Personal Data

Under the GDPR (General Data Protection Regulation), personal data is any information relating to an identified or identifiable natural person (Art. 4 GDPR).

Regular Personal Data

Regular personal data includes information that can directly or indirectly identify a person:

  • Name (first name, last name)
  • Address (street, city, postal code)
  • Email address
  • Phone number
  • Date of birth
  • IP address
  • Location data
  • Online identifiers (e.g. cookies, device IDs)
  • Bank account or credit card numbers
  • Customer or employee IDs

Special Categories of Personal Data

Special categories of personal data (Art. 9 GDPR) are particularly sensitive and subject to stricter processing requirements. Processing is generally prohibited unless a specific exception applies:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data used for unique identification (e.g. fingerprints, facial recognition)
  • Health data
  • Data concerning sex life or sexual orientation

Legal Bases for Processing

Companies may only process personal data if at least one of the following legal bases applies:

  • Consent (Art. 6(1)(a) GDPR): The data subject has given explicit, informed, and voluntary consent to the processing of their data for one or more specific purposes. Consent can be withdrawn at any time.
  • Contract performance (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which the data subject is a party, or to take pre-contractual steps at their request (e.g. processing a purchase or employment contract).
  • Legal obligation (Art. 6(1)(c) GDPR): Processing is necessary to comply with a legal obligation (e.g. tax or accounting requirements).
  • Vital interests (Art. 6(1)(d) GDPR): Processing is necessary to protect the vital interests of the data subject or another person (e.g. in a medical emergency).
  • Public task (Art. 6(1)(e) GDPR): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  • Legitimate interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject. This requires a documented balancing test, and public authorities cannot rely on this basis in the performance of their tasks. An example of such an interest is IT security (e.g. ensuring network and information security).

Rights of Data Subjects

Individuals have the following rights regarding their personal data under the GDPR:

  • Right of access (Art. 15 GDPR): The right to obtain confirmation of whether personal data is being processed, and if so, to receive a copy of that data along with information about the processing.
  • Right to rectification (Art. 16 GDPR): The right to have inaccurate or incomplete personal data corrected without undue delay.
  • Right to erasure / "Right to be forgotten" (Art. 17 GDPR): The right to have personal data deleted, e.g. if it is no longer necessary for the original purpose, consent has been withdrawn, or processing was unlawful.
  • Right to restriction of processing (Art. 18 GDPR): The right to have the processing of personal data restricted in certain circumstances, e.g. while the accuracy of the data is contested.
  • Right to data portability (Art. 20 GDPR): The right to receive personal data in a structured, commonly used, machine-readable format and to transmit it to another controller (applies to consent- or contract-based processing).
  • Right to object (Art. 21 GDPR): The right to object to processing based on legitimate interests or a public task, as well as to processing for direct marketing purposes (an objection to direct marketing must always be honored, without any balancing test).
  • Right not to be subject to automated decisions (Art. 22 GDPR): The right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
  • Right to lodge a complaint (Art. 77 GDPR): The right to lodge a complaint with a supervisory authority if the data subject believes that processing violates the GDPR.