A broad definition of data, files and their processing

Excerpt from Bruno DUMAY's book: GDPR DECRYPTION – For Managers, Strategic Departments and employees of companies and organizations – Preface by Gaëlle MONTEILLER

We think we know what personal data is (note that the term is not used in the singular, probably because it is necessary to gather at least two pieces of data – a name and an address, for example – to begin processing them). But be careful, to avoid mistakes, let us take into account the definition as formulated in Article 4 of the Regulation: “any information relating to an identified or identifiable natural person; an “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

While the wording is far from fluid, it leaves no doubt as to the broad meaning in which the term should be understood. "Any information" attached to a person constitutes personal data. The list of adjectives associated with the "identity" of the person underlines, if need be, the scope of the word information. 

The CNIL clarified the concept of personal data in a commentary on Article 2 of the Data Protection Act: "Data is considered "personal" when it concerns directly or indirectly identified natural persons. A person is identified when, for example, their name appears in a file.

A person is identifiable when a file contains information that indirectly allows their identification (e.g.: IP address, name, registration number, telephone number, photograph, biometric elements such as fingerprint, DNA, National Student Identification number (INE), set of information allowing a person to be discriminated against within a population (certain statistical files) such as, for example, place of residence and profession and sex and age). Data that you might consider anonymous may constitute personal data if it allows a specific person to be identified indirectly or by cross-referencing information. This may in fact be information that is not associated with a person's name but which easily allows them to be identified and their habits or tastes to be known.

In this sense, personal data also includes all information that, when cross-referenced, allows a specific person to be identified (e.g., a fingerprint, DNA, a date of birth associated with a municipality of residence)...

The GDPR excludes from its scope the activities of States related to their security (16^e recital), and of course activities of a purely domestic nature (art. 2). On the other hand, the regulation concerns all companies (and administrations and organizations and associations) that process data of European citizens, whether they are established on the continent or not. Similarly, if a company uses a subcontractor based outside the EU, the latter must also act in compliance (art. 3).

Since this data is stored in files, let us also note the definition of this word: "any structured set of personal data accessible according to specific criteria, whether this set is centralized, decentralized or distributed functionally or geographically." Here again, it is clear that we cannot be cunning in trying to store data in databases that could not be called "files." Not only would our tool be reclassified, but the supervisory authority would also undoubtedly consider this an aggravating circumstance.

Similarly, a craftsman who is resistant to computerisation and who keeps paper files on his customers in alphabetical order cannot avoid the GDPR (art. 2, paragraph 1).

It is because they are intended to be processed that the data constituting files must be protected. What is processing? “Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction” (Art. 4, para. 2). The list of words is almost exhaustive: as soon as we touch data, we process it, and we are therefore subject to the regulation. A fortiori, profiling – processing data in such a way as to evaluate or predict behavior – must be rigorously monitored.

The GDPR recommends pseudonymisation where possible, so that the data can no longer be attributed to a natural person without the use of additional information. “Pseudonymisation of personal data can reduce risks for data subjects and help controllers and processors fulfil their data protection obligations” (28).^e considering).  

Control over processing is pushed to the limit, since it extends beyond borders. Indeed, data transferred outside the European Union remains subject to European law, for the transfer of course, but also for any subsequent processing. One may also wonder whether legal disputes might arise, particularly with China or the United States. In order to inform partners established outside the EU in advance, the regulation recommends signing binding corporate rules (BCRs) or adopting standard contractual clauses, validated by the European body.

Finally, let us clarify that a personal data breach is a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed" (art. 4, para. 12). Here again, the term is therefore to be understood in a very broad sense.