Skip to main content
CLOSE

Charities

Close

Corporate and Commercial

Close

Employment and Immigration

Close

Fraud and Investigations

Close

Individuals

Close

Litigation

Close

Planning, Infrastructure and Regeneration

Close

Public Law

Close

Real Estate

Close

Restructuring and Insolvency

Close

Energy

Close

Entrepreneurs

Close

Private Wealth

Close

Real Estate

Close

Tech and Innovation

Close

Transport and Infrastructure

Close
Home / News and Insights / Insights / GDPR Advent Calendar (Door 3)

Previously on the GDPR Advent Calendar... ELF (the External Logistics Force) is a business appointed by my client Nick to process a substantial data set involving personal data belonging to children all around the world to support his toy and gift manufacturing and delivery operation. A data breach has resulted in a portion of this data being publicly available and a response plan has been put into effect. While Nick waits for ELF to respond with details of the nature and extent of the breach, it seems like an opportune moment to think about exactly what we mean by the terms ‘process’ and ‘personal data’ – both of them very significant concepts in relation to data protection, and sometimes inadequately understood.

Let’s open Door 3 and find out more:

First, personal data. Not all information about a person is necessarily personal data. If it is not processed (or intended to be processed) automatically, if it is not part of a non-electronic filing system or destined to become one or if it is not part of an ‘accessible’ health, education or local authority record or another public authority record, then it is not personal data. So, yes, pretty much all information about a person is personal data.

The data will be personal data if it “relates to” an identifiable individual. This means that it must be data which allows an individual to be identified, either on its own or in combination with other data in the possession of the controller. It doesn’t matter whether the data relates to the individual in their personal or family lives (as in the case of the children listed in my imaginary client’s database) or in connection with any business or profession. It can still be personal data even if the individual is not identified by name, where the data is being processed in order to establish or document something about the individual, or has an impact on them.

So, that begs the question, what does it mean to talk about data being processed. It is certainly true that applying a process to the data will qualify (for example using an e-mail address in order to send out a marketing communication or, as in the present case, using a name and address to deliver presents). But processing extends very much further. From the exercise of collecting the information, through storage and modification, and up to and including retention and ultimately deletion, all of this is included within the definition of processing. Keep in mind the point about deletion being processing, that will be important later.

These points about what personal data is, and how it is processed, are not merely semantic questions for lawyers to get excited about (although we definitely do). Defining these points helps a data controller to know what they have in their possession which needs to be protected under data protection legislation, and allows data subjects (provided that they read the privacy policy) to know how their data is going to be processed, before they hand their data across.

Come back tomorrow, as we start to consider how to deal with what has been uncovered so far, and Nick asks me to look at the terms of ELF’s processor agreement…

Related Articles

Our Offices

London
One Bartholomew Close
London
EC1A 7BL

Cambridge
50/60 Station Road
Cambridge
CB1 2JH

Reading
The Anchorage, 34 Bridge Street
Reading RG1 2LU

Southampton
Grosvenor House, Grosvenor Square
Southampton SO15 2BE

 

Reading
The Anchorage, 34 Bridge Street
Reading RG1 2LU

Southampton
Grosvenor House, Grosvenor Square
Southampton SO15 2BE

  • Lexcel
  • CYBER ESSENTIALS PLUS

© BDB Pitmans 2024. One Bartholomew Close, London EC1A 7BL - T +44 (0)345 222 9222

Our Services

Charities chevron
Corporate and Commercial chevron
Employment and Immigration chevron
Fraud and Investigations chevron
Individuals chevron
Litigation chevron
Planning, Infrastructure and Regeneration chevron
Public Law chevron
Real Estate chevron
Restructuring and Insolvency chevron

Sectors and Groups

Private Wealth chevron
Real Estate chevron
Transport and Infrastructure chevron