Many people are concerned about the processing of their personal data and want more security for sensitive data. What personal data is and how it is processed and stored is summarized in our article.
What is personal data?
Personal data is information that relates to a natural and living person. This includes all information that allows conclusions to be drawn about a person and identifies him or her. From a legal point of view, a natural person is any person who has concrete rights and obligations.
In Europe, the term personal data is often used in connection with data protection. The legal framework is set by the General Data Protection Regulation (DSGVO) and the Federal Data Protection Act (BDSG). The legal foundations protect consumers in particular from data misuse and from unauthorized access to their data. In addition, the requirements of the DSGVO and the BDSG support IT security.
Article 4 of the GDPR describes the very broad definition of personal data in more detail. According to this, we are talking about personal data if they provide information on identity based on several characteristics. This includes the following characteristics of a person:
- physical
- physiological
- genetic
- psychological
- economic
- cultural
- social
Article 4 of the GDPR also defines the extent to which biometric data is considered personal information. Biometric data is personal information that can be assigned to a specific person through special technical processes. These characteristics include facial images, fingerprints or the recognition of voices and eyes.
It is often not possible to clearly determine whether a single piece of information or several features identify a person. It usually depends on the context in which the personal data is placed. Date of birth and place of residence are therefore already sufficient examples for a person to be considered an identifiable person. For this reason, it can be assumed that any information is suitable for establishing a concrete reference to natural persons.
Examples of personal data
There are many types of personal data. The following overview lists the most important personal information:
- general personal data (name, address, date of birth, telephone number, e-mail address)
- identification numbers (passport number, tax ID, national insurance number)
- physical and genetic data (gender, height, stature, eye color)
- online identifiers (IP address, location data)
- Bank data (account number, credit card number)
- Assets (real estate, vehicles, license plates, registration data)
- Customer data (orders, account information)
- Value judgements (certificates, deeds)
In addition, the GDPR defines further information that belongs to personal data. What these are is shown in the second list:
- ethnic origin
- political opinions and attitudes
- ideological beliefs
- sexual orientation
- social identity
Special cases of personal data
Company-related data is considered a special category of personal data. This includes special characteristics that are related to the profession of a data subject. Typical of this type of personal data are the telephone extensions of employees or their e-mail addresses. They are suitable for identifying a person. Recorded and stored working hours and breaks are also subject to the rules of the GDPR and the BDSG on the processing of personal data.
In contrast, information from legal persons does not fall under the collective term of personal data. Legal persons are registered associations, corporations and companies. In exceptional cases, personal data is also present here if the natural person and the company are closely intertwined.
Protection of personal data
Data that helps to unambiguously identify persons is particularly worthy of protection. Especially the digital transformation and social networks lead to a legitimate interest in protecting data. Many people neglect to protect their data, opening the door to unauthorized access. When surfing the internet, anonymized data turns into personal data. Users are thus identifiable via an IP address.
Companies use the stored data for advertising purposes by creating personal user profiles. They then send out individualized advertising. Much more dangerous, however, is the fact that criminals often try to steal sensitive data. This is precisely why it is advisable to handle personal information sensitively. Above all, technical and organizational measures play a major role here. Anyone who stores data or works remotely, i.e. exchanges files with colleagues, needs well-encrypted clouds for processing.
When may personal data be stored?
Anyone who stores and processes sensitive data may only do so for specific purposes. The lawfulness of processing personal data is enshrined in Article 6 of the General Data Protection Regulation (GDPR). The Federal Data Protection Act (BDSG) also regulates the legal framework in Section 47 BDSG. It follows from Article 6 (1) of the DSGVO that a specific legal basis is necessary for the processing of data. The term processing of personal data includes any measure that is in the context of the data. In the following overview, we list all points that belong to the processing of data:
- collect
- arrange
- modify
- publish
- store
A legal basis for purposeful processing exists when there is consent from data subjects. Purposeful use of data ensures that it is used exclusively for the intended purpose. The consent of data subjects is the second criterion that determines the purpose. Processing for other reasons that deviate from the original reasons for collecting the data is not permitted. Any change of purpose also requires a new permission in addition to the legal basis.
Permission is often given when stored data is used to fulfill contracts or agreed obligations. Stored data are also legitimate if vital interests are protected or public interest is at stake. There are also other specific legal rules.
Storing data with a personal background is limited to defined periods of time. There are deadlines for deleting the data. Violations of these deadlines result in high fines. According to the GDPR, affected companies face sensitive penalties of up to 20 million euros or in the amount of four per cent of the global annual turnover.
Management of personal data in the cloud
Companies or authorities that collect and store personal data may only do so under strict rules and with the utmost care. Without cause, it is not permitted to record and store data with a personal reference. In addition, secure encryption must be ensured when storing.
These aspects play a role when personal information is stored in third-party systems such as a cloud. Here, there is a risk that third parties may access the contents without authorization. Such persons include administrators. They have no authority to view the data. Little attention is paid to the fact that data transfer out of the European Union is prohibited without the consent of the owners.
This risk exists with cloud providers who offer their services outside the European Union. These include companies such as Microsoft with OneDrive, Google with Google Drive or Amazon with its cloud. These companies process data on the legal basis of the USA. Thus, they do not meet the strict requirements of the GDPR to store personal data securely. The Cloud Act, which grants authorities access to sensitive information in certain cases, is a cautionary example. Furthermore, there is an obligation for cloud providers to inform about unauthorized access.
Rights in dealing with personal information
In court, personal data is considered to be the property of the respective natural person. Closely linked to this is the right to informational self-determination. This means that individuals must always consent when their data is processed. In addition, there is the right to information. This means that all data subjects are given the opportunity to view their stored data upon request. If data is not up to date, incorrect or wrongly held, it must be corrected or deleted in accordance with the GDPR.
The legislator protects personal data comprehensively. In particular, the GDPR, adopted by the EU Commission, regulates the handling of personal data very strictly. In view of the continuing digital transformation, this is an important signal for data protection and data security. In the meantime, companies and public authorities must provide binding information in a data protection declaration about what data is processed and for what purposes it is stored. People can thus check in advance whether they are willing to disclose their information. After all, secure handling of one’s own data starts with the owners themselves.
When companies collect and process personal data online, the strict rules of data protection apply. Even if the data is stored in a cloud. Storing customer or user data online is most secure with a cloud solution like TeamDrive. TeamDrive offers very complex encryption procedures with complete end-to-end encryption. The key for decryption remains exclusively with the user. All data is also stored on servers located in Germany or on the company’s own servers. TeamDrive thus meets the high data protection requirements of the DSGVO. Companies that use TeamDrive for their data management benefit from secure standards because the risk of data misuse is low.