What is personal data?
According to the General Data Protection Regulation (GDPR), the definition of personal data is very broad and goes beyond data that can directly identify a person (eg: surname, first name, address, email, etc.).
Any information allowing a person to be identified indirectly or directly or by cross-checking with other available data is considered personal data and falls within the scope of the GDPR.
For example, a fingerprint, a social security number, an internal number, an IP address, a computer connection identifier, a voice recording, etc., it does not matter whether this information is confidential or public.
The GDPR applies to personal data that may or may not be processed automatically and contained or intended to appear in a file (in paper or computer form).
What is processing of personal data?
The term “processing of personal data” includes all actions relating to such data, in particular:
- data collection;
- access to data by a person or a machine;
- data storage (even in the form of “paper” files);
- reproduction or copy of a document containing this data (eg: photocopies, etc.);
- transfer of data to a third party;
- data archiving;
- modification of data;
- data erasure.
A processing of personal data must have an objective, a purpose, i.e. you cannot collect or process personal data just in case it would be useful to you one day. Each data processing must be assigned a purpose, which must, of course, be legal and legitimate with regard to your professional activity.