Guide to the General Data Protection Regulation (GDPR)



Contents

- Introduction
- What's new
- Key definitions
- What is personal data?
- Principles
  - Lawfulness, fairness and transparency
  - Purpose limitation
  - Data minimisation
  - Accuracy
  - Storage limitation
  - Integrity and confidentiality (security)
  - Accountability principle
- Lawful basis for processing
  - Consent
  - Contract
  - Legal obligation
  - Vital interests
  - Public task
  - Legitimate interests
  - Special category data
  - Criminal offence data
- Individual rights
  - Right to be informed
  - Right of access
  - Right to rectification
  - Right to erasure
  - Right to restrict processing
  - Right to data portability
  - Right to object
  - Rights related to automated decision making including profiling
- Accountability and governance
  - Contracts
  - Documentation
  - Data protection by design and default
  - Data protection impact assessments
  - Data protection officers
  - Codes of conduct
  - Certification
  - Guide to the data protection fee
- Security
  - Encryption
  - Passwords in online services
- Personal data breaches
- International transfers
- Exemptions
- Applications
  - Children

Introduction

The Guide to the GDPR explains the provisions of the GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection.

The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of this apply, like the GDPR, from 25 May 2018.

This guide refers to the DPA 2018 where it is relevant and includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU’s Article 29 Working Party - now the European Data Protection Board (EDPB).

We intend the guide to cover the key points that organisations need to know. From now we will continue to develop new guidance and review our resources to take into account what organisations tell us they need. In the longer term we aim to publish more guidance under the umbrella of a new Guide to Data Protection, which will cover the GDPR and DPA 2018, and include law enforcement, the applied GDPR and other relevant provisions.

Further reading
- Data protection self assessment toolkit
- For organisations

For a more detailed understanding of the GDPR it’s also helpful to read the guidelines produced by the EU’s Article 29 Working Party – which has now been renamed the European Data Protection Board (EDPB). The EDPB includes representatives of the data protection authorities from each EU member state, and the ICO is the UK’s representative. The ICO has been directly involved in drafting many of these. We have linked to relevant EU guidelines throughout the Guide to GDPR.

We produced many guidance documents on the previous Data Protection Act 1998. Even though that Act is no longer in force, some of them contain practical examples and advice which may still be helpful in applying the new legislation.
While we are building our new Guide to Data Protection we will keep those documents accessible on our website, with the proviso that they cannot be taken as guidance on the DPA 2018.

We previously produced an Introduction to the Data Protection Bill as it was going through Parliament. We will update this document to reflect the final text of the DPA 2018 and publish it as soon as possible.

We also published a guide to the law enforcement provisions in Part 3 of the Data Protection Bill, which implement the EU Law Enforcement Directive. We will update this to reflect the relevant provisions in the DPA 2018.

02 August 2018 - 1.0.248

What's new

We will update this page monthly to highlight and link to what’s new in our Guide to the GDPR.

September 2018
We have expanded our guidance on Exemptions.

August 2018
We have expanded our guidance on International transfers.

May 2018
The European Data Protection Board (EDPB) has published draft guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 for consultation. The consultation will end on 12 July.
We have published detailed guidance on children and the GDPR.
We have published detailed guidance on determining what is personal data.
We have expanded our guidance on data protection by design and default, and published detailed guidance on automated decision-making and profiling.
We have published a new page on codes of conduct, and a new page on certification.
We have published detailed guidance on the right to be informed.
We have published detailed guidance on Data Protection Impact Assessments (DPIAs).
We have expanded the pages on the right of access and the right to object.
We have published detailed guidance on consent.
We have expanded the page on the right to data portability.

April 2018
We have expanded the page on Accountability and governance.
We have expanded the page on Security.
We have updated all of the lawful basis pages to include a link to the lawful basis interactive guidance tool.

March 2018
We have published detailed guidance on DPIAs for consultation. The consultation will end on 13 April 2018. We have also updated the guide page on DPIAs to include the guide level content from the detailed guidance.
We have published detailed guidance on legitimate interests.
We have expanded the pages on:
- Data protection impact assessments
- Data protection officers
- The right to be informed
- The right to erasure
- The right to rectification
- The right to restrict processing

February 2018
The consultation period for the Article 29 Working Party guidelines on consent has now ended and comments are being reviewed. The latest timetable is for the guidelines to be finalised for adoption on 10-11 April.
The consultation period for the Article 29 Working Party guidelines on transparency has now ended.
Following the consultation period, the Article 29 Working Party has adopted final guidelines on Automated individual decision-making and Profiling and personal data breach notification. These have been added to the Guide.
We have published our Guide to the data protection fee.
We have updated the page on Children to include the guide level content from the detailed guidance on Children and the GDPR which is out for public consultation.

January 2018
We have published more detailed guidance on documentation.
We have expanded the page on personal data breaches.
We have also added four new pages in the lawful basis section, covering contract, legal obligation, vital interests and public task.

December 2017
We have published detailed guidance on Children and the GDPR for public consultation. The consultation closes on 28 February 2018.
The sections on Lawful basis for processing and Rights related to automated individual decision making including profiling contain new expanded guidance. We have updated the section on Documentation with additional guidance and documentation templates.
We have also added new sections on legitimate interests, special category data and criminal offence data, and updated the section on consent.
The Article 29 Working Party has published the following guidance, which is now included in the Guide.
- Consent
- Transparency
It is inviting comments on these guidelines until 23 January 2018.
The consultation for the Article 29 Working Party guidelines on breach notification and automated decision-making and profiling ended on 28 November. We are reviewing the comments received together with other members of the Article 29 Working Party and expect the guidelines to be finalised in early 2018.

November 2017
The Article 29 Working Party has published guidelines on imposing administrative fines.
We have replaced the Overview of the GDPR with the Guide to the GDPR. The Guide currently contains similar content to the Overview, but we have expanded the sections on Consent and Contracts and Liabilities on the basis of the guidance on these topics which we have previously published for consultation.
The Guide to the GDPR is not yet a finished product; it is a framework on which we will build upcoming GDPR guidance and it reflects how future GDPR guidance will be presented. We will be publishing more detailed guidance on some topics and we will link to these from the Guide. We will do the same for guidelines from the Article 29 Working Party.

October 2017
The Article 29 Working Party has published the following guidance, which is now included in our overview.
- Breach notification
- Automated individual decision-making and Profiling
The Article 29 Working Party has also adopted guidelines on administrative fines and these are expected to be published soon.
In the Rights related to automated decision making and profiling we have updated the next steps for the ICO.
In the Key areas to consider we have updated the next steps in regard to the ICO’s consent guidance.
The deadline for responses to our draft GDPR guidance on contracts and liabilities for controllers and processors has now passed.
We are analysing the feedback and this will feed into the final version.

September 2017
We have put out for consultation our draft GDPR guidance on contracts and liabilities for controllers and processors.

July 2017
In the Key areas to consider we have updated the next steps in regard to the ICO’s consent guidance and the Article 29 Working Party’s Europe-wide consent guidelines.

June 2017
The Article 29 Working Party’s consultation on their guidelines on high risk processing and data protection impact assessments closed on 23 May. We await the adoption of the final version.

May 2017
We have updated our GDPR 12 steps to take now document.

We have added a Getting ready for GDPR checklist to our self-assessment toolkit.

April 2017
We have published our profiling discussion paper for feedback.

March 2017
We have published our draft consent guidance for public consultation.

January 2017
Article 29 have published the following guidance, which is now included in our overview:
- Data portability
- Lead supervisory authorities
- Data protection officers

Key definitions

Who does the GDPR apply to?

The GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

Further reading
Relevant provisions in the GDPR - Articles 3, 28-31 and Recitals 22-25, 81-82

What is personal data?

At a glance

Understanding whether you are processing personal data is critical to understanding whether the GDPR applies to your activities.

Personal data is information that relates to an identified or identifiable individual.

What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.

If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.

If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.

Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.

When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.

It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.

Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR.

Information which is truly anonymous is not covered by the GDPR.

If information that seems to relate to a particular individual is inaccurate (ie it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.

In brief

What is personal data?

The GDPR applies to the processing of personal data that is:
- wholly or partly by automated means; or
- the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.

Personal data only includes information relating to natural persons who:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information.

Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.

Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.

If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.

Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.

Information about companies or public authorities is not personal data.

However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.

What are identifiers and related factors?

An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals.

A name is perhaps the most common means of identifying someone. However whether any potential identifier actually identifies an individual depends on the context.

A combination of identifiers may be needed to identify an individual.

The GDPR provides a non-exhaustive list of identifiers, including:
- name;
- identification number;
- location data; and
- an online identifier.

‘Online identifiers’ includes IP addresses and cookie identifiers which may be personal data.

Other factors can identify an individual.

Can we identify an individual directly from the information we have?

If, by looking solely at the information you are processing you can distinguish an individual from other individuals, that individual will be identified (or identifiable).

You don’t have to know someone’s name for them to be directly identifiable, a combination of other identifiers may be sufficient to identify the individual.

If an individual is directly identifiable from the information, this may constitute personal data.

Can we identify an individual indirectly from the information we have (together with other available information)?

It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.

Even if you may need additional information to be able to identify someone, they may still be identifiable.

That additional information may be information you already hold, or it may be information that you need to obtain from another source.

In some circumstances there may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual. However, this is not necessarily sufficient to make the individual identifiable in terms of GDPR. You must consider all the factors at stake.

When considering whether individuals can be identified, you may have to assess the means that could be used by an interested and sufficiently determined person.

You have a continuing obligation to consider whether the likelihood of identification has changed over time (for example as a result of technological developments).

What is the meaning of ‘relates to’?

Information must ‘relate to’ the identifiable individual to be personal data.

This means that it does more than simply identifying them – it must concern the individual in some way.

To decide whether or not data relates to an individual, you may need to consider:
- the content of the data – is it directly about the individual or their activities?;
- the purpose you will process the data for; and
- the results of or effects on the individual from processing the data.

Data can reference an identifiable individual and not be personal data about that individual, as the information does not relate to them.

There will be circumstances where it may be difficult to determine whether data is personal data. If this is the case, as a matter of good practice, you should treat the information with care, ensure that you have a clear reason for processing the data and, in particular, ensure you hold and dispose of it securely.

Inaccurate information may still be personal data if it relates to an identifiable individual.

What happens when different organisations process the same data for different purposes?

It is possible that although data does not relate to an identifiable individual for one controller, in the hands of another controller it does.

This is particularly the case where, for the purposes of one controller, the identity of the individuals is irrelevant and the data therefore does not relate to them.

However, when used for a different purpose, or in conjunction with additional information available to another controller, the data does relate to the identifiable individual.

It is therefore necessary to consider carefully the purpose for which the controller is using the data in order to decide whether it relates to an individual.

You should take care when you make an analysis of this nature.

Further reading
Relevant provisions in the GDPR - See Articles 2, 4, 9, 10 and Recitals 1, 2, 26, 51

In more detail – ICO guidance
We have published detailed guidance on determining what is personal data.

Principles

At a glance

The GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability

These principles should lie at the heart of your approach to processing personal data.

In brief
- What’s new under the GDPR?
- What are the principles?
- Why are the principles important?

What’s new under the GDPR?

The principles are broadly similar to the principles in the Data Protection Act 1998 (the 1998 Act).

1998 Act:                               GDPR:
Principle 1 – fair and lawful           Principle (a) – lawfulness, fairness and transparency
Principle 2 – purposes                  Principle (b) – purpose limitation
Principle 3 – adequacy                  Principle (c) – data minimisation
Principle 4 – accuracy                  Principle (d) – accuracy
Principle 5 – retention                 Principle (e) – storage limitation
Principle 6 – rights                    No principle – separate provisions in Chapter III
Principle 7 – security                  Principle (f) – integrity and confidentiality
Principle 8 – international transfers   No principle – separate provisions in Chapter V
(no equivalent)                         Accountability principle

However there are a few key changes. Most obviously:
- there is no principle for individuals’ rights. This is now dealt with separately in Chapter III of the GDPR;
- there is no principle for international transfers of personal data. This is now dealt with separately in Chapter V of the GDPR; and
- there is a new accountability principle. This specifically requires you to take responsibility for complying with the principles, and to have appropriate processes and records in place to demonstrate that you comply.

What are the principles?

Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime.

Article 5(1) requires that personal data shall be:

“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Article 5(2) adds that:

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

For more detail on each principle, please read the relevant page of this guide.

Why are the principles important?

The principles lie at the heart of the GDPR. They are set out right at the start of the legislation, and inform everything that follows. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime - and as such there are very limited exceptions.

Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection practice. It is also key to your compliance with the detailed provisions of the GDPR.

Failure to comply with the principles may leave you open to substantial fines. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.

Further reading
Relevant provisions in the GDPR - See Article 5 and Recital 39, and Chapter III (rights), Chapter V (international transfers) and Article 83 (fines)

Further reading
Read our individual rights and international transfers guidance

Lawfulness, fairness and transparency

At a glance

You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.

You must ensure that you do not do anything with the data in breach of any other laws.

You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.

You must be clear, open and honest with people from the start about how you will use their personal data.

Checklist

Lawfulness
- We have identified an appropriate lawful basis (or bases) for our processing.
- If we are processing special category data or criminal offence data, we have identified a condition for processing this type of data.
- We don’t do anything generally unlawful with personal data.

Fairness
- We have considered how the processing may affect the individuals concerned and can justify any adverse impact.
- We only handle people’s data in ways they would reasonably expect, or we can explain why any unexpected processing is justified.
- We do not deceive or mislead people when we collect their personal data.

Transparency
- We are open and honest, and comply with the transparency obligations of the right to be informed.

In brief
- What’s new under the GDPR?
- What is the lawfulness, fairness and transparency principle?
- What is lawfulness?
- What is fairness?
- What is transparency?

What’s new under the GDPR?

The lawfulness, fairness and transparency principle is broadly similar to the first principle of the 1998 Act. Fairness is still fundamental. You still need to process personal data fairly and lawfully, but the requirement to be transparent about what you do with people’s data is now more clearly signposted.

As with the 1998 Act, you still need to identify valid grounds to process people’s data. This is now known as a ‘lawful basis’ rather than a ‘condition for processing’, but the principle is the same. Identifying a lawful basis is essential for you to comply with the ‘lawfulness’ aspect of this principle.

The concept of ‘fair processing information’ is no longer incorporated into the concept of fairness. Although transparency is still a fundamental part of this overarching principle, the detail of transparency obligations is now set out in separate provisions on a new ‘right to be informed’.

What is the lawfulness, fairness and transparency principle?

Article 5(1) of the GDPR says:

“1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)”

There are more detailed provisions on lawfulness and having a ‘lawful basis for processing’ set out in Articles 6 to 10.

There are more detailed transparency obligations set out in Articles 13 and 14, as part of the ‘right to be informed’.

The three elements of lawfulness, fairness and transparency overlap, but you must make sure you satisfy all three. It’s not enough to show your processing is lawful if it is fundamentally unfair to or hidden from the individuals concerned.

What is lawfulness?

For processing of personal data to be lawful, you need to identify specific grounds for the processing. This is called a ‘lawful basis’ for processing, and there are six options which depend on your purpose and your relationship with the individual. There are also specific additional conditions for processing some especially sensitive types of data. For more information, see the lawful basis section of this guide.

If no lawful basis applies then your processing will be unlawful and in breach of this principle.

Lawfulness also means that you don’t do anything with the personal data which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If processing involves committing a criminal offence, it will obviously be unlawful. However, processing may also be unlawful if it results in:
- a breach of a duty of confidence;
- your organisation exceeding its legal powers or exercising those powers improperly;
- an infringement of copyright;
- a breach of an enforceable contractual agreement;
- a breach of industry-specific legislation or regulations; or
- a breach of the Human Rights Act 1998.

These are just examples, and this list is not exhaustive. You may need to take your own legal advice on other relevant legal requirements.

Although processing personal data in breach of copyright or industry regulations (for example) will involve unlawful processing in breach of this principle, this does not mean that the ICO can pursue allegations which are primarily about breaches of copyright, financial regulations or other laws outside our remit and expertise as data protection regulator. In this situation there are likely to be other legal or regulatory routes of redress where the issues can be considered in a more appropriate forum.

If you have processed personal data unlawfully, the GDPR gives individuals the right to erase that data or restrict your processing of it.

What is fairness?

Processing of personal data must always be fair as well as lawful. If any aspect of your processing is unfair you will be in breach of this principle – even if you can show that you have a lawful basis for the processing.

In general, fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.

Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.

In order to assess whether or not you are processing personal data fairly, you must consider more generally how it affects the interests of the people concerned – as a group and individua
