Personal Data

Definition

Personal data is defined under Article 4(1) of the General Data Protection Regulation (GDPR) as any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural, or social identity.

The GDPR distinguishes between general personal data and special categories of personal data (Article 9 GDPR). Special categories include data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health data, and data concerning a person's sex life or sexual orientation. Stricter processing conditions apply to these data categories.

Simply Explained

Think of a business card. It has your name, your company, your phone number, and your email address. All of these are personal data because someone can directly identify you from them.

But personal data goes far beyond the business card. Your IP address, which you use to browse the internet, is also personal because your internet provider can link it to you. Your tax identification number, your license plate, your medical records, and even your smartphone's location history are all personal data. In essence, almost any information that can somehow be connected to you is personal data.

Why Does It Matter?

Personal data is the central concept of all data protection law. The GDPR exists specifically to protect this data:

• Ubiquity: Companies constantly process personal data, often without consciously realizing it. Every customer list, every email, every document containing names or addresses holds personal data.
• Legal Basis Required: Every processing of personal data requires a legal basis under Article 6 GDPR (e.g., consent, contract, legitimate interest). Without a legal basis, processing is unlawful.
• Data Subject Rights: Individuals have extensive rights regarding their data: access, rectification, erasure, restriction of processing, data portability, and the right to object.
• Document Transfer: The exchange of documents almost always involves the transmission of personal data. Tax documents, contracts, job applications, medical reports, and many other documents contain personal information.
• Fine Risk: Improper handling of personal data can lead to significant fines. The GDPR provides for penalties of up to 20 million euros or 4% of global annual revenue.

Practical Example

An auditing firm regularly receives documents from its clients via email: annual reports, payroll statements, partnership agreements, and bank statements. Each of these documents contains personal data: names of employees and business partners, salary information, account numbers, and tax identification numbers.

An employee of the firm accidentally forwards an email containing payroll statements to the wrong recipient. This constitutes a data breach: personal data of third parties has been disclosed without authorization. The firm must report the breach to the supervisory authority within 72 hours and notify the affected individuals.

With a secure upload platform, this risk would have been minimized: clients would upload their documents through protected upload links, and access to the files would be restricted to authorized staff. Accidental forwarding would be impossible.

How SendMeSafe Implements This

SendMeSafe was designed to make the secure handling of documents containing personal data as simple as possible:

• Data Minimization: Upload links can be created without collecting personal data from the uploader. Only the data necessary for the service is collected.
• Encryption: All uploaded files that may contain personal data are stored with AES-256 encryption and transferred over TLS 1.3.
• Access Controls: Role-based permissions ensure that only authorized individuals can access documents. Upload links and share links can additionally be password-protected.
• Deletion Policy: Files can be configured with automatic expiration dates. Organizations can specifically and completely delete personal data when the processing purpose no longer applies.
• Audit Trail: Every access to documents containing personal data is logged without gaps, ensuring it is always traceable who accessed which data and when.
• Hosting in Germany: All data remains on servers in Germany, ensuring compliance with the strict German and European data protection standards.

Frequently Asked Questions

Are company names also personal data?

No, company names of legal entities (e.g., a corporation or LLC) are generally not personal data under the GDPR, as the GDPR only protects natural persons. The situation is different for sole proprietorships or freelancers: here the business name is often identical to the natural person's name and is therefore personal data.

What are special categories of personal data?

Special categories encompass particularly sensitive data: health data, biometric data, genetic data, data on ethnic origin, political opinions, religious beliefs, trade union membership, and data concerning sex life. Their processing is generally prohibited under Article 9 GDPR unless one of the exceptions listed in Article 9(2) applies (e.g., explicit consent).

Is anonymized data still personal data?

No, fully anonymized data is no longer personal data and does not fall under the GDPR. However, anonymization must be irreversible. Pseudonymized data, on the other hand, continues to be considered personal data because it can be re-attributed to a person with the help of additional information.

How long may I store personal data?

The GDPR prescribes the principle of storage limitation: personal data may only be stored for as long as it is necessary for the processing purpose. After that, it must be deleted or anonymized. Statutory retention periods (e.g., 6 or 10 years for tax purposes) take precedence, but after their expiration, deletion must occur.