Personal data
Learn what personal data is.
Definition of personal data
According to the ICO, personal data is any information relating to an identified or identifiable natural person. In other words, it is any information that allows an individual to be identified directly or indirectly.
A natural person can be identified:
Directly: by a name, first name, photo, identification number, etc.
Indirectly: by cross-referencing information such as a phone number, email address, vehicle registration plate, voice or image.
Identification can therefore be achieved:
from a single piece of data (e.g. national insurance number);
or by combining multiple elements (e.g. a woman born on a certain date, living in a certain city, working at a certain company).
A company's general contact details are not, in principle, personal data (e.g. [email protected]). However, a named email address such as [email protected] is personal data.
Categories of personal data
Categories of personal data group information according to its nature or use.
Some common examples:
Identity: name, first name, date of birth, photo, signature
Personal life: address, family situation, hobbies
Professional life: CV, job title, performance reviews, salary
Economic or financial situation: income, bank accounts, transactions
Connection and usage: IP address, login identifier, logs, cookies
Location: GPS coordinates, travel history, movement records
These categories are essential for structuring your record of processing activities and identifying the risks associated with each type of data.
Special category data ("sensitive data")
Certain personal data benefits from enhanced protection: these are special category data, as their use can have a significant impact on individuals' rights and freedoms.
They reveal in particular:
Racial or ethnic origin,
Political opinions,
Religious or philosophical beliefs,
Trade union membership,
Genetic or biometric data,
Health data,
Sexual orientation or sex life of a person.
Examples: fingerprints (biometrics), medical records, DNA, religious affiliation, professional badge photos containing biometric data.
The prohibition principle and exceptions
The processing of special category data is prohibited, except as provided by the GDPR (Article 9). These exceptions include in particular:
The data subject's explicit consent,
Data manifestly made public by the individual,
Processing necessary to protect vital interests,
Processing carried out by associations with political, religious, philosophical or trade union purposes for their members,
Processing necessary for reasons of substantial public interest.
These cases must always be documented in the record and accompanied by appropriate security measures.
Personal data and artificial intelligence
Artificial intelligence systems frequently use personal data for model training, testing or operation. The AI Act complements the GDPR by imposing traceability and documentation of data used by AI systems.
Examples:
Training data containing facial images (biometrics);
Text data drawn from private communications;
Behavioural data from sensors or browsing activity.
Dastra allows you to link personal data to its uses in AI systems, within the AI systems register, to ensure cross-compliance between GDPR and the AI Act.
Go further
Good practice: Identify, classify and document your data categories from the design phase of your processing activities or AI systems. This will make it easier to maintain your record and comply with the privacy by design principle.