Personal data & GDPR

Personal data and GDPR can be a tough nut to crack, but it’s so important. To be able to feel free when communicating and marketing, you must first of all lay the right foundations. This mainly means knowing who to contact, with what message and on what terms. But what does GDPR actually mean? In this post, we will tell you everything you need to know about handling personal data under the GDPR.

What is personal data according to GDPR?

In the digital world we live in, the difference between an email address and a social security number is subtle. Just as only you have your social security number, only you have your email address. Most people quickly associate the GDPR with personal identification numbers as the typical personal data. But since you are the sole owner of your email address, it is also considered personal data.

What does the GDPR say about personal data?

So what is personal data? Personal data is any information that can be used to identify a living person, including the combination of different data that can identify someone (e.g. in an analysis).

What personal data is covered by the GDPR?

What is personal data? Any information that can be directly or indirectly linked to a living natural person is considered personal data. Images and audio recordings can also be considered personal data if you can see or hear who they are, even if no names are mentioned. Encrypted or coded data is also personal data if someone has a key that can link it to a person.

Examples of information that counts as personal data:

  • E-mail address
  • IP number
  • Personal number
  • Phone number
  • Residential address
  • Customer number
  • Pictures

What doesn’t count as personal information?

Since the consequences of violating the GDPR or handling personal data irresponsibly can be harsh, companies tend to play it safe. However, there are of course some data that do not qualify as sensitive personal data, for example:

  • organization number (except in the case of a sole proprietorship, in which case it is considered personal data)
  • email addresses such as info@företag.se.

Important regarding personal data

What does your company need to consider when it comes to personal data?

  • Identify and document what personal data you currently collect and justify why you collect it.
  • Make sure you can manage any new rights (e.g. the right to be forgotten).
  • Clean up your database and discard old data that is no longer used or active/invalid.

Almost every company has a database containing the contact details of customers, prospects, leads or newsletter subscribers. If that database contains names, email addresses or phone numbers, it means that these data have been processed at some point. The way your business processes personal data is an important part of the new GDPR, and below we try to explain what that means:

Under the GDPR, ‘processing of personal data’ means almost everything that is done with personal data, except communicating. If you have customer contact details in Rule, they have been processed at some point. It will be a requirement that there is someone in charge who can ensure that the processing itself is done properly.

Here are some examples of what counts as personal data processing under the GDPR:

  • Submitting an email address to one or more of your systems.
  • Automatically analyzing and adding additional data, based on the data you already have (also called “populate”).
  • Dividing different personal data into groups/segments to limit or allow certain communications.
  • Pulling out an excel file to manually add names, phone numbers, etc.

There is also a law called the Personal Data Act, so what is the GDPR law in relation to it? “The GDPR law says that companies must be able to demonstrate what they want to do with the personal data collected, stored or recorded. The Personal Data Act (PUL) is more about what is done with the information once it is collected or recorded.”

What your company should think about regarding GDPR and personal data

In order for your company to process personal data, there must be a legal basis that allows the processing. There are really only 3 points that your company needs to keep track of in order to collect new leads and email addresses under the new GDPR:

  1. Consent – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
  2. Contracts – The processing is necessary for the performance of a contract to which the data subject subscribes or for the performance of certain agreements before the data subject accepts such a contract.
  3. Legitimate interest – Personal data may be processed in certain other situations listed in the law. If the processing is necessary and if the controller considers that the processing is not likely to infringe personal integrity, it is allowed. In other words, it is a personal judgment call on the part of the controller, and if it could in any way lead to a violation of the data subject’s privacy, there could be heavy fines or other consequences for the company in question.

Sensitive personal data according to GDPR

So, which GDPR sensitive personal data should you really be aware of?

We list them below:

  • ethnic origin
  • political views
  • religious or philosophical beliefs
  • membership of a trade union
  • health
  • a person’s sexual life or sexual orientation
  • genetic data
  • biometric data used to uniquely identify a person

Is it allowed to email personal data according to the GDPR?

The same assessment should be made for the processing of personal data in email as for the processing of personal data in any other system. IMY (integration authority) states the following recommendations on its website:

  • Once you have received and read the email, assess whether the data should be retained and, if so, where it should be retained in order to meet the requirements applicable to that particular data.
  • Do not send sensitive personal data in unprotected emails.
  • Provide information on your website in connection with the email address on how you process personal data or link from there to your privacy policy.
  • If you send reply emails or autoresponders, include a standard text informing the sender of how you process personal data or link to a privacy policy on your website.
  • Inform everyone in your organization about the rules and procedures for processing personal data in your organization. Also make sure that the procedures are kept alive.

Disclosing personal data to a third party under GDPR

There is a legal basis called ‘balancing of interests’ that allows you as a company to process personal data in certain cases. What matters is whether your interests outweigh those of the data subject and whether the processing of personal data is necessary for the purpose. When you have a legitimate interest as a legal basis, you may disclose personal data to a third party, i.e. a recipient with a legitimate interest. But before you disclose the data, there are three simple but important things to consider:

  • why they want the personal data
  • what they will use the personal data for
  • and whether they really need them

Once you have disclosed the personal data, you must also be able to justify your disclosure. It is then the responsibility of the third party to justify the legal basis on which they support the processing.

What personal data may be stored?

How can data be stored under the GDPR and how long can personal data be stored? Personal data may be retained for as long as necessary for the purpose of processing. So the GDPR requires you to delete personal data you have stored when it is no longer needed for the specific purpose. Then it is time to delete or de-identify it. So, when asked what GDPR stands for, you should now know the link between GDPR and personal data. In short, it is about how (!) you are allowed to handle a user’s personal data.
