Assessing personal data

The GDPR has defined personal data as ‘any information relating to an identified or identifiable natural person [1]’. This means that information such as the name, address and telephone number of the data subject is regarded as personal data, but also information such as an IP address. The definition of personal data also extends to clinical trials, as during a clinical trial you have access to a database containing information such as the site, diagnosis of the clinical participants, and the results from the clinical trial. This is considered personal data as it is easy to identify a person based on this information. Thus, the definition of personal data is very broad as it can apply to both direct and indirect identification of an individual.

Regular & special categories of personal data

The personal data that is collected can be divided into two categories. The first category contains regular personal data, and the second category contains special categories of personal data. Regular personal data are, for example, name, address and age. Special categories of personal data are more sensitive in nature as they include, but are not limited to, racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying a data subject and health data.[2]