We live in a globalised world where we constantly interact with others. We communicate by using various devices which store information about our friends, families and ourselves.
However, there are different organizations and companies who would like to access this information and use it for their own purposes, such as direct marketing, website tracking or social media activities. The fundamental goal of the EU regulation known as the GDPR is to protect this information and to ensure that you are in charge of and can decide on your own personal data.
So, what constitutes personal data?
The GDPR classifies personal data as anything that relates to an identifiable living person. This includes your name, national identification number, address, email and phone number. It also includes a photo or video of you, as well as indirect information that may identify you, such as your IP-address, your location data and a user ID you use in a certain database, and even the number plate on your car.
All this information can be available in different forms –in writing, as graphics, videos or numbers –and can be stored on paper, computers or any other media.Therefore, every bit of information that can be used as part of identification is considered your personal data.
Special categories of personal data
Personaldata, meaning anything that relates to an identifiable living person, is protected under the GDPR. There are, however, certain categories of personal data that require a higher level of protection and that have specific rules under the GDPR.
These are sometimes referred to as sensitive data. In the GDPR, they’re called special categories of personal data and include personal data related to ethnicity, religion, political beliefs, sex life, sexual orientation and health information. It also includes trade union membership, and biometric data –for example your fingerprint, palm or iris –and genetic data.
Storing, handling, transferring or deleting sensitive data is by default unlawful. The GDPR sets specific requirements that need to be fulfilled to legally process these special categories of data, that you can read more about below.
Reflection question Do you feel that you have a full overview of where your personal data is being stored? |
There is another category of personal data that is sometimes referred to as sensitive, namely the national identification number, also known as the tax-or the social security number.
It consists of a unique set of symbols –for most of EU citizens it’s the date you were born and an additional sequence of numbers or letters. The national identification number is used for identifying individuals in national systems and authorities.
Your national identification number is not included in the special categories of personal data under the GDPR but is protected under national legislation. Similar applies to, among others, one’s PIN code, which is also very important to protect, however, is not included as neither sensitive nor special category under the GDPR. Storing or handling this data therefore isn’t unlawful per default but can only be used for specific purposes and requires a high level of protection.
Companies and organizations store sensitive personal data on their employees – for example regarding health information –and sometimes on their customers, suppliers and partners. This might be the case, when a company logs an employee’s sickness absence, or when a candidate in a recruitment process adds information about political engagement, health or trade union membership in their resume.
Reflection question Do you know what rules applies for handling the national identification number in your country? |
Why protect personal data?
So far, you have learned about what personal data is and that there are special categories of personal data that require a higher level of protection. We have also established that the purpose of the GDPR is to protect personal data and to ensure that you are in charge of your own personal data.
But why is it important to protect personal data?
Your right to your personal data and freedom to decide what it is used for is a fundamental human right. You have the right to be you, and to decide on what information about you others can use.
Ensuring lawful use of personal data is a way of avoiding discrimination and integrity-violating acts. In recruitment processes, a lawful use of personal data means that recruitment agencies or companies cannot ask for data that may be used for discriminating against or giving advantages to certain applicants.
But that’s not the only situation where the GDPR protects personal data from being used for intrusive or discriminating purposes.The protection of personal data under the GDPR also protects you from:
- Someone extracting all your money from your bank account
- Having your health information leaked or altered
- Insurance companies assessing you based on your genetics
- Companies or authorities keeping records of your religion or political view
- Having your personal data bought and sold without your knowledge
In summary, protection of personal data means protection of human rights, and ensures that you make decisions on your own personal data.
Reflection questions Can you come up with work examples where you have been in doubt on whether you were compliant with the GDPR? |
Book a demo with one of our experts and we will answer all your questions and show you how you can become GDPR compliant across all HR processes.