Two surveillance cameras collect personal data according to GDPR

Personal data

According to the GDPR, personal data is all information relating to an identified or identifiable natural person. (Article 4(1) GDPR)

All information that can be assigned to a specific person or makes a person identifiable is personal data. Not only name, address or telephone number have personal reference, but under certain circumstances also already pseudonymised data such as a customer number or the IP address.

What is personal data?

The term "personal data" includes any data that can be attributed to an identified or identifiable natural person. Natural persons are considered to be identifiable if they can be identified directly or indirectly, for example by means of an allocation of identification numbers, etc.

If such identification is theoretically possible, these data are considered personal data and must be processed accordingly. An actual identification does not have to be carried out.

BDSG, DSGVO and examples

The Federal Data Protection Act already dealt with this in §3 with personal data.

Defined in the General Data Protection Regulation Article 4 para. 1 personal data as information which, when attributed to a natural person, provides insight into that person's physical, physiological, genetic, mental, economic, cultural or social identity.

Examples of personal data include names, telephone numbers and IP addresses, but also the appearance of a person and their working hours.

Types of personal data

Personal data can be divided into numerous types. These include, but are not limited to:

  • Name
  • Date of birth
  • Age
  • Marital status
  • Address
  • E-mail address
  • IP addresses
  • Phone number
  • Account details
  • License plate
  • Identity card number
  • Social security number
  • Location data
  • Criminal record
  • Health data
  • Cultural / social characteristics
  • Biometric data (e.g. fingerprint)

In addition, a distinction is made between special personal data with increased protection requirements. These data requiring special protection are divided into Art. 9 para. 1 DSGVO defined as: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.

The processing of genetic data, biometric data uniquely identifying a natural person, health data or data concerning a natural person's sex life or sexual orientation is also prohibited under the GDPR.

The basic processing of personal data according to the GDPR is subject to special rules. If special categories of personal data are involved, the GDPR prohibits them, with the exception of the cases mentioned in Art. 9(2).

It also includes information relating to the specific characteristics of a natural person, such as their physical, physiological, genetic, mental, economic, cultural or social identity, and even requires particularly sensitive handling of such information.

If personal data is encrypted, this is referred to as pseudonymised data. These in turn differ from anonymised data.

What does not fall under personal data?

Information on legal entities such as companies, associations and foundations are not protected by the GDPR and do not fall under personal data.

Data that is completely anonymised and therefore does not allow any conclusions to be drawn about a person is also not considered personal data.

Personal data in the company and in practice

In addition to information that can be unambiguously linked to a person, such as a name or telephone number, there is also less clear information that must nevertheless be taken into account. For example, the question arose as to whether working hours fall under personal data. The European Court of Justice ruled on this:

"Records of working hours (...) which include the indication of the time at which a worker begins and ends his working day, as well as breaks or non-working time, fall within the notion of personal data (...)". 

If companies process personal data, the provisions of the GDPR must be complied with according to Article 5 para. 1 to be observed. The principles for processing stated therein are:

  • Lawfulness, processing in good faith, transparency
  • Earmarking
  • Data minimisation
  • Correctness
  • Memory limitation
  • Integrity and confidentiality
  • Accountability

Why must personal data be protected?

Personal data according to the GDPR make it possible to identify natural persons and thus draw conclusions about their lifestyle. Based on this, targeted marketing and sales strategies, such as targeted advertisements, can be implemented, which are worth hard cash for companies.
But this data is not only valuable for companies; criminals are also interested in accessing bank data, for example. To protect those affected, it is important to protect personal data from unauthorised access with increased care.

Handling personal data

Art. 5 GDPR regulates the processing of personal data for public and non-public bodies. Accordingly, lawfulness, fair processing, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, as well as accountability are crucial when dealing with these data. Lawfulness of processing is given if at least one condition of Art. 6 DSGVO is fulfilled.

Disclosure of personal data

If personal data is disclosed, this represents a lasting encroachment on the rights of the data subjects. In order to avoid legal sanctions, it must be checked prior to disclosure whether the disclosure is lawful according to Article 6 of the GDPR. Otherwise, there is a risk of fines for the processing company as well as consequences for those affected by the disclosure.

Specific guide on the misuse of personal data

Address trading

Address trading is a component of direct marketing and represents the analogue form of individualist advertising. The aim of address trading, also known as list broking, is to expand the customer base through potential customers by means of advertising in the form of flyers, vouchers and the like. Companies turn specifically to address brokers, who provide not only private addresses but also company addresses. If a certain target group is aimed at, it is possible to include certain criteria in the creation of the address list. For example, only addresses from certain neighbourhoods and streets can be passed on. No consent is required from the persons concerned, so the trade in addresses and customer data is not illegal (according to §28 BDSG). This concerns both the purchase and the sale.


Phishing describes the fishing of access data and identities directly from the person concerned. In the process, victims are requested to enter access data on a website via a link in an email or also via SMS. This website was created specifically for phishing the data and often looks confusingly similar to the corresponding legitimate site. The data entered is then intercepted by the fraudsters and used for their own purposes. It is not uncommon for bank websites to be copied for this purpose. If bank data is actually entered, the fraudsters have the opportunity to transfer money or even steal the identity.

How can I recognise phishing emails? 

  • Watch out for spelling mistakes - texts are often translated mindlessly using translation programmes. This results in strange characters, unconverted umlauts, forgotten letters or even incorrect punctuation.
  • A certain urgency is conveyed to those affected. The aim is to act quickly to avoid consequences such as the blocking of the account.
  • The text may be in a foreign language. If you are not a customer of a foreign company, you should be sceptical.
  • The lack of a direct personal form of address is also conspicuous. Fraudsters often resort to the formulation "customer" or "user".

How can you protect yourself from phishing? 

Many anti-virus programmes warn victims of the phishing website. The computer or browser can also warn of such a danger. It is important that all available security updates are installed. This applies to the computer as well as the anti-virus programme and the browser.

A certain amount of scepticism also helps. If you do not know the website or if there are strange characters in the URL, you should not click on the link and certainly not enter any data.

If the phishing is particularly disguised, it is also called pharming. When entering the URL in the browser, the victim is redirected to a fake website. A conspicuous feature is a request to enter new data and numbers in the URL.

The following applies here: secure websites usually begin with "https" and have a small lock in front of the URL.

Data trading

Data trading is a lucrative business in which customer data is sold to companies. The seller makes a profit and the buyer has a list of potential new customers. In return, companies send out advertising material to expand their customer base. This approach is called direct marketing. The most widespread form is address trading.

Often, such an intention to sell is announced in a privacy policy, which is usually accepted by data subjects without being read. This consent makes it legal to resell the data of the data subjects. An exception is special personal data such as health data. These may only be stored, used, processed or even passed on in very rare exceptional cases.

Identity theft

If third parties access personal data with the aim of misusing it, this is called identity theft. In this case, third parties can shop online under false names or even book money from a person's account to their own. The person concerned is still able to use his or her own identity.

How can it be determined whether the identity has been stolen? 

Clues that point to identity theft are:

  • Login to a supposedly genuine website using password and email is not possible,
  • Receiving payment requests or reminders for orders that have not been placed,
  • Debit entries on the account by unknown companies,
  • Or also claims from debt collection agencies for the settlement of outstanding sums

How should you react to identity theft? 

  • Report to the police, this is often a prerequisite for having accounts blocked.
  • Contact the companies concerned and report your identity theft.
  • To avoid negative entries, you should also inform Schufa.
  • If you have not already done so, change all passwords.

What are the penalties for identity theft? 

Identity theft is not a specific offence in Germany. Consequently, there is no specific punishment, but fraudsters are liable to other criminal offences. For example, forgery of documents according to §267 StGB or false suspicion (§164 StGB), if crimes are committed online under another name. This has legal consequences for the perpetrators in the form of fines and imprisonment (up to 10 years). However, this only applies insofar as the perpetrators can be identified.

How can you protect yourself from identity theft? 

  • Use strong passwords - pay attention to criteria for strong passwords (length, characters used).
  • Do not share your passwords, and it is not advisable to write passwords on loose leaf. Instead, use an online password manager.
  • Activate two-factor authentication for important accounts. By leaving a mobile phone number, you will receive a confirmation message every time you log in to your account.
  • Watch out for phishing emails and do not respond to them.
  • Keep your computer up to date and perform the security updates.
  • Anti-virus programmes also contribute to protection.

Important rights of the data subjects

Data subjects whose data is collected, stored and processed have many rights. The three most important are the right to informational self-determination, the right to information and the right to correction, deletion and blocking of data.

Right to informational self-determination

The right to informational self-determination falls under the right of personality and is thus protected by Article 1 of the Basic Law. It allows those affected to decide for themselves which data may be stored and processed. Active consent to the given purpose is necessary.

Right of access to the processing of personal data

§19 and the §34 BDSG give those affected the right to inspect their stored data at companies and authorities. Both public and non-public bodies are obliged to provide information.

Right to rectification, erasure and blocking of personal data

If stored data is incorrect, outdated or has been stored or passed on unlawfully, there is a duty to block, correct or completely delete it in good time. Data subjects can demand these processes.

In addition, those affected have the right to be forgotten. This provides that deleted data cannot be restored. This is regulated by Art. 17 GDPR. Relevant deletion facts are therefore:

  • The purpose of the data processing has ceased, which means that the data are no longer needed.
  • The data subject/data owner has revoked consent to data collection
  • Data controller has objected to data processing
  • Determination that personal data were unlawfully collected or processed in the first place
  • Erasure process necessary in fulfilment of a legal obligation under EU law or on a national legal basis
  • It concerns personal data of a child

The article does not specify which technical measures are to be used to delete or destroy the data.

As soon as a reason for cancellation is given, it must be carried out without delay. At the latest within one month of receipt of the request for cancellation, applicants must be informed of the appropriate measures for cancellation or of the reasons for refusal of the request.

How can I request the deletion of my data?

According to Art. 17 of the GDPR, every data subject has the right to have their data deleted. To do so, the company concerned must request the deletion of the data in writing or revoke the permission to process the data. In addition, a confirmation of the action can be requested. Within one month, the company must comply with the request. If the company refuses the request, a valid justification for the retention of the data must be provided (e.g. a legal obligation).

Caroline Schwabe

This might interest you too:

IT security incident

TISAX requirements: Prepare certification step by step

TISAX® requirements: Information on the question catalogue, maturity levels and certification. Prepare the assessment level and audit.

Audit management: Implementing audits more efficiently

Understanding and implementing audit management: Step-by-step explanation, background information, examples and definitions. Read now!

NIS2: EU directive for more cyber security

What does the NIS-2 Directive mean for organisations in Germany? Implementation obligations, sanctions, tips for implementation.