4.2.1 Comment on step 1

Step 1 - Must personal data be processed?

The first question is whether it is really necessary to process personal data? If the work to be done can be performed without processing personal data, then this is preferable. If you do not process personal data, then the requirements of the General Data Protection Regulation do not apply, which makes the work easier. However, it is important to remember that personal information includes all information that can be linked directly or indirectly to a living person, which means that it is not only names, national identification numbers, DNA or portrait photos that constitutes personal data, but it can also be a combination of more anonymous data, which together make it possible to identify an individual.

What is a personal data?

The definition of personal data in the Data Protection Regulation may seem complicated when it defines personal data as  “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”  To summarize the definition in a more accessible way, we can say that:

Personal data is any information that can be directly or indirectly attributed to a living person

This means that personal data is not just information that can be directly linked to a person, such as national identification numbers, names, phone numbers, DNA or portraits, but also combinations of information that together allow you to link the information to an individual. This means, for example, that the combination of age and shoe size together with group membership for a person is not personal data if we only know that it is a Swedish subject but may be if you know that the selection is limited to a small group like the Swedish Academy.

What constitutes processing?

The definition of processing is "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;” The list is long, and it can be concluded that processing is everything you can do with personal data, including just storing them. The person who handles personal data in any form also performs or takes part in its processing in the opinion of the law.

Should personal data be processed?

The first question that should be put to the students is why they may need to process personal data. In instances where you can get the necessary result without working with personal data, such as using anonymous data, this is preferable. Unless personal data is processed, the General Data Protection Regulation does not apply (but other legislation may be applicable depending on the circumstances). Information in the form of personal data should therefore not be used if it can be avoided.

It is also important to note that the General Data Protection Regulation has no preference in regard to what form the data is being handled in. Although we usually think of personal information as digital data, the rules apply regardless of the medium. Paper, film, tape, etc. are also included as long as the information contains personal data.