GDPR applies to all personal data which is wholly or partly automated. This means that all information held on a computer or other electronic means will be covered. This includes data that will be processed by automated means. It also applies to personal data that forms part of a filing system or intends to form part of a filing system. This includes paper or other manual records.
GDPR will apply to documents in a filing system that is structured in a way to allow access to personal data, whether easily or not. If a filing system appears unorganised but a member of staff can locate a document within it, by reference to an internal system, then this data will come under the scope of GDPR, even though at first glance the information may not appear to be in a structured filing system.
Any information that relates to an identified or identifiable natural person. This means that data belonging to a deceased person or corporate entity is not personal data. However, the data of a deceased person may be the personal data of the next of kin of the deceased person. Similarly, information about people in a corporate entity will be personal data.
An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as, name, number, location data, online identifier or one or more factors specific to the physical , physiological, genetic, mental, economic, cultural or social identity of the natural person. The person must be capable of being identified from the data in question. This will depend on the type of processing by the organisation.
When considering if the person is identifiable, the organisation must take into account all of the information under its control. If personal data is being published, a controller must consider the information that is already in the public domain, which may identify the data subject.
Where personal data is being processed by a controller, a relevant individual is entitled to:
The individual can also request, among other things: