In detail

The same piece of data may be personal data in the hands of one organisation, while it may not be personal data in another organisation’s hands. This depends on the purpose the organisation is processing the information for.

Example

A journalist takes a photograph of the beach on a sunny day to publish in a local newspaper alongside a story about record-breaking temperatures. The photograph includes some individuals who are relaxing on the beach and is of sufficient quality that some of the individuals may be identifiable.

The journalist is not processing the photograph to learn anything about any of the individuals whose images were captured, nor is it likely that the journalist would ever process the photograph for that purpose. Whilst processed by the photographer, the photograph would not be personal data as it is not used to record, learn or decide something about the individuals.

One of the individuals photographed on the beach had told their employer they needed to attend a funeral and had taken compassionate leave from work on that day.

Their colleague sees the photograph published in the newspaper, scans a copy and e-mails it to the manager of the individual photographed. The photograph is added to the individual’s personnel file in order to start disciplinary proceedings for taking compassionate leave under false pretences.

When being processed by the individual’s employer, the photograph is being used to record, learn or decide something about the individual. For this reason, it would be personal data when processed by the employer.

It is therefore necessary to consider carefully the purpose for which the controller is using the data in order to decide whether it relates to an individual.