All organisations collect data. Privacy Label distinguishes four types of data and five ways of collecting it.
In our label we also distinguish different ways organisations could collect your personal data:
‘We receive from others’: This is personal data your organisation received from another organisation.
‘We observe’: This is personal data your organisation observed, for instance by surveillance or tracking.
‘We created’: This is personal data your organisation created, for instance by scoring someone or by deriving new insights from combined information.
‘We purchase’: Personal data your organisation purchased or ‘rents’ from another organisation. For instance, when you buy a dataset or when you pay for access to personal data.
collect personal data. In Privacy Label we distinguish four different sorts of
'Personal data' covers all sorts of personal data, that is, any information relating to an identified or identifiable natural person. This sort of personal data, as distinguished by Privacy Label, does not include sensitive data or special categories of personal data under the GDPR.
'Sensitive personal data' is personal data that touches upon the dignity of the data subject, or could lead to their stigmatisation or discrimination. This includes special categories of personal data. Special categories of personal data have a special status in the GDPR. It is a fixed list of personal data categories which cannot be processed unless there is a good reason.
These are:
- Racial or ethnic origin
- Political views
- Religion or philosophy
- Membership of a trade union
- Genetic data (this data relates to a person's genes and is unique to a person, for example a person's DNA)
- Biometric data used to identify a person (these are bodily characteristics that can be used to identify a person, such as DNA, a fingerprint or an iris scan)
- Medical data
- Information about a person's sexual behaviour or sexual orientation
Find out more about personal data and its collection by organisations below.
Aggregated data is generalised or pseudonymised data which doesn’t connect directly to you but does describe you in some way. For instance, the first two digits of your area code, the general level of education within your company or a chart of spending patterns in your supermarket.
Personal data is usually aggregated in order to protect your privacy. The first two digits of your area code are less likely to invade your privacy than your whole address. However, by combining different sorts of aggregated personal information, someone might still identify you.
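The risk described above can be measured before a dataset is shared. The following is an added example, not part of Privacy Label: it counts how many records share each combination of aggregated values (the smallest group size, known as k in k-anonymity). The attribute names and rows are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: every row holds only aggregated values (no names, no addresses).
RECORDS = [
    {"area": "10", "education": "university", "age_band": "30-39"},
    {"area": "10", "education": "university", "age_band": "40-49"},
    {"area": "10", "education": "vocational", "age_band": "30-39"},
    {"area": "10", "education": "vocational", "age_band": "40-49"},
    {"area": "35", "education": "university", "age_band": "30-39"},
    {"area": "35", "education": "university", "age_band": "30-39"},
    {"area": "35", "education": "vocational", "age_band": "40-49"},
    {"area": "35", "education": "vocational", "age_band": "40-49"},
]
ATTRS = ("area", "education", "age_band")  # hypothetical attribute names


def group_sizes(records, attrs):
    """Count how many records share each combination of values for attrs."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def smallest_group(records, attrs):
    """Return k: the size of the smallest group. k == 1 means someone stands alone."""
    return min(group_sizes(records, attrs).values())


def singled_out(records, attrs):
    """Return the records that are the only member of their group."""
    sizes = group_sizes(records, attrs)
    return [r for r in records if sizes[tuple(r[a] for a in attrs)] == 1]


def k_per_combination(records, attrs):
    """Compute k for every non-empty combination of the given attributes."""
    return {
        combo: smallest_group(records, combo)
        for n in range(1, len(attrs) + 1)
        for combo in combinations(attrs, n)
    }


if __name__ == "__main__":
    for combo, k in k_per_combination(RECORDS, ATTRS).items():
        print(f"{' + '.join(combo):35} k = {k}")
    print("records singled out by all three:", len(singled_out(RECORDS, ATTRS)))
```

Each attribute on its own hides a person among several others, while some combinations shrink the group to a single record; those combinations need coarser values or must be left out before release.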
In the General Data Protection Regulation (GDPR) personal data is described as any information relating or related to an identified or identifiable natural person.
But what does that mean?
Any information: not only written down or digital, but anything giving you information...
Relating or related to: which tells you something about someone...
An identified or identifiable: someone who can be pointed out in any way...
Natural person: a living human being.
In conclusion: Personal data is all information that makes you, you.
In Privacy Label we call all non-sensitive information about you (normal) personal data. Non-sensitive personal data is data which is not likely to harm or embarrass you when it is out in the open. For instance, information about who you are, where you live, your (online) behaviour or what you like and don’t like.
SENSITIVE PERSONAL DATA
Some personal data is more sensitive than others. Sensitive data could lead to stigmatisation or exclusion of the data subject.
Examples of sensitive data:
- Usernames, passwords and other login details
- Data concerning a financial or economic situation
- Relationship problems, school performance of children
- Data which can be used for (identity) fraud
SPECIAL CATEGORIES OF PERSONAL DATA
Special categories of personal data have a separate status within the GDPR. There are strict rules attached to processing these kinds of personal data. A hack or a data breach of this data can pose a major risk to the persons involved. This is why, in principle, there is a general prohibition on the processing of these data. The data may only be processed if there is a specific exception in the law. One of these exceptions is when someone has given his or her explicit consent.
The GDPR specifies a strict list of what are special categories of personal data.
These special categories of personal data are:
- Racial or ethnic origin
- Religious or philosophical beliefs
- Trade union membership
- Data concerning someone’s sex life or sexual orientation
- And criminal records