26 Sep '23
When you start a business, you have to deal with a lot of things that you don't have to deal with as an individual, or at least not as quickly, or not in the same way. One of those things is the General Data Protection Regulation (GDPR). Whereas as an individual you can generally benefit from the so-called household exception (if you process personal data at all, you process it for non-business purposes) which means the GDPR does not apply, the GDPR shall mostly apply to the processing activities you carry out as a business owner. For this reason, it is very important as a (starting) entrepreneur to have a clear understanding of what personal data you process, so that you can ensure that you process those personal data in a way that is permitted by the GDPR.
There is another big advantage to being clear about which personal data you are processing too. In practice, we often see that certain data are assumed to be personal data, when that is not the case at all. That data can actually be used much more freely, for example for more purposes, than thought. To make full use of these data, it is very important to properly distinguish which data do and which data do not qualify as personal data. The remainder of this blog will address the question of which data qualify as personal data and provide guidance on how to apply this concept in practice.
The GDPR defines "personal data" in Article 4. According to the GDPR, personal data is "any information relating to an identified or identifiable natural person". Two conditions follow from this definition that information must meet to qualify as personal data, namely:
The first condition is met if data says something about a particular natural person. It should be borne in mind that data tells us something about a particular natural person fairly quickly. For example, a house number is a (very concrete) indicator of where someone lives.
Besides the fact that a house number says something about a person (namely, where they live), it is also possible to identify a person (partly) on the basis of a house number. With a house number alone, this is obviously difficult (after all, this is no more than a number), but when you know you are looking for a man or woman who lives in a certain street, the house number makes it possible to identify that person in many cases. The house number therefore makes it (potentially) possible to identify a natural person in almost all cases. For this reason, a house number is therefore, in principle, personal data.
In many cases, personal data is only useful if you can link it to the person the personal data relates to. For example, when a customer has placed an order and you need the house number to deliver the order to the right place. So when processing the house number, the rules given by the GDPR must be taken into account.
One such rule is that you have to protect the privacy of those to whom the personal data relates. One way to do this is to pseudonymise the data. Pseudonymised data are still traceable to a person, but this is made more difficult. For example, instead of the customer's name, you can give the order a certain code. The house number is then linked to a code instead of a person, making the data less useful to malicious third parties.
You can also anonymise personal data. When you anonymise personal data, you ensure that it is no longer traceable to a person. Anonymised data are therefore no longer personal data and the AVG no longer applies to the processing of the data. This is possible, for example, if you would like to do a survey on the house numbers of your customers, in order to identify the house numbers where your customers live. You can then note only the house numbers, leaving you with just the numbers. These number can no longer be traced back to natural persons, but they do provide insight into which house numbers your customers live on.
This may be a ridicule example of the possibility of anonymisation because this research is unlikely to provide useful insights. However, for the results of many surveys, by completely disconnecting inputs from individuals, anonymous data can be created. Once this has been done, personal data is no longer personal data, making the AVG inapplicable. The data has therefore become much more widely useful.
As a full-service law firm, our expertise includes advising on the processing of personal data. We are happy to point out that, even under the GDPR, there is still plenty of room to use data in a useful way. In doing so, however, it is important to ensure that you comply with the GDPR.
Are you curious about which data you are or are not allowed to use, or do you want to know whether your current processing activities meet the requirements of the GDPR, please contact Lars Boer: l.boer@ploum.nl.
02 May 24
08 Apr 24
04 Apr 24
21 Mar 24
19 Mar 24
18 Mar 24
15 Mar 24
14 Mar 24
14 Mar 24
14 Mar 24
11 Mar 24
11 Mar 24
Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.
Stay up to date with the latest legal developments in your sector. Fill in your personal details below to receive invitations to events and legal updates that matches your interest.
Follow what you find interesting
Receive recommendations based on your interests
{phrase:advantage_3}
{phrase:advantage_4}
We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.
A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.
