In order to understand well the rules about the data protection, it is important to clarify what is meant by personal data.
Indeed, often this aspect took it for granted, but it is essential to understand the rules and apply them correctly.
According to current legislation (EU Regulation No. 2016/679) personal data is any kind of information related to a person, identified or identifiable, even indirectly, by reference to any other information, including a personal identification number.
Personal data can be also an image, a sound and any kind of news or information that is referable to a determined or determinable subject.
All identification codes – the ones obtained from personal data (i.e. tax code), or the unique codes assigned to a person on the basis of predefined criteria (i.e. customer codes) – have to be considerate as personal data.
Personal data is therefore any information referred (or even simply referable by means of a code) to a person: it can be also the license number of a vehicle referred to an owner or the number of a policy related to an insurance. Another example of personal data can be the type of magazines to which the person is a subscriber or the type of some purchases ordered by mail or by telephone.
It is very common to think that personal data is identified with the name and surname of the person concerned but this is not a correct information. The name of the interested party can be considered simply the tool through which information can be attributed to a particular person. In this case it should be remembered that personal data are rarely managed in isolation and they are usually inserted in a “database” that is defined as any complex of personal data, divided into one or more units located in one or more websites and organized following a number of specific criteria to facilitate the treatment.
It may happen that in a database are contained only the name and surname of the interested person but in this case the name and surname of the interested person are not the “true” personal data. The real valuable information concerns about the fact that the database – where there are the collection of the personal details – have been included subjects that are united by a specific feature (for example, they are all buyers of products by correspondence).
A particular kind of category of personal data is the one related to sensitive data: that kind of personal data are suitable to reveal, for example, racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, or other personal data useful to reveal the state of health and sexual life.
According to this definition, the quality of sensitive data is linked to the suitability of the data themselves to constitute an instrument of knowledge to reveal the racial and ethnic origin, religious beliefs, philosophical or otherwise, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature and also to reveal the state of health and sexual life of the person.
Theoretically , any kind of data, even the one apparently more neutral and harmless, can be a suitable tool to reveal one of the abovementioned elements. For example, even a person’s name may be suitable for revealing certain “sensitive” aspects of his or her personal sphere. For example, analyzing the surname of the inhabitants of a city it can be possible to discriminate, with a good margin of approximation, the inhabitants that have a certain ethnic origin. For this reason it is not the personal data to be sensitive but it is the use of the data that a person can make of it.
Sensible data is subject to an higher level of protection than the one related to non-sensitive data.