it seems that the league has not considered or has not applied correctly an appropriate retention period for this data.
The League may want to retain the information in case you wish to resume your career if that is still a real possibility or may have other reasonable arguments for retaining the data. Regardless, it’s the League’s obligation to consider the application of data protection principles and explain, by means of a privacy notice, their legitimate interest in processing the personal data together with the envisaged retention period.
Consider that you may consult the league’s privacy notice or request one along with the information that is not clear to you. You have certain rights under the GDPR that may help you in this case such as the right to be informed and the right of access (arts. 13-15 GDPR).
I hope this helps and you achieve a friendly resolution to the matter.
Hi everyone
My friend works for a company and he asked me something I wasn’t sure about. Their receptionist is unhappy as his full name and ethnicity were discussed with a client on the phone. Would this count as a breach of GDPR as it was only done verbally? There is no paper trail linking the event but I suppose the client could identify the receptionist with ease if he wanted now.
Hi Chris
Your friend is well within his rights to ask why his name and ethnicity were discussed with a client – in fact he should request to know the purpose and the lawful basis for sharing this information. His name is considered personal data; however, his ethnic origin is considered to be a special category of personal data which warrants a higher level of security. To share this information with a third party, without a purpose, lawful basis or a relevant Article 9 GDPR exception (such as having consent) could be considered a data breach (I say “could” as I do not have the full particulars surrounding this circumstance).
I would recommend that your friend request the following:
1. The purpose for sharing this data.
2. The lawful basis for sharing this data – GDPR requires that at least one (of six) lawful bases must be appropriate.
3. The relevant Article 9 GDPR exception that permits the disclosure of his ethnic origin, without his permission.
I hope this helps.
Hi,
It’s not clear to me what happens when people use their controls to enable access to data about others. Let’s say that Mario and John are two siblings and they are browsing the Internet from two different devices. Mario does not give his consent to use and share his data, whereas John enables access to all his data (John’s surname, home address, family members, etc). As sharing this information might help track Mario, does it qualify as a data breach?
Hi Sofia
If the information that John shares enables Mario to be identified, then this would fall under the definition of personal data, as per Article 4.1 of the GDPR:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
However, the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity. As per Recital 18 of the GDPR:
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.
The ePrivacy Regulation is currently being drafted and I would hope that this legislation will take into account a scenario such as the one you have put forward.
In the meantime however, in my opinion, I would suggest that Mario ask John to remove any data which would allow Mario to be identified.
I work in a language school where students are expected to have 80% attendance of their classes. We keep a register of each class where students are named and their attendance is recorded.
Students are constantly asking what their current attendance score is. This is often so they can game the system and ensure that they do not dip below 80%.
Because of the numbers of students who ask, we have a policy that says that we do not give out this information. At the end of their studies, a certificate is produced that contains their final attendance score.
Some people are now concerned that the attendance percentage is personal data and that therefore students have a right to demand it. Is this concern justified?
Hi Diarmuid
Under Article 4.1 GDPR, personal data is defined as:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Based on the above definition of personal data, it would appear that attendance percentage could be considered personal data, as the definition refers to “any information relating to an identified … natural person”. This is an extremely broad definition which will be open to challenge via the legal system over time.
Your privacy notice should outline the purpose for recording the attendance record and the reason (one of six lawful bases as listed in Article 6 of the GDPR) for why this is not provided to the data subject.
However, based on the information that you have provided in your query below, I believe students do have a right to request this information.
When students are applying for courses they have to apply online, the school has to ask consent for taking images and videos for marketing purposes.
Does consent have to be collected and recorded physically? or can it be collected and recorded through an online application form?
Hi Gemma,
Thanks for getting in touch. Collection of consent can be completed by both means.
Hi Gemma
Consent can be collected and recorded through an online application form (see wording in bold in extract from Recital 32, GDPR below). You need to ensure that you are also meeting all other requirements in relation to consent, particularly the requirement in Recital 42, GDPR which states:
“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”
Recital 32 – “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes.”
Hi
Can birthday cards be sent to residents in a nursing home by organisations that are involved with elderly people, or is consent required from patients?
Hi Ann
In order to process someone’s personal data, you need to ensure you have a lawful basis (one of the six lawful bases as documented under Article 5, GDPR, of which consent is one) and a genuine purpose for this processing.
Without having more information, i.e. knowing what type of organisation you are referring to, the purposes of having their personal data in the first place etc., I will have to make some assumptions:
1. I am assuming that you are an organisation that is involved in assisting the elderly and therefore have their personal data (name, address and date of birth) for a legitimate reason.
2. Sending a birthday card is outside of your normal day-to-day processing of the residents’ data.
Some questions you should consider – has each resident already consented to your contacting them directly for other communication or do you contact them via the nursing home normally? What have you advised in your privacy notice regarding contacting residents?
While it is a really nice thoughtful idea to send a birthday card, you may actually be “further processing” their personal data and if you don’t have a lawful basis for this processing, then it would be considered in breach of the GDPR.
I’m wondering – if a sneaky employee emails a customer list to their personal email address before leaving the business, does a personal data breach occur as soon as they have that information, or only if they go on and do something with it/ publish it?
Thank you
Hi Fred
Would an employee have any lawful reason or a genuine purpose for emailing a customer list to their personal email address? I.e. is it a work practice that is documented within the workplace procedures? Is it something that is documented within the employer’s Privacy Notice? I.e. have customers been told that their contact details (i.e. their personal data) could be shared in this manner?
If the answer to the above questions is no, then the employee should be considered as acting outside of their employer’s instructions and the transfer of the customer list to the employee’s personal email is considered a personal data breach. The breach should be treated as occurring at the time the data was sent outside of the business unlawfully.
Hi,
Can a company director be named through a media query?
I organise running events. People who take part are sent an email inviting them to review their experience. The review process is not anonymous but only the name of the reviewer is published alongside the review, no other identifiers.
Is this allowed, bearing in mind the reviewer has responded to an invitation to provide a review!
Hello,
I would like to kindly ask what’s the extent of right to access personal data.
Should the company send me, at my request, all the documents in the company where my name is mentioned? All the emails to me and from me? All the preparatory documents of a decision concerning me?
What is the extent of the “personal data”?
Thank you,
Curcu
Hi Curcu
Personal data is defined under the GDPR as:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The English data protection supervisory authority (The Information Commissioner’s Office) provides very good advice in relation to submitting a subject access request, what your request should say, what you can expect to receive etc. This advice is located here: https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/
Kind regards
Hi,
I have just found out by accident that the court in Scotland is publishing online the list of hearings scheduled for the day using full names of both sides.
I had a civil hearing just the last week; nevertheless, nobody has ever asked me if I would like my full name (plus variation of the surname) to be published online in the detailed list. Is this ok that nobody has ever mentioned it or asked for the permission?
Hi Monika
The Scottish Court may have a legitimate lawful basis for processing your personal data in such a manner. This lawful basis should be outlined in their Data Privacy Notice. I suggest you read the data privacy notice on the below link, which I obtained from the Scottish Courts and Tribunals website:
https://www.scotcourts.gov.uk/docs/default-source/aboutscs/contact-us/freedom-of-information/privacy-notice-v1-5—master-january-2020.pdf?sfvrsn=2
If you are still unsure of how they are processing your information, I would suggest that you contact the DPO for the Scottish Courts and Tribunals directly via their contact us page:
https://www.scotcourts.gov.uk/about-the-scottish-court-service/contact-us/data-protection
Is it permitted to quote a person’s position, in this case Chief Executive of a Government body, without using the person’s name?
Thanks.
Hi,
If my company only stores personal data concerning employees of a different company which we work with (we do not monitor or process the said information in any way)- does the GDPR still apply?
Thanks,
Justin
Hi Justin
Yes, the GDPR still applies. Storing data is considered processing as per the definition of processing within Article 4(2) of the GDPR:
“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
Hi Luke,
Firstly, this is a great read and many thanks for sharing such useful information.
I’d like to ask you the following three questions as I am working on a project with students and I need to explain these questions to them in the easiest way possible. These are the questions: What is Personal Data? How to recognise a Data Subject Right? How to recognise a personal data breach?
Hi
Firstly, what is personal data?
As per the GDPR definition, personal data:
“means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
While the above is quite a mouthful, it essentially means that any information which can potentially identify someone is considered to be personal data.
Secondly, how to recognise a data subject right?
In order to recognise a data subject right you need to know the rights. There are eight in total:
1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure
5. Right to restriction
6. Right to object
7. Right to portability
8. Right to object to automated processing and profiling
I would suggest that you review Sections 2 and 3 of the GDPR to gain more information on each of these rights. It’s only by making people aware of their rights, that they will then know how to recognise them.
Finally, how to recognise a personal data breach.
As per the GDPR (Article 4(12)), a personal data breach:
“means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”
I recommend you read Articles 33 and 34 of the GDPR, which will provide you with more information. In addition, the European Data Protection Board (formerly Article 29 Working Party) has issued guidance in relation to data breaches. This guidance can be found here:
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052
Hi.
I have read the website and comments but am still a little hazy; this GDPR and personal data is a minefield.
If you are dismissed from a company and going to disciplinary / appeal, all evidence against you is sent prior to the meeting so you can prepare. If a spreadsheet is sent containing a list of customers seen including details of date and time visited, reference number, what they were seen for ( in brief, like premises licence / parking permit ) would this be classed as a breach to GDPR? Thanks
Hi Marie
As per the definition of a personal data breach in the GDPR Article 4(12), a personal data breach:
“means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”
The definition of personal data is documented in Article 4(1), but essentially, personal data is any information that can be used to identify a person.
Keeping the above in mind, if a list of customer names was provided to you as part of a response to your data subject access request, and these are not company names, (i.e. they are individuals) then the names would be considered the personal data of a third party, which should not have been provided to you unless the third party has consented to this disclosure. If they have not consented, then it falls under the definition of a personal data breach under the GDPR.
Hello. Similar question to Justin: I am a sole trader but limited company. I work within a specialised maintenance environment whereby my two major clients provide me with contact names and phone numbers of their customers so I may contact them direct to organise service visits. I keep these as a database on a PC and it is updated as needed. One of these end customers has asked my client for their GDPR policy, and they have rolled this down to me. I am struggling to find a template that does not refer to data collected online; and how can I possibly inform these few hundred contacts that I have their information, especially as the site contacts change so frequently? As the data has been shared WITH me, should my client manage the compliance and communication with the individuals about their data?
Hi Pete
The GDPR, in Article 24.2 which discusses the data controller’s responsibilities, states:
“…shall include the implementation of appropriate data protection policies by the controller.”
It is the data controller’s responsibility to implement a data protection policy.
From my understanding of the information that you have provided in your query, you appear to be the data processor in this arrangement with your client i.e. your client (the data controller) is providing you with the contact lists and you are acting on behalf of your client. Therefore you are the data processor.
The GDPR puts the obligation to have a data protection policy in place, on the controller (i.e. your client) and not the data processor (i.e. you).
Hi ,
In respect to a computer system username and email addresses that contain a real person’s name, for example username: john.doe and john.doe@company.com, the above are used during the life span of an employee’s employment.
Can the company argue that this information is used for a business purpose / function and will retain this information indefinitely even if a person is no longer with the company? Is this correct in terms of GDPR?
Hi James
Firstly, an email which incorporates a part of (or all of) a person’s name is considered their personal information even when it is a business email address. This is because they can be potentially identified from it.
One of the six data protection principles advises that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary …”
I would suggest you ask your company what their legal basis (i.e. lawful reason) is for retaining an employee’s email address indefinitely. I think it will be hard for a company to come up with a legal reason for retaining this data indefinitely. If you are not happy with their answer you can submit a complaint to the data protection supervisory authority.
Can a Director refuse to disclose his directorships in other companies under the GDPR?
Is privacy right a statutory right or contractual?
Hi DJ
Regarding your first question – This is more a company law query rather than a data protection one. You will need to check the company law within your own country for further clarification on this.
Regarding your second question – Data protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights, which states;
Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned, or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
Compliance with these rules shall be subject to control by an independent authority.
I hope this helps.
Hi there
I have just received a letter from the DSS in a window envelope with my name and address on it (as you would expect) set within an outlined black box which had typed above it the following:
“Deductions from Income Support regarding:”
Next Line: My full name, address and postcode
I have put this in the envelope many times myself with different folds and it doesn’t matter how hard I try, this information is clearly visible.
This may seem a tad inconsequential to someone else but I live in a small village; people gossip and I am pushing 70 years of age and clearly something is awry here as I am an OAP anyway. However, this has happened and in this circumstance could it be classified as linking my supposed situation and supposed means to my specific name and address, therefore violating the terms of the GDPR by clearly identifying me?
Obviously, whoever saw this before and during delivery, i.e. the local postman and the local post office would now have seen this misinformation. That is not to say they have, nor that they would necessarily pass comment, but the possibility is clearly there. I find the whole thing somewhat belittling.
I really would appreciate your advice as I wish to contact the sender and lodge a formal complaint about how they have disclosed personal details, however inaccurate, about me.
Thank you in anticipation of your reply and kind regards
Hi Anne,
Yes, I can certainly understand your unease. The first thing to do is query with the DSS (or DWP as it is now) whether it’s a genuine letter from them. If they’ve got your information wrong, it could be a scam.
There’s not really a set process for what you must do when contacting an organisation with a query/complaint; you can simply explain what happened like you’ve done here.
If you don’t get a response within a few weeks, you should take your complaint to your national data protection watchdog (it’s the Information Commissioner’s Office in the UK), which has the power to launch an investigation.
As part of my job I need to ascertain the competence of a contractor. I required a Forklift certificate which forms proof of training and will stand up in a court of law; it will show the name of the recipient, the date of training and usually a cert ID number, that’s it. I was surprised to receive a reply from one company stating it breached Article 6 of GDPR; the information is basic and essential.
Any thoughts?
Hi Paul
Article 6 refers to having a lawful reason for processing personal data and the GDPR advises that you have one of six lawful bases in order to lawfully process personal data. In summary, these are:
1. With the individual’s consent.
2. In order to meet a legal obligation.
3. Processing is necessary for the performance of a contract.
4. Processing is necessary to protect the vital interests of the individual.
5. Processing is necessary for the performance of a task carried out in the public interest.
6. Processing is necessary for the legitimate interests of the controller.
Can you use one of the above lawful reasons for why you need to obtain the certificate? It may be required by your insurers also – if so, then you would have a contractual reason for obtaining it. I presume you only keep a copy of it. Also, you should ensure that you are deleting these some time after the work with the contractor has ceased.
Hey Luke, i hope you can help me with this question.
We also have a lot of users who are using WhatsApp; some of them are using their private phones (BYOD) and the others are using company phones. We won’t deny the use of private apps and we are also not able to do so, because they are paying a small part of the cost to be allowed private usage of the phone. Are we already against the GDPR if we don’t deny WhatsApp? We manage the phones via Intune, but if we were to use an App protection policy to deny any business data sync like GAL to third party apps, they would also not be able to use the hands-free service in cars anymore.
Hi Nuri
There are a number of things that you need to consider:
Do you, as a business use WhatsApp for communicating with employees? If so, you need to consider the purpose for this and the legal basis under Article 6 of the GDPR. You should update your Data Protection Policy to reflect your use of WhatsApp and consider if your Privacy Policy needs to be updated also. I would suggest that you create a WhatsApp policy so that personal data in the app is kept to a minimum and to what is actually needed.
If WhatsApp is being used privately by your employees, i.e. not for business use, then again, I would update your data protection policy to reflect this and to call out that employees are using WhatsApp themselves and that it’s not for work purposes, and document that the company should not be held liable for employees using WhatsApp for personal purposes.
I think it’s a very good idea to use the App Protection policy that you have suggested.
I keep receiving statements and debt letters for a person who no longer lives at my property. I have lived in this property for over a year now. I have contacted each company to inform them and produced proof that I live there and now own the property. I have requested they remove my address from their system. They have sent me an email saying ” We are unable to alter any of our customer’s details without first confirming this with our customer. This is not a company policy, this is GDPR law and therefore, we are unable to contest this.”
These letters have the person’s name, my address, reference numbers and what is owed by this person. I thought that would be a breach of their GDPR obligations and the company needs to rectify their records.
I am effectively a sole trader, running my business as a limited company, with only a couple of businesses as clients for now. The only “personal data” that I have is the contact details (names, work phone numbers and work email addresses) of the two or three people that I speak with for conversations about the work I am doing. These are stored on my password-locked mobile phone. I have just received a letter stating that I have to pay a data protection fee to the ICO here in the UK, which is apparently compulsory for any company that “holds personal information for work purposes”. It’s not a huge fee, but it does seem a bit of a racket? You just pay them the money and that’s it? Sounds like you get put on a register which makes it seem like you’re complying with data laws, even though there is no need to prove that you are? More selfishly, I’m wondering whether I really need to pay this fee just for having some client’s numbers on my phone?
Hi and thank you for an informative blog. I work for a Government Agency and when responding to Subject Requests some of my colleagues redact all email addresses, telephone numbers, and names of colleagues/employees of the agency who are included within the records and information. Some of them only remove email addresses and contact numbers of colleagues/employees but retain names and titles whilst others do not redact these details at all, citing that as the colleagues/employees identified were acting in an official capacity their details should remain unredacted so as to ensure transparency and accountability.
An example would be a colleague having written a report on the subject or mentioning the subject (e.g. a social enquiry report, a report on their conduct in the community, a record of a multi-disciplinary case conference). Surely if the author’s details are redacted then the report might as well have been authored by the invisible man! No transparency or accountability – with professionals able to hide behind GDPR unchallenged. And if an individual is willing to put their name to formal records – which one would expect of employees acting in an official capacity – then this should not be redacted.
Similarly, if I had been refused planning permission then I would want to know the details of the Planning Officer who submitted the planning report and recommended refusal, and to be able to challenge their thinking if I felt it necessary.
Going on a bit, I know; however, formal documents do contain officials’ details, e.g. a trial judge report will include the name of the Sheriff who heard the case. Surely this would remain unredacted if provided as part of a Subject Request?…
Help!!!!!
Having a specialized website regarding medical billing benefits has been a revelation to numerous medical billers, however, this article has given even more dimensions to the understanding of concepts associated with medical billing. This article will be very beneficial for my understanding. If you want to know about the pros and cons of medical billing.
Hello
I have a broadband account with TalkTalk and am in the process of leaving. They are being difficult and our conversations are limited to private DMs on Twitter. However, they have now addressed me in a public thread and used my name, not my Twitter handle. I’ve asked them repeatedly to take down the post (quoting the Data Protection Act) but they just repeat how important it is to secure data.
Where do I stand with this?
Hi there, I have a unique surname and my workplace is insisting on having it visible on my name badge. I work with the public, many times with angry, unsatisfied people. I am concerned that the public should not know my unique surname, worried that their anger could extend to my personal life and that they could identify and locate me.
Am I right to request to remove my surname from the ID badge?
Many thanks
Right! Data privacy is important to every modern user. In 2020, it is very important not to forget about the need to increase the level of security of personal data. Since this can lead to problems and difficulties associated with hacking accounts by hackers. https://utopia.fans/blog/data-privacy-vs-data-protection-whats-the-difference/
Hello,
If scientific publications include contact information for the “corresponding author” and I find the article to be of significant interest, do I (or my company) have the right to contact the corresponding author to ask if he/she would like to participate in a scientific survey relating to the area of science in which the author has published an article?
Yes, you are permitted to do that, Lars! A one-off message to an email address that has been made publicly available — presumably for purposes such as the one you describe — isn’t subject to the GDPR.
I’d like to create a ‘map’ of which scientists are doing research of interest to the regulator that I work for. Why? So we can pick out the ones most relevant to our current and future research interests and contact them about collaborations, work. Some of them would be added after we’ve already worked with them, some because a colleague has flagged their work of potential relevance. My interpretation of GDPR is that such a record is impossible because…
1. I’d have to ask each scientist, often out of the blue, for permission to add them to the record “on the off chance that we might want to talk to you about your work”. Not very practical.
2. I could do this without permission but only by omitting any personal information or combination of information that could collectively identify them. So I can include their name (as long as it is not very unusual) but cannot pair it with one or more of the following: their institution, their specific scientific specialism (‘physics’ is maybe ok but ‘medical physics’ is a bit too identifying?), links to any papers they’ve published (as following the link identifies them – as would a URL to their professional blog or university profile page).
How can one plan future engagement work with other people if you can’t keep a record of who you might want to engage with and why you’d want to engage with them?
Hi,
I’ve just found out that my NI number and DOB, which I supplied to a work department as necessary for ID checks, were forwarded by them to a colleague via an email thread, who then copied the thread to our line manager. GDPR rules have been clearly breached here and, to be honest, I really have little confidence in this department’s ability to keep personal or confidential data just that. I’ve complained to them and to the manager. Just how serious is this and what further steps can I take to address it? Kind regards,
Hi Mona,
You did the right thing by bringing this up with the organisation. Your next step would be to lodge a complaint with the organisation’s supervisory authority — i.e. the body that oversees GDPR compliance in the country where the organisation is based.
You can find a full list of supervisory authorities in this blog: https://www.itgovernance.eu/blog/en/how-to-report-a-data-breach-to-your-supervisory-authority
Hi Luke,
Thanks for your reply. Following on from the previous incident, a UUID number had subsequently been generated for me and an email confirming the UUID number was sent to a relevant department, with my line manager and me copied in. He states that being in receipt of my UUID is not a breach of GDPR as the UUID was issued by the organisation – a work-related piece of data – that he would have a right to know if he had asked HR for it anyway (and in fact any other information being held on me in relation to my employment). Where does GDPR sit in this matter? Many thanks in advance.
I agree with you
Hi Luke,
Our manager is asking for our home address to be filled in an Excel spreadsheet stored in our company archive system, to which potentially all employees of our company have access. Is he allowed to demand the address from us? My home address would be shared within my team of 15 people. He offered that if we don’t want to fill in the Excel spreadsheet we can send the email to him directly. (Our company has a Human Resources department that holds this information.) In addition, now in the Covid-19 pandemic situation, HR instructed us to check with our healthcare provider arranged by HR whether we or our family members are vulnerable and should therefore continue working from home. Again the same manager is asking us, in advance of the assessment, to inform him whether we are going to consult the healthcare provider. Is this a breach of GDPR?
Hi Susanne,
Your line manager definitely cannot request your home address in the way you’ve described. As you probably suspect, the fact that anyone else in your team could view the document with employees’ addresses is a privacy violation.
They shouldn’t really ask you to email the information to them directly either. They might be your line manager, but that doesn’t give them the right to request this information (or whether you’ve consulted a health care provider).
By way of comparison, I recently talked to someone who asked their HR department for an employee’s address to send them a birthday present, but HR couldn’t provide it because the request didn’t meet the criteria for which the information was collected.
In the cases you’ve described and my example, the line manager may well have an understandable reason to ask for this information, but that’s not the same as a legal reason (what the GDPR calls a ‘lawful basis’).
Your best move from here would be to explain to your line manager that you’re not comfortable providing this information. It’s the line manager’s responsibility to justify and document a lawful basis for collecting this information.
Really Nice!! Thanks for Sharing… inspiredmediation.com/
If I tried signing up to a website and I was told by the website that someone in my household is already signed up, but there are only two people in my household, is that a data breach?
Hi, Alex. There’s no evidence that a data breach has occurred — at least if you or the other person in your household has signed up before. It sounds like the company’s system only allows one person per house to sign up to its service.
This is a great website and good share. I want to thank you. very nice! You guys make a great blog, and have some great content. Keep up the good work.
Good morning. We have to send jobs via PDAs to our engineers which contain customers’ names & phone numbers for access. These are then shown on the completed job sheets which are sent out when we invoice. As they aren’t always forwarded to the same named person, is this permitted?
Hi. Would the sharing of the names on a mailing list with no other identifiable data and no body of email included, be classed as a data breach? Thanks
Dear Sirs,
It is important to ensure that an individual can be identified reliably from the data by a third party. In my experience a third party does not have the information to reliably identify the individual in the first place and, by contacting this individual, is attempting to verify the identification and/or collect the missing information. For example, by revealing the first part of the postcode hackers aim to obtain the full postcode, or by revealing the flat/house and street name they aim to collect the missing information, i.e. town and postcode.
Therefore, the data in initial possession was not personal information and would never be without adding new bits of data obtained from the individual. This is also often referred to as ‘context’: it must remain clear that context cannot be provided by an identifiable individual. The contextual data must be provided by a third party.
The details above are often overlooked in my experience.
Question: if an employer has deleted emails that have personal information so as to hide what they have sent and who they have sent it to, do I have the right to ask for them to be restored from the Exchange server and a copy given to me?
Hi
I am interested in knowing the legal basis that third-party websites have that extract data from Companies House about companies, directors etc. There is a market for people to set up these websites to profit from data which genuinely interested parties could obtain directly from Companies House for free, as they have done in the past. However, since Companies House uploaded directors’ past and present highly sensitive information (name, DOB, home address, signatures) to their website with no prior risk assessment a few years ago, it has led to numerous instances of identity fraud, stalking, cyber crime and other security risks, as well as potential age discrimination for jobs etc. It provided an opportunity for unscrupulous companies to set up shop and many don’t even have contact details.
I think it is terrible that Companies House is not made accountable and forced to manage their data themselves which companies/directors have entrusted them with. There should be a law preventing third party companies from setting up online. They often don’t check that data is correct and just upload anything. There should be measures put in place to stop any fraudster or stalker being able to find details by just doing a search on Google. Genuinely interested parties should be made to provide their details to request information which they should not have a problem with as that is how it was done before the days of internet.
We are in dispute with one such company who refuse to remove the information – names, DOB, address (incorrect) etc. – for a company that was dissolved over 10 years ago and which did not even go ahead with trading, so no company accounts. The company has also been archived by Companies House years ago, which has been confirmed in writing. We are in the process of contacting the ICO but we just wanted to know where we stand from a GDPR perspective, as they claim that they have a legal basis. Recently one of our directors found their name amongst porn website links when they searched their name on Google, which is upsetting as that can affect reputation. Their name would have come from the info on these company data websites as that is the only online profile that they have. Many thanks.
Hi Luke. Please can you help me with a query? If an organisation held personal information on an individual which has since been deleted does the individual have the right to know why that data was on file and have access to the information if it can be provided? Thanks. – Senan
Hi. Just want to confirm: if, for example, I included the full name only of our customer to third-party engineers who will work on the broadband service of our customer, does it mean that I did not violate the GDPR?
Our higher management accused me of violating the GDPR, which I believe is wrong. Where can I consult to defend my side against their allegation?
I have co-founded a student organization in Finland that functions under the umbrella of the largest student union here. Part of the registration process involved a paper document that was signed by me and other future members. I have recently found out that the document can be found freely online, where my name and signature are fully visible. I have asked them to take it down or modify it, but they have said it is out of their hands. Surely this is a breach of GDPR? Any advice?
An eBay seller is selling a car I once owned, and on their advert they are showing the log book for the car, which is clearly displaying my full name and address.
I no longer own this vehicle, or have anything to do with the sale of it.
Are they in breach of GDPR?
I must say that overall I am really impressed with this blog. It is easy to see that you are impassioned about your writing. I wish I had got your ability to write. I look forward to more updates and will be returning.
I am really thankful to you for sharing such useful info.
Hope you are sharing the same in future.
thanks
We are willing to collect the data of the key leaders of the various state governments for a business intelligence tool that we are developing. I mean the names, roles, affiliations, characteristics etc. of the prime ministers, ministers or some heads of institutions. Does that constitute a breach of the GDPR? All the data will be collected from open online sources.
Hi Luke. Thanks for all your very informative posts. Have you come across a situation, or do you have a view on a situation, where a request for access to personal data is refused as it is (in my view wrongly) considered to be ‘third party data’ but is potentially the personal data of two people that cannot be severed?
Person A (the requester) is definitely identifiable in the data held, but some of the data withheld is the ‘opinion’ of Person B about Person A and (false) allegations about Person A’s conduct. It also potentially contains other data which may reveal the identity of Person B, who, because of their actions (making a false and malicious complaint about Person A), presumably does not want his/her identity revealed (it could be revealed either because he/she gave his/her name or it could be discernible by virtue of some information they relayed to the data controller, e.g. that only that person, or a limited number of people, may know).
I would greatly appreciate any thoughts/references or assistance!
Many thanks
M
At its most basic form, whenever you differentiate one individual from others, you are identifying that individual. Any individual who can be distinguished from others is considered identifiable.
I work at a school of mature students and one of them put an SAR in for all emails containing their name.
Is it acceptable for us to use just their initials in emails going forward, so when we search for emails about them, it’s not picking up quite so many that we then have to go through and redact?
Would it be acceptable for them to then request all emails containing their initials (I’m thinking not!!)
We’ve nothing to hide, but I was wondering if it was practice to just not mention people by their names in emails and just use their initials so the recipient knows who we are talking about but anyone else who might see the communication, doesn’t know.
Thanks in advance!
Although emails may contain personal data (the sender’s name, email address and, in some circumstances, their occupation), you don’t need to collect each individual message when completing a DSAR.
With the GDPR, you are looking specifically at information that’s stored in databases/filing systems. It’s only the information in these systems that must be catalogued in a DSAR. You don’t need to break down each specific instance where that information is used (such as every time you email them/receive an email from them).
Is an audit trail in a business application, which records which employee performed which transaction and when, considered personal data? And if so, does the employee have the right to request to be “forgotten” when they leave the company i.e. by having all the audit trail deleted?
An audit trail shouldn’t contain personal data, so it’s unlikely that the GDPR applies here. An audit trail is more likely to be intellectual property, which belongs to the organisation.
I received a letter from my employer and included with my Letter was a letter for another employee including their name, address and the fact that they had not provided a sick note and therefore were required to attend an absence management meeting. Is this a data breach?
Yes, this is a data breach.
Would a personal home address alone be classed as personal data under GDPR? For example, if I walked around a town and made a database of all the houses with blue doors (using just the houses’ addresses), would that be considered personal data?
Hi Jo,
An address is personal data, because people can be contacted directly with that information. (Indeed, many organisations send letters without the person’s name). For the same reason, an email address is personal data.
It’s worth remembering, though, that the GDPR applies strictly to organisations collecting data in filing systems — so your specific example falls outside of the Regulation’s scope.
The GDPR holds processors liable for breaches or non-compliance. It’s possible, then, that both your company and processing partner such as a cloud provider will be liable for penalties even if the fault is entirely on the processing partner.
I am a club secretary and have been asked by a member to forward names and addresses of all members to him. Does this breach Data Protection rules?
That would absolutely be a breach of the GDPR.
Hi
Are initials also classed as PII and will they cause GDPR issues? (like using JS instead of John Smith)
It’s unlikely that initials can be classed as personal data.
Hey, I appreciate your quality stuff and I would like to read more quality stuff like this. keep sharing.
Hello there, my boss has posted a screenshot of the company WhatsApp group conversation on her own private Facebook page. This screenshot has my name and telephone number on it, along with the company that we both work for. I have made a complaint to her line manager, who has told me that there is nothing they can do because it’s a private Facebook page. Surely this can’t be correct?
Hi Zoe. This is a tricky one — it will depend on whether the company WhatsApp group is considered a formal, work-related communication channel (as opposed to a group for employees to communicate outside of work). That will determine whether it’s an organisational breach or simply someone sharing information about someone they know. Either way, you’re right that your boss shouldn’t have done it, and the fact that it was shared to a private Facebook page doesn’t change that.
Good day, very cool web site!! Man .. Beautiful .. Wonderful .. I’ll bookmark your website and take the feeds also? I am satisfied to find so many helpful info here in the put up, we want work out more strategies on this regard, thank you for sharing.
This is a great website and good share. I want to thank you. very nice! You guys make a great blog
This article offers clear idea in support of the new people of blogging, that genuinely how to do running a blog.
A colleague has asked if having a list of internal extension numbers with names alongside them pinned to the wall where the public may be able to see these whilst attending the work location is considered a breach of GDPR?
It’s not advisable to have people’s extension numbers be publicly visible, no. Could you not put this information on a work portal? Or even in a restricted part of the building where members of the public wouldn’t enter.
Hi,
Can you please explain how internal corporate user information (zero exposure to external customers or public), is considered in GDPR and the new Chinese privacy law?
Our mantra, as the identity and access team, has been that no sensitive information is stored in our systems (OKTA and Active Directory). We have told HR we do. It want nor will accept social security or concomitant national identifiers, personal email addresses, personal phone numbers etc. Sure, HR has to be extremely careful, as they possess these data and more (salary, home addresses, etc) but no where in the IT systems do we allow this.
Why then am I being told by others that first name, last, corporate email address and corporate phone numbers etc. are private data? They are not, how can I send you an email if I don’t know your name? How can I call you, on your business phone (only) if I can’t look you up in the corporate directory?
Thank you in advance!
Sorry, typo…
“We have told HR we do not want, nor will accept social security or concomitant national identifiers, personal email addresses, personal phone numbers etc.”
Appreciate the effort and information you have given in writing this article .
Hard to ignore such an amazing article like this. You really amazed me with your writing talent. Thank you for sharing again.
Such an amazing and helpful post. I really really love it.
Thank you for sharing this useful article. Keep it up! Regards!
This was an extremely nice post. Taking a few minutes and actual effort to generate a top notch article.
Its an amazing website, I really enjoy reading your articles.
Hi. For my business I have my suppliers’ and customers’ names, addresses and email addresses on my software package, Sage. We don’t sell online, so no card details are entered on our website etc. We do take payment over the phone by card, but the card details are entered as we speak and never written down anywhere. We don’t store any card details ever, and only the details of our customers on Sage as said above.
Do you know if I have to PAY the ICO data protection fee or would I be exempt?
Hi. In the course of my self-employed business activities (Kleeneze distributor) I try to build a rapport with everyone within my designated area. Say for instance Seaford, East Sussex. If, in the course of my business, to build rapport with the individuals within that area, I make a personal note of their names, hobbies that they have mentioned, medical history and family goings-on, but I keep that information to myself, privy to no one else, is that a breach of data protection laws?
If I go house to house in the UK building a rapport with householders to build business for a Kleeneze delivery service, is it breaking data protection if I keep ‘personal’ notes on individual households collating tastes, hobbies, physical descriptions etc. without their knowledge?
My name and job role appear on the website of my school. Is this ok?
If John Doe MD forms an LLC, opens a practice or a clinic and names it John Doe’s Clinic, is the legal entity subject to the same level of personal data protection as Dr John Doe the person? Should other legal entities, Corporations/Organizations/Vendors who sell healthcare supplies to the clinic treat the clinic’s data the same way they treat the person in their data bases?
May I say what an excellent article that gives clarity for a complex piece of legislation.
Can I ask your opinion as to whether the following would amount to a breach, namely:
the author of a letter from a limited company stating that a resident (not named but capable of identification by way of location/address) suffered from ‘health issues’.
In my respectful opinion this is adverse to the privacy of the other party but I welcome a second view.
Regards
Excellent post. I was reviewing this blog continuously, and I am impressed! Extremely helpful information especially this page.
8/23/21 I belong to a registered charity in the UK. They publish quarterly in their bulletin a list of new members. The most recent listing for those members in the USA includes the new member’s name, the city in which they live and “USA.” I questioned why the state was not shown and they advised that due to GDPR they cannot publish the state. Is that correct information? Thank you very much.
Hi Luke,
I was line manager for an employee and a new manager took over that area. I received an email from the new line manager asking if I had any information on agreeing to a 3pm start for the colleague. I replied that I had agreed a 3pm start. Last week the employee emailed me and requested a copy of the email. There is no personal data on it, so would I be breaching any DPA laws in sending her the email? Thanks
Hi, my previous employer is still publishing my name, and the names of other employees that have left, on their website. The names are being displayed in the following format: title, initial, surname. Is this a breach? I have emailed them and requested that this be updated.
I think this is one of the most important pieces of information for me. And I’m glad reading your article.
Can you refuse to answer a question on a GDPR form which you consider intrusive and unnecessary? For instance, can a tennis or ukulele club legitimately ask for your date of birth?
Hi, as an IT contractor I typically work through an agency/intermediary. I have a contract with agency X and X also has an “upper-level” contract with the end client. Historically it has been extremely difficult, if not impossible, for contractors to get visibility of such upper-level contracts as they are deemed “commercially sensitive”. As such, the agency’s margin and other terms of agreement with the end-client are totally opaque. Under GDPR legislation, is it now legally enforceable to make a Subject Access Request to get sight of such a document which undoubtedly contains personal information about the contractor?
I help run a small non-commercial company and we have had an ongoing issue with a fellow director (none of us are employees) who has been behaving in an erratic manner and we suspect has psychological problems. The other directors including myself have had ongoing discussions, verbal but also via email, to work out how best to manage this tricky colleague. The person has got wind of this back-channel communication and is demanding to see all our internal emails that relate to them. All were sent and received via our personal email accounts and we have no company email system or data controller. Is there a case under GDPR to disclose such communication? All our written communication has been strictly internal/personal and could be justified by the situation we have found ourselves in but it does ultimately relate to the company.
I work for an organisation that is closing down the current branch and setting up a smaller entity with a different name. We send out a newsletter from the current branch and have a mailing list with 5,000 members. Can we transfer the mailing list to the new entity so that people still receive a newsletter? They have signed up, but the new entity will be different and registered to a different address; the content of the newsletter will be the same.
Hi, Thanks for sharing a thorough and simple-to-understand post about GDPR. It’s excellent and gave me many good ideas about the GDPR Learning process. Thank you for this valuable knowledge.
I have recently moved and there is an issue with some doors that are still under warranty. It seems the problem is not with the product itself but with the way they were installed. I have reached out to the company stated in the warranty as the suppliers and installers and asked them to confirm which company installed them so I can follow up with them, but they are citing GDPR and non-disclosure of personal data to not provide it. I already know the purchaser, i.e. the previous owner of the house, with whom I have no further contact, so I am not sure why they are mentioning the disclosure of personal data. Are they right to not provide the commercial details of the company which installed a product I am the legal owner of?
Hello Des, could you answer a quick question please. In a recent disciplinary meeting the people holding the meeting gave my and another’s name to the person being disciplined as sources of information. This was in the form of a statement by a third person. No information was verified and I wasn’t contacted to check its validation or if my name could be used. I take this as a breach of GDPR. Am I correct?
Hi GDPR,
I’m Galina. We have such a situation: my husband sued a person in court over some problem, and during the investigation of the case the judge requested that all statements and explanations given as evidence for the trial be made in three copies, so that the Defendant, the judge and I have the same packages; the same was requested from the Defendant, as that is the procedure when investigating a case. After the trial was over and the judge’s decision was made, my packet of copied documents remained with the debtor… and he uses the data in that package of documents, which I used during the investigation of the case as statements in my defence, without my permission for his personal purposes. We beg you to give us some advice on how to proceed in this case and how to protect our personal data and documents from this debtor??
We wanted to sue the debtor, but we don’t know what the indictment should be in this case???
We will be very grateful if you help us with any advice, please.
This debtor is a person who cannot be trusted and he is good at cheating!!
Please, any advice will be very useful to us in our case.
Thank you in advance
Hi Luke
My client files…
Coding:
If I code by only using the first initial of a client’s name, followed by the year I took them on (i.e. 21), followed by the first initial of the course they are taking (I work in MH), followed by the first initial of the support company that funds the support, is that acceptable or too many identifiers? I use that code in my diary for appointment bookings and in my phone book linked to their phone number, as I need to make calls!
Hence as an example J/21/O/PM.
Am I breaking any rules….. x
Our local Parish Council pay a small winter fuel allowance to people living in the village who are eligible, they put a list of names of those people on the local notice boards that are situated around the village where anyone can see them.
Is this against GDPR?
I work for an organisation and information has been supplied to me as part of a process. I have noticed that someone, who was our “Information Governance Manager (Data Protection Officer)” at the time, had altered the subject heading of correspondence she had been involved in, ironically with the ICO and removed the reference to my actual surname. Instead, she changed it to an abbreviation that would have made it virtually impossible for any subsequent SAR search to pick that up unless I knew what she had done. Even then, that abbreviation could then potentially refer to hundreds of people in our organisation. The initial correspondence was initiated by the ICO so she was changing their subject heading, although they didn’t seem to notice. That definitely does not seem right to me and currently she has declined to respond to my query about this. Any advice would be much appreciated. N.B. I submitted a previous SAR and some quite inappropriate management behaviours were subsequently identified and I am concerned in case this was done in order to try and conceal any communications about me.
Very good article. It provides great information on GDPR and all. Thanks for sharing…
Thanks for the great article on GDPR and other services
Does providing the first name of a staff member on a work rota Word document constitute a breach of GDPR guidelines? My child is a special needs person who has 24-hour care in his own home, and we as parents have had our request for the rota to include the first name of the staff on duty declined by the service provider, citing GDPR, when all we want to know is the first name of the staff member who is on duty.
One of my agents has access to personal information regarding our clients overseas. She uses this information on a work-from-home kit to communicate directly through our systems with the client. She then takes that information and contacts him via her personal email at a later date. What would the legal ramifications for this be, as it's a breach of our PCI policies to do this?
You have done an excellent job of explaining the GDPR comprehensively and understandably. It’s incredible and provided me with a slew of new insights into approaching GDPR education.
Thanks for the information.
Firstly, thank you to all concerned for this wealth of information.
I have a question, if I may: can the chair of a members' club produce a table showing the full names of committee members and trustees along with a broad age demographic (i.e. 20-30, 30-40, 40-50, over 50)? I had believed this was a contravention of personal data rules. I'd be much obliged if you could assist.
Hi, Laura. It's possible that a breach occurred; it depends on the lawful basis the members' club used to collect the data. Whenever you have an issue like this, you can file a complaint with your relevant supervisory authority. For example, in Ireland, this is the Data Protection Commission.
Hi,
Although an individual has the right to access information held via a DSAR, does the individual have the right to be advised how the information is stored, i.e. via a database, spreadsheet, etc.?
Many thanks
Hi, Dave. You don’t have to state how the information is stored. You only need to provide the information itself, details of how you obtained it (the legal basis you used, how long it will be stored, how it was obtained), and any relevant information about automated decision-making and profiling.
1. A technical report has been authored for a Company (either by an employee or by a third-party consultant who has been contracted to author the report), and the content of the report is the intellectual property of the Company. The content of the report has nothing to do with people and could be on topics such as the environment, accounting principles, GDPR compliance, assessment of company operations, etc. The report exists as a PDF or scanned image file. The cover page of the report contains the name, title, degrees/certifications (BA (Hons), PhD, etc.), company name, signature (handwritten or digital/electronic), business email address and date of the authors and the approvers of the report. Is the information on the cover page which identifies the authors and approvers of the report "personal data"?
2. If not, where is this explained?
Hi, Michelle. That's a tricky one. Some of the information absolutely meets the GDPR's definition of personal data, as it relates to specific, identifiable people. But crucially, personal data under the GDPR generally refers to information that is part of (or is intended to be part of) a filing system. It's not clear whether that's the case here. It's always best to err on the side of caution or to seek legal advice.
The way of explanation was great! Good points raised by you.
Keep sharing these types of articles.
Dear Luke,
I tried to use Boots points more than a year ago. I was told I couldn't deduct the monetary value from a large order because it wasn't a TREAT. I made my order elsewhere and stopped shopping with Boots. Since the end of last year I have been informed online that they were cancelling any points from customers who hadn't shopped in 12 months. I tried to use the site, and they had changed their passwords, so mine was not being accepted. Dozens of emails later, several people said they could help. I answered all the questions I was asked (which no one else could have answered). Still no points, and still not able to connect to the site. Next I got someone else "in the team" who decided to ask me how I signed up to Boots. I am a disabled pensioner and, until Boots were sold out again, had shopped unfettered. I missed out my middle name, which I no longer use on anything. I spent weeks trying to get this idiot to accept that they changed the sign-in details, blocking my account, but he started quoting GDPR, saying he had to have exactly what I signed up with. I was ill, so gave up trying, but this year I have had further emails telling me that if I don't use the points and shop at Boots they will just deduct them and close my account. I keep trying, but no one in their customer service will respond to me, and it seems this is just a ploy to not pay out to customers who have accumulated a large number of points. Even the card I have is so old it has fewer letters and numbers than my original card. My name is unusual anyway (when they manage to spell it properly). I can't for the life of me see that removing my middle name, as I asked them to, is likely to cause any breach, but can you help? It's even more annoying, as when I did have cause to contact the DPO about a serious breach they did not have enough staff to deal with all the questions they were being sent. Can you help tell me where I stand with this? Thank you
Hi, Lynda. The GDPR is only one aspect of this issue. Boots are within their rights to ensure that the person trying to access the account is the true account holder. Otherwise it would be easy for people to simply claim to be other people and use their accounts. Given that the account has a large cash value accumulated, it's in everyone's interests to protect the account from unauthorised access.
It sounds as though the shop is reluctant to help, but that’s a matter of customer service rather than a GDPR violation.
Hi, if a company uses and displays a customer's full name (first, middle and surname) and full address on a letter sent, which is displayed in the window of the envelope, is this breaching GDPR?
Hi, Helen — probably not. This information is necessary for the letters to reach their destination.
Great article and good thread of Q&A.
My company is considering migrating our email system from being hosted on-premises to the cloud (one of the big global providers). Our customers will occasionally include personal data in an email to us, such as a name and address. Would we be in breach of GDPR, as our cloud provider is global, meaning the email data could potentially be anywhere in the world?
Hi, Mike — *where* the information can be accessed is irrelevant in terms of the GDPR. If the information belongs to EU residents, it must be subject to adequate protections.
Hi Team, we have an end customer using an RFID loyalty scheme, and those numbers get stored on our equipment for diagnostic purposes for a period of time before being deleted. As a company, we have no knowledge of or ability to reconcile who those numbers correlate to as PII. It's effectively only a number to our system. Is this a valid approach, to say that this doesn't constitute PII?
Hi, John. Based on the information you've provided, it sounds like this wouldn't be classed as personal data. But it's worth making absolutely sure that there is no way that the information can be linked to details such as names, addresses and contact numbers.
Thanks!
Very nice article. Thanks for the information.
I have a question. In most IT systems we have audit logs; the logs track who has accessed the system and what they have done on it. We would store the employee's name in the log. Is that treated in the same way as external customers' data? Do we have to mask the names of the employees too in this context?
You are allowed to store employees' names for internal processes; it would be impossible to do business otherwise. But you need to implement protections appropriate to the level of risk. If the logs only state the employees' names and no other information of importance, there will be a low risk.
If my business is posting letters with clients' personal details such as full name, address and DOB, should I always use a secure tracked postage service? If I haven't done this (tracked service) and the letter gets lost, have I incurred a GDPR breach?
This probably falls outside the scope of the GDPR. The Regulation protects information within a filing system — physical records, databases, etc. If letters are sent to the wrong person because the organisation used incorrect information, that would be a data breach. But there’s not much they can do to mitigate against packages being misdelivered.
Hi, I appreciate you sharing this informative and easy-to-understand post about GDPR. It’s amazing and provided me with a lot of useful insights on the GDPR learning process. Thank you for sharing this useful information.
Not only that, businesses need to keep records showing the implementation of GDPR, with documents showing the data processing process, where the data is stored, and the individuals responsible.
Hi, really good blog, thanks for sharing this content. This will really help to understand the GDPR.
Hi, is a bank in violation of GDPR if they want me to tell them that they have to approve my Mastercard payment on a health website like cancer-x dot com, in this way implicitly disclosing to people on the card support phone and on the website support that I might have a health condition called cancer? Isn't where we buy or purchase our products a personal thing?
Hi, Seb. That's a good question. Information regarding medical equipment is, as you suggest, considered personal data under the GDPR. In fact, it's considered special category personal data and is subject to extra rules. However, it's unlikely that the information the bank collects would contain any specific information. Moreover, the banks would argue that they need to know the organisations that took payments in order to operate.
Thank you for this blog, it is immensely valuable. As an officer of a small sports club, I have been asked by one member to make public a numerical breakdown of membership, which would be along the lines of “we have 50 city members, 20 country members, 10 overseas members and 4 honorary members”. I can’t see how this anonymised information could breach GDPR, but I am ultra-cautious and would welcome your views.
Hi, Robert. I’m glad that you find this article helpful. Regarding your question, a breakdown such as the one you listed is almost certainly fine. There’s no way to determine the identity of any particular member with that information alone.
I’m so impressed by the quality of the content on this blog – it’s really well researched and thought out.