Personal data: Personal data means any information concerning the personal or material circumenstances of an indentified person
Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.
-> Article 8 Charter of Fundamental Rights of the European Union
Types of personal data
Personal data means all data that provide information about personal relationships or facts about an identified or identifiable natural person. They include:
- Personal relationships: name, address, occupation, e-mail, IP address, or personal number
- Factual circumstances: income, taxes, ownership
- Special kind of personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life. These data are subject to special protection.
Protected personal data does not include anonymized data, where the person’s identity is not discernible. Pseudonymized data (where the person’s name is replaced with a pseudonym) is protected by the BDSG, because the data relates to a person whose identity is discernible. The BDSG does not protect the data of legal persons, such as corporations, although some courts have extended protection to legal persons.
Data Processing: The legal term ‘data processing’ stands, in particular, for the collection, storage, modification and transfer of personal data. All modalities of data usage are restricted in the same way. Personal data may only be processed,
- if the data subject has unambiguously given his or her prior consent or
- if data processing is permissible under the statutory exemptions applying to data processing.
The above requirements of data processing do not in the same manner apply to sensitive data. In principle, such data may not be processed. Derogation is only permissible under very specific circumstances, e.g. with the data subject’s explicit consent (referring to the processing of sensitive data) or if the processing of such data is mandated by German employment law.
What are the key principles that apply to the processing of personal data?
- Lawful basics for processing
- Porpose limitation
- Data minisation