We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.

Consumer Rights.

Updated: 5 Mar 2021

What counts as personal data?

What counts as personal data may include more than you initially realise – our guide explains what personal data is according to UK data protection law.
Which?Editorial team
What counts as personal data?

What is personal data?

Personal data is information that relates to an identified or identifiable person who could be identified, directly or indirectly based on the information.

The EU-wide rules in the Data Protection Act 2018 (GDPR) provides the legal definition of what counts as personal data in the UK.

Personal data includes an identifier like:

  • your name
  • an identification number, for example your National Insurance or passport number
  • your location data, for example your home address or mobile phone GPS data
  • an online identifier, for example your IP or email address.

Sensitive personal data is also covered in GDPR as special categories of personal data. The special categories specifically include:

  • genetic data relating to the inherited or acquired genetic characteristics which give unique information about a person’s physiology or the health of that natural person
  • biometric data for the purpose of uniquely identifying a natural person, including facial images and fingerprints
  • data concerning health which reveals information about your health status, including both physical and mental health and the provision of health care services
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • sex life or sexual orientation.

Under existing and new data protection rules anyone who processes personal information must make sure that the information is (amongst other things):

  • adequate, relevant and not excessive
  • processed fairly and lawfully
  • obtained only for one or more specified and lawful purposes, and not further processed in any manner incompatible with that purpose or those purposes
  • accurate and up to date
  • processed in accordance with the rights of data subjects under the Data Protection Act 2018
  • kept for no longer than is necessary
  • secure (for example using appropriate technical or organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data).

Key Information

Data Protection: jargon buster

  • Processing is essentially anything that is done to or with personal data. This includes but is not limited to collecting, recording, organising, structuring, storing, adapting, altering, erasing or destroying.
  • A data subject is an identified or identifiable person.
  • A controller determines the purposes and means of the processing of personal data.
  • A processor processes data on behalf of a controller.

How do companies use my personal data?

Organisations and businesses (which also include clubs, societies and charities), both large and small, use your personal data for a range of reasons.

Personal data for service or task

Organisations hold personal data for a range of useful reasons necessary to provide a service, not just for marketing.

For many purposes, you would want companies to continue handling your personal information to perform the tasks you need them to.

Personal data for profiling

Companies might also use your personal information to profile you in a way that many would find useful.

For example, Netflix uses personal data to recommend films and TV programmes that it thinks you’re likely to enjoy, and Amazon uses your shopping history to suggest similar products you might be interested in.

Facebook also collects information on how you use its services. This could be the type of content you view and engage with, the devices you use, your language and time zone, and when you visit third-party websites which use Facebook services (even when just hitting the 'like' button).

Personalised offers and recommendations may well be welcomed by individuals who want a more tailored service. 

Other retailers might use information on your shopping habits and social interactions to inform direct marketing and suggest other products to you. Many retailers also use profiling to market directly to you using emails, texts and messages.

You have the right to object to profiling, including if it is used for direct marketing purposes, and companies must inform you of your right to object at the latest at their point of first communication with you and in their privacy notice.  

If they receive an objection to processing personal data for marketing purposes, they must ensure that your personal data is no longer processed for such purposes.

How can I ask a company to stop processing my personal data?

You have a right to have personal data erased and to prevent processing in specific circumstances.

These include, but are not limited to:

  • where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • where the personal data was unlawfully processed
  • where you withdraw consent
  • where the basis for processing is that it is in the organisation’s legitimate interests to do so, but you object to the processing and there is no overriding legitimate interest for continuing the processing

Read our guide on how to stop companies from using your personal data for more information on how to make a request to an organisation to stop processing your data for the purposes of direct marketing.

Under the GDPR, you have the right not to be subject to a decision based solely on automated processing if it affects you legally or substantively. Read our guide on your right to appeal automated decisions.

How do I find out which personal data a company has?

You have the right to make a ‘subject of access request’, which allows you to act on your right to obtain access to your personal data held by a company. You can make them for free.

Read our dedicated subject access request guide for more information on how to make a subject access request

Can I ask to get my personal data?

If the data you've provided is digitally processed, you’ll have the right to request that data in a machine-readable format and the right to have that transmitted to another data controller.

This right exists if you have provided your personal data to the company and:

  1. the company processes that personal data with your consent or in order to fulfil a contract; and
  2. the processing of your personal data is being carried out by automated means.

In theory, the right to personal data portability will allow you to move, copy or transfer personal data more easily from one IT environment to another in a safer and more secure way.

This also enables you to take advantage of applications and services such as price comparison websites, which can use this data to find you a better deal.

For example, this could include the best energy provider to switch to, getting a competitive broadband package or finding the best mortgage deals through price comparison websites.