‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’) an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
(7) Consent should be given by a clear affirmative act establishing a freely given specific informed and unambiguous indication of the subjects agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means or oral statement . This could include clicking a box on the internet
1 Processing shall be lawful only if and to the extent that at least one of the following applies (a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes
GDPR lawful purposes for ordinary data include processing on the basis of
The processing of “personal data”
by automated means and by non automated means
Are you answering yes to any of the following questions? If so, the data is likely to be ‘personal data’ for the purposes of the DPA.
1. Can a living individual be identified from the data, or, from the data and other information in the possession of, or likely to come into the possession of, the data controller?
2. Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession?
3. Is the data ‘obviously about’ a particular individual?
4. Is the data ‘linked to’ an individual so that it provides particular information about that individual?
5. Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?
6. Does the data have any biographical significance in relation to the individual?
7. Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?
8. Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?
If you answered no to all of the above questions, the data is not likely to be personal data for the purposes of the DPA.
Special note on financial data – data - special category
Other data types and definitions
If services are offered directly to children, you must communicate privacy information in a clear plain way that a child will understand.
If your business offers “Information Society services” directly to children, your business is required to have systems in place to verify the individuals ages and to obtain parental consent where required.
Not all information is personal data. For example, financial data about companies, or records of the performance of public services are obviously not personal data. Instead of relating to individuals, data may also relate, for example, to fauna or flora, buildings, civil structures, temperature, or quality of air or sea.
“data such as the service register of a car held by a garage containing the information about the car of an individual “
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data
Anonymised data are not personal data to the extent that they have had all personal elements likely to identify an individual removed, such as name, address, date of birth, national insurance number, national health service number or tax reference number. De-identified data or pseudonymised data, sometimes called “key-coded data”, are a form of anonymised data presented at the individual level rather than aggregated, where individuals are distinguished by the use of a unique identifier which does not reveal their real identity. Among the different types of anonymised data, pseudonymised data pose a high level of reidentification risk.
'the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.'
Review of Privacy notices
Set a Data Retention Policy
paper – electronic – third party services – archive or storage
Where processing is based on consent pursuant to directive 95/46/EC , it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is inline with the conditions of this regulation. ( Evidence )
Data Retention : a company will need to ensure that data concerning an individual should be “limited to what is necessary for the purpose for which they were processed”
Data controllers should establish that data due for erasure is reviewed with in a periodic review policy
Set policies and procedures to deal with enhanced rights to individuals
Subject Access Right changes and impact
Circumstances when request can be made by individual: