Even data without a birth number or name and surname are personal data under the GDPR

According to the GDPR, personal data is any information about an identified or identifiable natural person. So it includes data that can be indirectly linked to a specific person.


You may have thought that once you remove data such as the birth number or name from your database, you're all set. Unfortunately, it's not that simple. According to the GDPR, personal data is any information about an identified or identifiable natural person. So this includes data that can be indirectly associated with a specific person.

So if your records hold information about an employee such as age, education, qualifications or salary level, it is still personal data even if you remove the direct identifiers.

In practice, even data that the controller modifies, for example by a technique known as hashing, is personal data. Although this technique leaves no direct identifiers in the data, the moment the controller passes it on to a third party, it is again treated as personal data. Does this seem nonsensical to you? Not quite, because the controller is still able to identify the individuals retrospectively from the original data. If the controller removes the original data, what remains is pseudonymised data protected by a security measure. That significantly reduces the risk, but the data is still subject to the GDPR.
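The hashing case described above, as an added example that is not part of the original article. The records, the field names and the choice of SHA-256 are assumptions made for illustration, and the sample data is constructed.

```python
import hashlib

# Constructed sample records; the identifiers and names are made up.
ORIGINAL = [
    {"birth_number": "000101/0001", "name": "Employee A", "age": 39, "salary": 52000},
    {"birth_number": "000102/0002", "name": "Employee B", "age": 34, "salary": 61000},
]


def pseudonym(birth_number: str) -> str:
    """Replace the direct identifier with its SHA-256 digest (assumed technique)."""
    return hashlib.sha256(birth_number.encode("utf-8")).hexdigest()


def hash_records(records):
    """Build the dataset handed to a third party: name and birth number
    are dropped, the digest stays as the row key."""
    return [
        {"id": pseudonym(r["birth_number"]), "age": r["age"], "salary": r["salary"]}
        for r in records
    ]


def reidentify(shared, retained_originals):
    """What the controller can do while it still holds the original data:
    re-hash every original identifier and join on the digest."""
    lookup = {pseudonym(r["birth_number"]): r["name"] for r in retained_originals}
    return {row["id"]: lookup.get(row["id"]) for row in shared}


if __name__ == "__main__":
    shared = hash_records(ORIGINAL)
    # Originals retained: every hashed row maps back to a person.
    print(reidentify(shared, ORIGINAL))
    # Originals deleted: the join finds nothing, but the rows (age, salary,
    # stable id) remain pseudonymised data, not anonymous data.
    print(reidentify(shared, []))
```

The hashed rows contain no name or birth number, yet the join restores every name as long as the originals exist, which is why the dataset is still treated as personal data.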

The only way a controller can exempt certain data from the GDPR regime is by anonymising it. The data must be modified in such a way that it can no longer be associated with a specific individual.

Do you want to make sure you are handling your data correctly and following everything you need to be GDPR compliant? Our team is here for you!