Key References

  • Art. 4(1) on definition of personal data
  • Recitals 26-27, 30
  • WP29 Opinion 4/2007 on the concept of personal data (01248/07/EN)
  • Anonymisation vs Pseudonymisation
  • Identified vs identifiable

Art. 4(1) Key elements

  • any information
  • relating to
  • an identified
  • or identifiable
  • natural person (‘data subject’)
  • such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Recital 26

  • Personal data that is pseudonymised can nevertheless lead to an identifiable person when it is combined with other additional information.
  • To determine whether a person is identifiable, account should be taken of:
    • all means reasonably likely to be used such as singling out, either by the controller or by another person to identify the person directly or indirectly.
    • all objective factors such as cost and amount of time required to identify.
    • taking into consideration the available technology at the time of the processing and technological developments.
  • The GDPR does not not apply to anonymous information.

Recital 27

  • GDPR does not apply to the personal data of deceased persons.
  • Member States may provide for rules regarding the processing of personal data of deceased persons.

Recital 30

  • Examples of personal data include IP address, cookie identifiers, radio frequency ID tags.
  • A combination of information that is used to create profiles and identity a person is also personal data.

Patrick Breyer v. Bundesrepublik Deutschland (In Case C‑582/14)

  • CJEU case holding that dynamic IP address is personal data.
  • The controller in this case had multiple pieces of personal data on a user, and combining the user’s dynamic IP with other pieces of data, the controller could identify the data subject. The Court held that in this scenario dynamic IP address was personal data.
  • The Court stated that when a controller possesses multiple pieces of data on a user, and has the technical knowhow to combine data to identify a specific user, that would meet the reasonably likely test for personal data in Recital 26. Whether the controller actually uses such technology would not matter.