The definition of personal data

AuthorMichèle Finck
STOA | Panel for the Future of Science and Technology
3. The definition of personal data
The definition of personal data determines the GDPR's scope of application and is accordingly of
paramount importance. The Regulation only applies to data that is considered 'personal' in nature.
Notwithstanding, '[w]hat constitutes personal data is one of the central causes of doubt' in the
current data protection regime.85 The difficulty of determining what counts as personal data is
anchored in various factors. First, continuing technical developments make it ever easier to identify
individuals on the basis of data that may not be personal on its face. Second, the GDPR's broad
definition of personal data encompasses ever more data points. Third, much uncertainty pertains to
the notions of pseudonymisation and anonymisation in the GDPR; and finally, despite the GDPR's
harmonising aim considerable divergences remain in national law and policy that have added
confusion to this area of the law.
The Regulation adopts a binary perspective be tween personal data and non-personal data and
subjects only the former to its scope of application. 86 Pursuant to Recital 26 GDPR, the Regulation
indeed does not apply to anonymous data. In contrast with this binary legal perspective, reality
operates on a spectrum between data that is clearly personal, data that is clearly anonymous (an
uncontroversial example should be that of climatic data from outer space that does not reveal
information about those that collected it) and anything in between.87
Today, much economic value is derived from data that is not personal on its face but can be
rendered personal if sufficient effort is put in place. The current battlefield in defining personal data
relates to 'data which when collected and processed has the potential to have an impact on the
personal privacy of particular users, perhaps including their economic and emotional wellbeing,
from data which definitely does not have such potential. Data which originally related to a living
person but now claims to be 'anonymised' in some sense perhaps merely by the substitutions of
an identifier for a name can still be very useful for businesses and very intrusive to personal
privacy'.88 Beyond, there is an ongoing debate as to whether personal data can be manipulated to
become anonymous that is of much relevance in contexts where encryption and hashing are used,
as is the case for DLT.89 This section traces th e uncertain contours of personal and anonymous data
respectively to determine what data that is frequently used in relation to blockchains may qualify as
personal data.
Article 4(1) GDPR defines personal da ta as follows:
any information relating to an identified or identifiable natural person ('data
subject'); an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors
85 Edwards L (2018), Law, Policy and the Internet, Oxford: Hart Publishing, 84.
86 Some might object that ‘pseudonymous data’ was introduced as third category by the GDPR. Below it will be seen that
pseudonymization is more adequately seen as a method of data processing rather than a separate category of data in EU
data protection law.
87 Note however, Purtova N (2018) ‘The law of everything. Broad concept of personal data an d future of EU data protection
law’ 10 Law, Innovation and Technology 40.
88 Edwards L (2018), Law, Policy and the Internet, Oxford: Hart Publishing, 85
89 See further Finck M and Pallas F, ‘Anonymisation Techniques and the GDPR’ (draft on file with author).
Blockchain and the General Data Protection Regulation
specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person 90
Article 4 (1) GDPR underlines that personal data is data that directly or indirectly relates to an
identified or identifiable natural person. The reference to an 'identifiable' person underlines that
the data subject does not need to be already identified for data to qualify as personal data. The mere
possibility of identification is sufficient.91 The Article 29 Working Party has issued guidance on how
the four constituent elements of the test in Article 4 (1) GDPR – 'any information', 'relating to', 'an
identified or identifiable' and 'natural person' – ought to be interpreted.92
Information is to be construed broadly, and includes both objective information (such as a name
or the presence of a given substance in one's blood) but also subjective analysis such as informati on,
opinions and assessments. 93 Note, however, that the ECJ has clarified in the meantime that whereas
information contained in the application for a residence permit and data contained in legal analysis
qualify as personal data, related legal analysis does not. 94 Information qualified as personal data can
include information that is unrelated to one's private life, underlining the distinction between the
concepts of data protection and privacy. 95 Personal data can also take any form, whether it is
alphabetical or numerical data, videos and pictures.96 The Court has indeed confirmed that 'the
image of a person recorded by a camera' constitutes personal data.97
Second, data can be considered to be 'relating to' a data subject 'when it is about that individual'.98
This obviously includes information that is in an individual's file but can also include vehicle data
that reveals information about a given data subject such as a driver or passenger.99 An individual is
considered to be 'identified' or 'identifiable' where it can be 'distinguished' from others.100 This does
not require that the individual's name can be found. According to the Court, identifying individuals
'by name or by other means, for instance by giving their telephone number or information regarding
their working conditions, and hobbies, constitutes the processing of personal data'.101 Personal data
is accordingly 'information, by reason of its content, purpose or effect, is linked to a particular
Personal data relates to an identified or identifiable natural person. Where data obviously relates
to a natural person, as is the case regarding the data subject's full name, the conclusion that such
data is personal data appears uncontroversial.103 Article 4(1) GDPR however also provides the
examples of location data or an identifier, as personal data. This underlines that data, such as health
90 Article 4(1) GDPR (my own emphasis).
91 Below, the required standard of identifiability is examined in detail.
92 Article 29 Working Party, Opinion 04/2007 on the concept of personal dat a (WP 136) 01248/07/EN, 6.
93 Ibid.
94 Joined Cases C-141/12 and C-372/12 YS v M inister voor Immigratie [2014] EU:C:2014:2081.
95 Article 29 Working Party, Opinion 04/2007 on the concept of personal dat a (WP 136) 01248/07/EN, 7.
96 Ibid.
97 Case C-345/17, Sergejs Buivids EU:C:2019:122, para 31.
98 Article 29 Working Party, Opinion 04/2007 on the concep t of personal data (WP 136) 012 48/07/EN, 9 (emphasis in
99 Article 29 Working Party, Opinion 04/2007 on the concept of personal dat a (WP 136) 01248/07/EN, 10.
100 Ibid, 12.
101 Ibid, 14 and Case C-101/01 Bodil Lindqvis t [2003] EU:C:2003:596, para 27.
102 Case C-434/16 Nowak [2017] EU:C: 2017:994, para 35.
103 In Bodil Lindqvist, the Court held that the term personal data ‘undoubtedly covers the name of a person in conjunction
with his telephone coordinates or information about his working conditions or hobbies’. Case C-101/01 Bodil Lindqvist
[2003] EU:C:2003:596, para 24.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT