The new General Data Protection Regulation (GDPR) came into force on Friday 25th May and since then has been generating a lot of controversy. We’ve prepared this practical and easy-to-understand guide to help you better understand the subject. This is the second of three articles we will publish on the subject with the help of the Portuguese Association in Defence of Consumer Rights (Associação de Defesa dos Direitos do Consumidor or DECO).
What is personal data?
- Personal data is information relating to an identified or identifiable natural person.
- In accordance with Article 4 of the GDPR, an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier. Examples of such identifiers are an identification number, a name, an electronic address (email), location data or even physical, economic, cultural, social, genetic or mental identification characteristics of a particular individual.
How do I know if the data is personal and what will change?
- To know whether certain data is considered personal, we must ask whether it can be used to identify a person, directly or indirectly, because identification is often made possible by cross-referencing several identifiers.
- In practice, this means that the new GDPR rules will oblige companies to reformulate their data collection and processing systems. They must adopt the procedures necessary to ensure that their customers give express and informed consent, with knowledge of the reasons and need for such processing of their data, and must guarantee the total security and integrity of these systems, either in the design of the systems themselves (by design) or in the procedures adopted (by default). The entities are held liable for any unauthorised access or use, even if they are not domiciled in EU territory.