Working with personal data
Working with Personal Data: Understanding the GDPR
In providing our services, we frequently work with personal data. Under the General Data Protection Regulation (GDPR), this is referred to as "processing." But what does this actually mean? And what exactly constitutes personal data?
The General Data Protection Regulation (hereinafter GDPR) came into effect on May 25, 2018. This is a European regulation that governs the processing of personal data. The GDPR has significant implications for our organization because we constantly work with the personal data of individuals.
When does the GDPR apply?
The GDPR applies to the processing of personal data. The section below explains what personal data is. The GDPR does not apply to the data of deceased individuals.
First, you must determine if the actions you perform with data constitute "processing." According to the GDPR, processing is any operation or set of operations performed on personal data. Common operations include: collecting, recording, storing, altering, retrieving, consulting, using, disclosing, erasing, and destroying data.
In practice, this means that almost any handling of personal data is considered "processing" under the GDPR.
What is personal data?
The GDPR defines personal data as any information relating to an identified or identifiable natural person. 1 This means information that is directly about an individual or can be traced back to that individual. Data about organizations is not considered personal data under the GDPR.
Examples of Personal Data
There are many types of personal data. Obvious examples include a person's name, address, and place of residence. However, telephone numbers and postal codes combined with house numbers are also personal data.
Indirect personal data can also exist. This refers to data that, when combined with other information, reveals something about an individual or can be traced back to them.
Ordinary Personal Data Examples of ordinary personal data include names, file numbers, or contact details. Ensure that access to or viewing of this data is restricted only to individuals for whom it is necessary for their role.
Special Categories of Personal Data Sensitive data such as a person's race, religion, health, criminal record, and biometric data (e.g., fingerprints) are referred to as special categories of personal data. Processing special categories of personal data is prohibited unless a specific legal exception applies. Consult your designated privacy officer if you use or intend to use this type of data.
Sensitive Personal Data Some data may not be classified as "special category" by definition but is sensitive enough to warrant extra precautions. This includes data concerning:
* Electronic communications
* Location data
* Financial data (such as income or purchasing behavior)
* Citizen Service Numbers (BSN) / National Identification Numbers
Genetic personal data is also sensitive because it provides unique information about an individual's physiology or health, and/or the health of their family members, making the information particularly delicate. For instance, Citizen Service Numbers (BSN) may only be used for purposes prescribed by law. It is not permitted to process or use these numbers for other purposes. Exercise extreme caution when handling such data. Ensure that this data is stored in secure applications and not in unsecured files on local or shared drives.
BSN: Citizen Service Number (Burgerservicenummer)
A national identification number is a unique number established by law. In the Netherlands, the most well-known national identification number is the Citizen Service Number (BSN). These numbers may only be used for purposes prescribed by law. Processing them for purposes other than those legally specified for these numbers is not permitted.
Examples of Dutch laws regulating the use of the BSN include the General Provisions for Citizen Service Number Act (Wet algemene bepalingen burgerservicenummer), the Use of Citizen Service Number in Healthcare Act (Wet gebruik burgerservicenummer in de zorg), and the Personal Identification Numbers in Education Act (Wet persoonsgebonden nummers in het onderwijs).