PERSONAL DATA: DEFINITION, PROCESSING, AND RESPONSIBILITIES

July 10, 2025
Personal data and its protection have become topics of high importance for every individual, business, or institution.
However, what is equally important in this context is understanding:
- What qualifies as personal data?
- Do all personal data enjoy the same level of protection?
- Who bears the responsibility for collecting, processing, and safeguarding this data?
Below, we aim to explain these key issues in a simple and practical manner.
What is considered personal data under the Law on Personal Data Protection (LPDP)?
According to Law No. 06/L-082 on the Protection of Personal Data (LPDP), personal data is defined as any information relating to an identified or identifiable natural person, including:
– Name;
– Identification number;
– Location data;
– Online identifiers;
– One or more elements specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This definition reflects a narrower view of what constitutes personal data. In a broader sense, any piece of information that can be used to identify a person, even if not explicitly listed above, may be considered personal data.
Sometimes, information that seems neutral or generic on its own may still be personal data when combined with other information or within a specific context. For example:
– Clothing or shoe size: While this information alone may not identify a person, if used alongside other data that does identify them, it becomes personal data.
– Written exam responses: The answers provided by a candidate during a professional exam, as well as any comments made by the evaluator about those responses, are considered personal data of the candidate.
This illustrates how personal data is defined under the LPDP. However, it’s important to note that not all data carry the same significance or fall into the same category.
The LPDP distinguishes between general personal data and special categories of personal data, often referred to as sensitive data.
What is considered sensitive personal data?
Sensitive personal data includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data, health-related data, and data concerning a person’s sex life or sexual orientation.
Examples of sensitive personal data include:
– Health data: A medical report provided by an employer describing an employee’s health status, or survey results indicating a person has a disability;
– Political opinions: A list of members of a political party revealing their political beliefs and affiliations;
– Religious beliefs: Information indicating that a person fasts during Ramadan, or that a person identifies as Catholic, Orthodox, or Protestant, if such information leads to identifying that person.
By law, the processing of sensitive data is prohibited, except in very specific circumstances.
Sensitive data may be processed only if:
– The data subject has given explicit consent;
– Processing is necessary for employment, social security, or social protection obligations;
– It is necessary to protect the vital interests of the data subject or another individual, especially when the subject is incapable of giving consent;
– The data has been made public by the subject;
– It is necessary for the establishment, exercise, or defense of legal claims, or when courts act in a judicial capacity;
– It is carried out for important public interest reasons, based on law;
– It serves preventive or occupational medicine purposes;
– It is necessary for archiving in the public interest, scientific or historical research, or statistical purposes;
– It is done by organizations such as unions, religious communities, or NGOs for the legitimate activities of their own members only.
In all such cases, sensitive data must be processed proportionally to the purpose, protected with special safeguards, and properly classified to prevent unauthorized access or misuse.
Personal Data of Children
Children’s personal data is subject to the same definition as adult data, but its processing and protection require special conditions.
Children’s data enjoys enhanced protection, especially when processed by information society services (e.g., websites, apps, or social media).
Processing may occur only if the child gives specific consent for one or more purposes. To give valid consent, the child must be at least 16 years old.
If the child is under 16, parental or guardian consent is required.
Data of Deceased Individuals
The LPDP does not apply to personal data of deceased individuals. Such data is not protected under this law.
Data of Legal Entities
The LPDP does not apply to legal entities. Therefore, data such as the name, registration number, tax ID, unique identifier, business address, email, or contact number of a company is not considered personal data.
Beyond understanding what qualifies as personal data and how it is categorized under the LPDP, it is crucial to define the roles of data controllers and data processors, as they are the parties held accountable for how personal data is handled.
Who is a Data Controller?
A data controller is any natural or legal person, from the public or private sector, who alone or jointly determines the purposes and means of processing personal data.
Examples: An online clothing retailer that collects customer data for orders and marketing purposes. A hospital that collects patient data for diagnostics and treatment.
Who is a Data Processor?
A data processor is any natural or legal person, from the public or private sector, who processes personal data on behalf of the controller.
Examples: A marketing company that sends promotional emails based on instructions from the online retailer. An IT company that hosts or maintains the hospital’s data systems, without determining the purpose of data processing.
Understanding what constitutes personal data, and recognizing who controls or processes it, is the first step toward protecting privacy and ensuring compliance with the law.
In our upcoming articles, we will explore the practical obligations of data controllers and processors in greater depth.
Author: Valmir Haziraj