Collection of personal data - how to identify it?


External article

Author: Mariola Malicka, legal advisor at

The collection of personal data is one of the basic concepts in the field of personal data protection law. In the light of this law, a collection of personal data is a set of personal data, having its own structure, in which data are available according to specific criteria.

The collections will be both those that are processed traditionally, manually (folders, files), and automated ones, processed in IT systems (professional databases).

It would seem that the matter is simple and each structured set of personal data, processed in a traditional or automated way, is relatively easy to identify as a set. Most data controllers, however, have many problems with understanding the issues related to the protection of personal data in the scope of their obligations. One of the important issues in the field of personal data protection, with which entrepreneurs grapple with understanding, is the collection of personal data.

Practice shows that the identification of personal data files still causes quite a few problems. Often, during an audit, entrepreneurs are surprised that they process so many sets of personal data in their organization. They do not understand and do not really feel the need to distinguish between different sets in the company.

Finally, it is worth giving a novice administrator how to recognize a set of personal data in your organization:

  • in the light of the Act on the Protection of Personal Data, the collection of personal data must have an ordered structure, it cannot be a random set,
  • a set is a set of data available according to specific criteria

According to the Chief Inspector of Personal Data, in order to classify any set of data as a set within the meaning of the Personal Data Protection Act, one criterion is sufficient to find personal data in the set. The possibility of searching according to any criteria of personal (e.g. name, surname, date of birth, PESEL number) or non-personal (e.g. date of including the data in the filing system) determines the structured nature of the data set and thus allows the set to be classified as a personal data set.

Online Tips

Do you run a company and have questions?

Take advantage of the expert advice of the Entrepreneur's Guide

Online advice for businesses

In the light of this position, a set of contracts, for example, purchase and sale contracts arranged chronologically according to the date of conclusion, as long as the possibility of accessing personal data according to any criterion is created, will be a set of personal data within the meaning of the GDPR.

It is also often the case that entrepreneurs create many different sets, which they identify as one set. For example, the customer base of the online store processed for various purposes, such as order processing, marketing, maintaining a database of civil law contracts, may not be submitted for registration to the Inspector General for Personal Data Protection as one set of personal data.

For the implementation of various purposes, it will be necessary to process personal data in various scopes, which means that the filing of a filing system for registration concerns not one, but several filing systems for different purposes.

Ultimately, the interpretation of whether we are dealing with a set within the meaning of the Act on the Protection of Personal Data with full consequences resulting from this fact may be made by the personal data protection authority or - in the event of a dispute - by a court.