3. Description of the Categories of Personal Data
Summary: The aim of this description is to describe all types of personal data that is processed by the activities of the project. This is necessary to demonstrate that each type of processed data is indeed necessary to reach the goal of the project, and that only a justifiable minimum amount of personal data is processed.
Step 3 describes the types of data collected from data subjects described in step 2, also describing the specific purpose each one fulfils. Whereas the general purpose of the project has been already explained in step 1, these descriptions now describe each type of processed data, and will explain why each one of them is needed – to provide their specific purposes. In addition, these descriptions provide an idea of the possible risks associated with them – risks that are then described and assessed in Step 11 of the Privacy Scan.
As it is described here, personal data covers everything linked or related to individuals, so the list of personal data should include not only directly identifiable information like name, address, email, etc., it should also include indirect identifiers like demographic information, opinions, knowledge, professional or academic interests, etc.
Data is listed as categories – the type of data is described, not the content of it. Data descriptions that have the same justification are listed together, and any additional comments are listed too as necessary. When possible, it is advisable to provide access to the questions/topic guide/script used to collect data, as these provide a more accurate picture of the nature of collected data.
Special categories of personal data
Special categories of personal data include the following types of data: Racial or ethnic origin; Political opinions; Religious or philosophical beliefs; Trade union membership; Genetic data; Biometric data for the purpose of uniquely identifying a person; Health data; Data about sexual behavior or sexual orientation. If the processing activity intends to process these special categories of personal data, ensure this is clearly stated in the data description.
This type of personal data is in principle prohibited to process, unless one of the GDPR Art. 9(2) exceptions apply. The applicability of these exceptions is later addressed in Step 7 of the Privacy Scan.
An example of a description of data collected for interviews may look like this:
Description | Justification | Comments | |
Name, email address | Necessary to invite and to arrange interview appointment | Name & email is processed independently of interview transcripts. Participants are identified by pseudonyms | |
Participant number | Identify participant’s data within the project research dataset | Name – pseudonym reidentification link table is maintained while interviews are ongoing | |
Age, nationality, gender | Necessary to provide context to the participant’s responses, including experiences of aggression or exclusion. | Age brackets are used. Nationality collected by multiple choice. Gender is likely a special category of personal data | |
Home address | Necessary to link a participant to a specific geographical region. | Only the four digit postcode is used | |
Opinions and experiences on sustainable mobility | Necessary to collect participants views on the study topic. | Interview guide is available in the project’s shared folder (link to document) | |
Interview audio & transcript | Necessary to maintain the integrity of the interview’s content |
Previous: Description of Data Subjects | Next: Description of the Processing of Personal Data
- Description of the Project’s Purpose
- Description of Data Subjects
- Description of the Categories and Purposes of Personal Data
- Description of the Processing of Personal Data
- Description of Information Provided to Data Subjects
- Description of How Data Subjects Can Exercise Their Data Subject Rights
- Description of Lawful Basis for Processing
- Description of Measures to Ensure Compliance By Processors and/or Joint Controllers
- Description of Planned Transfers of Personal Data to Other Countries Outside the EU
- Obtaining, Consulting, and Dealing with Data Subjects’ Views of the Processing
- Preliminary Risk Assessment