Imagine the following: You’ve got a mess on your head again and it’s definitely time to make an appointment at your trusted hair salon. You quickly pick up the phone, dial the number, wait for the friendly hello on the other end and make an appointment within a minute.
Sounds easy, doesn’t it?
But now imagine that before you can even mention your name, the nice employee reads you a 30-page privacy policy of the hair salon. Strictly speaking, according to the General Data Protection Regulation, customers have the right to transparent information and disclosure. One minute can then quickly turn into an eternity.
Sounds absurd, doesn’t it?
But according to the law, that’s how it should be – with the emphasis on should. Because wherever so-called personal data are handled (even if they are not processed digitally), Mother Data Protection comes into play.
But which data is personal data? And what do you, as a website operator, have to consider when dealing with such data? We explain it to you!
What is considered as personal data?
Whether in the World Wide Web or in the analogue world – the handling of personal data takes place almost everywhere. Personal data is collected and stored in abundance every day. In order to protect this data in the best possible way, legislators have come up with strict requirements.
According to Article 4 of the General Data Protection Regulation (GDPR) personal data are
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Accordingly, a natural person is identifiable not only on the basis of name and physical characteristics, but also on the basis of political orientation and religious views.
All information mentioned in the GDPR that indicates the identity of a person is considered personal data. It does not matter whether identification is possible directly or indirectly.
For legal persons – such as associations or foundations – the GDPR law on personal data does not apply. The situation is different, however, if the individual details of a legal person refer to a natural person behind it (example: managing director of a company).
Examples of personal data
There are many types of personal data. We have listed a few examples below for your easy understanding:
- General data about a person (e.g. name, date and place of birth, age, address, e-mail address, telephone number, …)
- Bank data (e.g. account number, account balance)
- Identification numbers (e.g. tax ID, national insurance number, identity card number, passport number, matriculation number, vehicle registration number)
- IP address
- Location data
- Physical characteristics (e.g. gender, skin colour, stature, gait)
- and much more…
The (dynamic) IP address is a special case of personal data. In the USA as a whole, there are still no uniform regulations on data protection. Therefore, it is also not clear how to deal with personal data such as the IP address.
The difference between a dynamic and a static IP address is easily explained: A static IP address is permanently assigned to an Internet connection or device. A dynamic IP address, on the other hand, is valid from the time it is dialled in until it is disconnected from the network. This means that a new IP address is assigned each time a device is dialled in.
According to the ECJ, dynamic IP addresses can be personal data. Theoretically, identification by a third party – the access provider – is possible. Insofar as the website operator has the theoretical right to request such information, the dynamic IP address is considered a personal data.
The storage of data may only be collected and used without the consent of the user after the end of the usage process if this is necessary to ensure the basic functionality of the services. This must be done in consideration of the user’s fundamental rights and freedoms.
While we’re at it: What about the issue of tracking?
Tracking data is enormously valuable for website operators, as it can provide concrete information about their users, upon which optimized marketing measures can be derived. Since personal data is at the core of tracking, data protection also plays an essential role here. Accordingly, tracking cannot simply take place without a legal basis. Often, the only legal basis is the explicit consent of the person concerned – the website visitor.
Which date is not a personal date?
As already mentioned, data on legal persons – such as the date of foundation of an association – does not count as personal data.
What are the categories of personal data?
The European General Data Protection Regulation (GDPR) distinguishes between different types of personal data. Depending on the respective category, different regulations apply to the processing and destruction of such data.
Specific personal data can be particularly sensitive and require special protection. According to Article 9 of the GDPR, these include, for example, religious or philosophical beliefs, health data or data on sexual life.
Personal data and data protection
What data needs to be protected? Sensitive data such as personal data are worth protecting. Their protection falls under the right to informational self-determination. This means that every person may decide for themselves what personal data they disclose and who is authorised to view and use it.
If personal data falls into the wrong hands, this can lead to immense damage.
The processing of personal data
As a general rule, you are not permitted to process personal data without their consent. The same applies to the transfer of personal data to third parties. However, according to GDPR Art. 6, the processing of personal data is permitted in the following cases, among others: consent of the data subject, in the case of a contractual or legal obligation or for the protection of vital interests.
You are also allowed to process personal data if there is a so-called legitimate interest – provided that the data subject’s fundamental freedoms and rights are not significantly affected.
Consent of the data subject
On websites, consent is often requested for e.g. cookies and the processing of personal data. Consent is the legal basis that is often used to process personal data when none of the other legal bases mentioned above can be used. The data subject must be free to decide whether to consent or not.
However, no consent can also mean that certain functions of, for example, a website cannot be offered if they depend on the processing of personal data. For example, you cannot send an enquiry in a contact form without the name you entered and the corresponding telephone number being stored.
Contractual obligation
When you make a purchase in an online shop, personal data is required in order to complete the purchase and, for example, to send you the T-shirt by post.
Legal obligation
Owners of a company are obliged to provide personal data of their employees – such as monthly income – to a responsible authority in the context of social security.
Protection of vital interests
Emergency doctors who have to treat a life-threateningly injured patient are allowed to access the patient’s personal data and search the database for further medical information, even without the patient’s consent.
Legitimate interest
Company owners are authorized to process personal data of their employees in order to ensure the security of internal IT systems or to prevent fraud.
Which personal data may NOT be processed?
The GDPR specifies in Article 9 which personal data may not be processed:
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
☝️ This rule does not apply if at least one of the cases explained in the previous section applies.
When is personal data allowed to be processed?
The principles on how personal data may be processed are set out in Article 5 of the GDPR. These include:
Lawfulness, Fairness and Transparency
Personal data must be processed in a legal manner. The processing of the data must be explained in an understandable and comprehensible manner.
Purpose limitation
If you want to process personal data, you must define the specific purpose. This must be clear and legitimate. Processing in a way that is not agreed upon is not allowed. It is not allowed to change the purpose afterwards.
Data minimisation
The processing of personal data must be reduced to the minimum necessary for the purpose.
Accuracy
Personal data must be up to date as well as accurate. All inaccurate or outdated personal data must be deleted.
Storage limitation
In principle, the storage of personal data is limited in time. Personal data identifying a person may only be stored until it is no longer needed. Subsequently, the personal data must be deleted. This does not apply if a legal obligation to retain the data applies. In this case, the data may not be deleted, but it may also not be used beyond the determined legal obligation.
Integrity and Confidentiality
It is important to keep personal data confidential. It is the responsibility of the processor to take concrete security measures to prevent unauthorised access to this data.
Accountability
The data controller must ensure and be able to demonstrate to supervisory authorities that it complies with the requirements of the GDPR.
Manage the processing of personal data in a legally compliant way!
As a website operator, you are certainly more than interested in collecting and processing personal data about your visitors. Or you may unknowingly use services that quietly and secretly do just that or even pass on data to third parties without your knowledge. Here, you can lose the overview faster than you think and quickly drift into the spectrum of the illegal.
In your privacy policy, you should provide detailed information on the processing of personal data. Furthermore, in many cases you must ensure that this processing only takes place after consent has been given.
So-called cookie banners help you tremendously here. With the consent management plugin Real Cookie Banner for WordPress, you can manage the consents for services used and for the processing of personal data quickly and easily. More than 100 already created templates for popular services and associated content blockers help you to manage your website in compliance with the GDPR and the ePrivacy Directive.