What is personal data?

Personal data is information that relates to an identified or identifiable person, that is, someone who could be identified, directly or indirectly, based on the information.

For example, your name, address, and date of birth were all already considered personal identifiers under the Data Protection Act 1998.

Personal data is regulated by the Data Protection Act. The EU-wide General Data Protection Regulation (GDPR), brought into UK law on 25 May 2018 under the newly revised Data Protection Act 2018, broadened the definition of what counts as personal data.

Personal data includes an identifier such as:

  • your name
  • an identification number, such as your National Insurance or passport number
  • your location data, such as your home address or mobile phone GPS data
  • an online identifier, such as your IP or email address.

Sensitive personal data is also covered in GDPR as special categories of personal data. The special categories specifically include:

  • genetic data relating to the inherited or acquired genetic characteristics which give unique information about a person’s physiology or the health of that natural person
  • biometric data for the purpose of uniquely identifying a natural person, including facial images and fingerprints
  • data concerning health which reveals information about your health status, including both physical and mental health and the provision of health care services
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • sex life or sexual orientation.

Under existing and new data protection rules anyone who processes personal information must make sure that the information is (amongst other things):

  • adequate, relevant and not excessive
  • processed fairly and lawfully
  • obtained only for one or more specified and lawful purposes, and not further processed in any manner incompatible with that purpose or those purposes
  • accurate and up to date
  • processed in accordance with the rights of data subjects under the Data Protection Act
  • kept for no longer than is necessary
  • secure (ie using appropriate technical or organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data).

Data Protection: jargon buster

  • Processing is the act of obtaining, recording, holding or using data.
  • Data subject is an individual who is the subject of personal data.
  • Data controller is a person or organisation that decides how personal data is processed. In many cases they will need the consent of the data subject to do this.
  • Data processor is any person or organisation that processes data on behalf of the data controller.

How do companies use my personal data?

Organisations and businesses, which also include clubs, societies and charities, both large and small, use your personal data for a range of reasons.

Personal data for service or task

Organisations hold personal data for a range of useful reasons necessary to provide a service, not just for marketing.

For many purposes, you would want companies to continue handling your personal information to perform the tasks you need them to.

Personal data for profiling

Companies might also use your personal information to profile you in a way that many would find useful.

For example, Netflix uses personal data to recommend films and TV programmes that it thinks you’re likely to enjoy, and Amazon uses your shopping history to suggest similar products you might be interested in.

Facebook also collects information on how you use its services. This could be the type of content you view and engage with, the devices you use, your language and time zone, and when you visit third-party websites which use Facebook services (even when just hitting the 'like' button).

Read our guide for more information on how to control your personal data on Facebook, remove consent from third-party apps and manage which ads target you.

Personalised offers and recommendations may well be welcomed by individuals who want a more tailored service.

Other retailers might use information on your shopping habits and social interactions to inform direct marketing and suggest other products to you.

Many retailers also use profiling to market directly to you using emails, texts and messages.

You have the right to object to profiling, including if it is used for direct marketing purposes, and companies must inform you of your right to object at the latest at their point of first communication with you and in their privacy notice.  

If they receive an objection to processing personal data for marketing purposes, they must ensure that your personal data is no longer processed for such purposes.

How can I ask a company to stop processing my personal data?

You have a right to have personal data erased and to prevent processing in specific circumstances.

These include, but are not limited to:

  • where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • where the personal data was unlawfully processed
  • where you withdraw consent
  • where the basis for processing is that it is in the organisation’s legitimate interests, but you object to the processing and there is no overriding legitimate interest for continuing the processing

Read our guide on how to stop companies from using your personal data for more information on how to make a request to an organisation to stop processing your data for the purposes of direct marketing.

Under the GDPR, you have the right not to be subject to a decision based solely on automated processing if it affects you legally or substantively. Read our guide on your right to appeal automated decisions.

How do I find out which personal data a company has?

You have the right to make a ‘subject access request’, which allows you to act on your right to obtain access to your personal data held by a company. You can make one for free.

Read our dedicated subject access request guide for more information on how to make a subject access request.

Can I ask to get my personal data?

If the data you've provided is digitally processed, you’ll have the right to request that data in a machine-readable format and the right to have that transmitted to another data controller.

This right exists if you have provided your personal data to the company and either:

  1. the company processes that personal data with your consent or in order to fulfil a contract; or
  2. the processing of your personal data is being carried out by automated means.

In theory, the right to personal data portability will allow you to move, copy or transfer personal data more easily from one IT environment to another in a safer and more secure way.

This also enables you to take advantage of applications and services such as price comparison websites, which can use this data to find you a better deal.

For example, this could include the best energy provider to switch to, getting a competitive broadband package or finding the best mortgage deals through price comparison websites.
