Due to Data Protection Regulation, many companies may ask themselves whether their databases are also subject to regulation. It is particularly unclear when the company does not have information that directly identifies a particular natural person, such as a name and surname, but has a substitute, e. g. a pseudonym or only the IP address from which the network connection is made. Is it necessary to secure the data also in this case? What types of data should be protected according to GDPR?

What information makes it possible to identify a person?

The traditionally understood response: "All personal data, including sensitive data" is insufficient according to GDPR . From May 25, 2018, any information that not only directly but also indirectly identifies a person shall be protected, including:

  • IP addresses
  • network identifiers
  • variables stored in cookies
  • - information related to the image (e. g. photographs)
  • telephone numbers
  • metadata for profiling behaviour and user preferences
  • location data to identify the whereabouts of the person concerned or to track his/her movement

The Court has ruled that when an organisation possesses data which are not capable of identifying an individual as such, these data may constitute personal data if the organisation has legal means to identify the data subject by combining them with other information in possession of at least one third party.

Special categories of data

Additional attention should be paid to the so-called special categories of data, whose processing will be prohibited. The definition of sensitive personal data encompasses as follows:

  • data of health status
  • data revealing racial or ethnic origin
  • political views
  • religious beliefs
  • trade union membership
  • genetic data
  • biometric data (e. g. voice, fingerprints, blood group)
  • sexual orientation data

Situations in which the processing of special categories of personal data will be permitted include, inter alia, the following:

  • Informed consent for processing this category of personal data, where “consent” is specified in Article 4, Section 11 of GDPR as “freely given specific and informed indication” of his or her wishes by which the individual signifies his or her agreement to this data processing, either by a statement or by a clear affirmative action.
  • Enforcement of rights or claims in the relevant proceedings, including the processing of data by courts in the course of the administration of justice.
  • Protecting the vital interests of the data subject (e. g. in relation to the provision of medical assistance).

In the light of this information, it is clear that many companies are currently facing a challenge of analysing their databases and determining whether the information they collect is necessary to take measures to safeguard them and to ensure their ongoing protection. In addition, according to the new Regulation, data that are often scattered and unconsolidated must be organized into collections. Companies must take measures to aggregate, locate, view, modify, transfer and delete information.

To conclude, if a company processes or stores any personal data, sensitive data or information generally related to the movement of people on the network, it is highly likely to be subject to regulations resulting from GDPR. The size of the entity is irrelevant. GDPR covers not only large auction portals and social networking sites, but also hospitals, small e-commerce shops and even local kindergartens.

Lemlock ebook. Expert Guidebook: Three vievs on cybersecurity
Are you interested in a comprehensive solution
for your data security?
Consent to  data processing for contact purposes
I confirm that I have read the  information clause of Sagiton Sp. z o.o.

I hereby give consent to the processing of my personal data by the Personal Data Controller (hereinafter: "PDC") – Sagiton Sp. z o.o. ul. Fabryczna 19, 53-609 Wrocław, within the scope of: full name, e-mail address or telephone number, for the purpose of sale of products and services of Sagiton Sp. z o.o. and for the purpose of sending me feedback and making contact with me by Sagiton Sp. z o.o.

At the same time, I acknowledge that: at any time I can request the removal of my personal data from the PDC Sagiton Sp. z o.o. database, by sending an e-mail to hello@sagiton.pl, or a letter to Sagiton Sp. z o.o., ul. Fabryczna 19, 53-609 Wrocław, with a statement containing the relevant request, which shall result in the deletion of my personal data from the PDC Sagiton Sp. z o.o. database; I have the right to access my data; providing my data is voluntary, however refusal to provide it is tantamount to not receiving information regarding sale of products and services of Sagiton Sp. z o.o., as well as not receiving feedback and making contact with me by Sagiton Sp. z o.o.

In accordance with Art. 13 section 1 of the General Data Protection Regulation of 27 April 2016, (GDPR), we would like to inform you that the controller of your personal data is Sagiton Sp. z o.o. with its registered office at ul. Fabryczna 19, 53-609 Wrocław, e-mail: hello@sagiton.pl.

Your personal data shall be processed within the scope of: full name, e-mail address and/or telephone number in order to answer your question/request for contact and send feedback – pursuant to Art. 6 section 1 (a) of the GDPR, i.e. consent to the processing of personal data.

The data controller would like to inform you that your personal data shall not be disclosed to third parties.

Your data shall not be transferred outside of the European Economic Area or to international organizations.

Your personal data shall be processed until you withdraw your consent to the processing of data, as well as if the purpose for processing this data shall no longer be applicable.

You have the right to access your personal data, rectify it, delete it, restrict its processing, the right to transfer it, as well as the right to object.

In the case of giving your consent, you have the right to withdraw it at any time. Exercising the right to withdraw the consent does not affect the processing carried out before the consent was withdrawn.

You have the right to lodge a complaint with the supervisory body, i.e. the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw.

Providing your personal data is a prerequisite for making contact with you by Sagiton Sp. z o.o. with its registered office at ul. Fabryczna 19, 53-609 Wrocław. In the case of not providing your personal data, Sagiton Sp. z o.o., shall not be able to contact you.

The Data Controller, Sagiton Sp. z o.o., would like to inform you that they shall not use your personal data for automated decision-making, which is based solely on automated processing, including profiling, and has legal effects for you or affects you significantly in a similar way.

Let's stay in contact