Data Protection and GDPR: Understanding Data Subjects and Processing
Introduction
A data subject refers to a living individual who can be directly or indirectly identified by specific information. This definition has evolved to accommodate technological advancements.
Identifying Data Subjects
An online identifier, such as an IP address, cookie identifiers, RFID tags, or MAC addresses, when combined with unique identifiers and other server-received information, can create individual profiles and facilitate identification.
Personal Data under GDPR
Under GDPR, personal data encompasses any information pertaining to an identified or identifiable person. This includes their name, address, social media posts, photographs, email addresses, medical records, banking details, online identifiers, or computer IP addresses.
If the data being processed can uniquely identify an individual, it qualifies as personal data. This is often evident when possessing their name and address, corporate email address containing their full name, or similar identifying information.
Further guidance on identifying individuals is available on the Information Commissioner's website.
Sensitive Personal Data
GDPR also recognizes sensitive personal data, which includes racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, trade union memberships, medical conditions, and information regarding criminal convictions or offences. This category requires heightened protection.
Understanding Processing under GDPR
Processing, as defined under GDPR, encompasses any action performed on personal data, whether manual or automated. This includes data collection, storage, and deletion. Merely storing data without active manipulation still qualifies as processing under GDPR regulations.
- EDSQ Unit 5 LO 13.3