The Key Concepts of Law 25
Mastering the vocabulary is essential. Misunderstanding these definitions is the number one source of compliance mistakes.
Personal information β a very broad definition
Personal information is any information that concerns a natural person and allows that person to be identified, directly or indirectly.
Examples: name, address, email, phone number, IP address, customer number, photo, geolocation data, purchase history linked to an account.
Sensitive personal information β enhanced protection
Information is sensitive when, by its nature or the context of its use, it gives rise to a high degree of reasonable expectation of privacy.
Examples: health data, biometric data (fingerprints, facial recognition), sexual orientation, ethnic origin, political opinions, detailed financial data.
Practical consequence: sensitive information generally requires express consent (not merely implied) and enhanced protection.
Valid consent β 5 mandatory criteria
Consent must be:
Minors under 14: consent is given by the holder of parental authority.
Automated decisions β transparency obligations
When a decision is made exclusively on the basis of automated processing (an algorithm that denies credit, screens job applications, etc.), the organization must:
- Inform the individual that the decision is automated
- Provide them, on request, with the information used and the main factors
- Allow them to submit their observations to a staff member able to review the decision
Anonymization vs. De-identification
| Concept | Definition | Scope under Law 25 |
|---|---|---|
| De-identification | Removal of direct identifiers. Re-identification remains possible but unlikely. | β The data remains personal information subject to the law. |
| Anonymization | Irreversible modification following best practices. Re-identification is not reasonably possible. | β Falls outside the law's scope β freely usable. |
β Concepts checklist
- β Have we mapped which data we hold is "sensitive"?
- β Do our forms request clear, separate consent for specific purposes?
- β Do we use automated decision-making tools? If so, are they properly governed?
- β Is our "anonymized" data truly irreversible according to best practices?