Personal Data FAQs

What is personal data?

Personal data refers to any information related to an identifiable living individual.

That individual has to be identified or identifiable, directly or indirectly, from one or more identifiers (such as a name, an identification number, location data, an online identifier) or from factors specific to the individual (such as physical, physiological, genetic, mental, economic, cultural or social identity).

The person in question is often referred to as a ‘data subject’.

Are there different categories of personal data?

Some personal data, referred to as ‘special category data’, is treated as being more sensitive and therefore requires a greater level of protection. This is information about the data subject’s:

  • Race
  • Ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Sexual orientation or sex life
  • Genetic data
  • Biometric data
  • Trade union membership
  • Health data

Information about criminal convictions and offences is also treated as requiring greater protection.

What is a data controller and a data processor?

A data controller is a legal person, public authority, agency or other body that determines the purposes and means of processing personal data.

A data processor is a person, public authority, agency or other body that processes data on behalf of the data controller.

An entity can be both a data controller and data processor.

What is the legal basis for processing personal data?

Data controllers must have a valid legal basis to process personal data. There are six legal bases:

  • Consent – the data subject has given consent to the processing
  • Contract – the processing is necessary for the performance of a contract to which the data subject is a party (or in order to take steps at the request of the data subject prior to entering the contract)
  • Legal Obligation – the processing is necessary to comply with a legal obligation to which the data controller is subject
  • Vital Interests – the processing is necessary to protect the vital interests of the data subject or another person (this is usually used in cases of life and death)
  • Public Task – the processing is necessary to perform a task in the public interest or in the exercise of official authority vested in the data controller
  • Legitimate Interests – the processing is necessary for the controller’s (or a third party’s) legitimate interests except where these are overridden by the interests or fundamental rights and freedoms of the data subject. This involves balancing the data controller’s interests against the data subject’s rights.

If a data controller is processing special category data or data related to criminal convictions, it needs to identify a lawful basis for the processing but also satisfy an additional condition relating to the processing.

What rights do individuals have regarding their personal data?

Right to be informed: individuals have a right to be given certain information about their personal data and how it is processed. This includes information on the purposes for processing personal data, details of who has access to it and the retention periods that apply to that data.

Right of access: individuals may request access to their personal data held by an organisation. Requests are made via a data subject access request.

Right to rectification: individuals may request that inaccurate or incomplete personal data held about them is rectified or completed.

Right to erasure: individuals may request the deletion of their personal data in certain circumstances.

Right to restrict processing: individuals may request that the processing of their personal data is restricted in certain circumstances.

Right to data portability: individuals have the right to receive their personal data (which they provided to the data controller) in a structured, commonly used and machine-readable format. They also have the right to request that the data controller transmit this data to another data controller.

Right to object: individuals have the right to object to specific processing activities in certain circumstances.

Rights related to automated decision making: individuals have the right not to be subject to a decision based solely on automated means without any human involvement, if the decision produces legal effects concerning the individual or similarly significantly affects them.

If your organisation needs help, contact our Data Protection lawyers.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
