Blockchain and the General Data Protection Regulation
specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person 90
Article 4 (1) GDPR underlines that personal data is data that directly or indirectly relates to an
identified or identifiable natural person. The reference to an 'identifiable' person underlines that
the data subject does not need to be already identified for data to qualify as personal data. The mere
possibility of identification is sufficient.91 The Article 29 Working Party has issued guidance on how
the four constituent elements of the test in Article 4 (1) GDPR – 'any information', 'relating to', 'an
identified or identifiable' and 'natural person' – ought to be interpreted.92
Information is to be construed broadly, and includes both objective information (such as a name
or the presence of a given substance in one's blood) but also subjective analysis such as informati on,
opinions and assessments. 93 Note, however, that the ECJ has clarified in the meantime that whereas
information contained in the application for a residence permit and data contained in legal analysis
qualify as personal data, related legal analysis does not. 94 Information qualified as personal data can
include information that is unrelated to one's private life, underlining the distinction between the
concepts of data protection and privacy. 95 Personal data can also take any form, whether it is
alphabetical or numerical data, videos and pictures.96 The Court has indeed confirmed that 'the
image of a person recorded by a camera' constitutes personal data.97
Second, data can be considered to be 'relating to' a data subject 'when it is about that individual'.98
This obviously includes information that is in an individual's file but can also include vehicle data
that reveals information about a given data subject such as a driver or passenger.99 An individual is
considered to be 'identified' or 'identifiable' where it can be 'distinguished' from others.100 This does
not require that the individual's name can be found. According to the Court, identifying individuals
'by name or by other means, for instance by giving their telephone number or information regarding
their working conditions, and hobbies, constitutes the processing of personal data'.101 Personal data
is accordingly 'information, by reason of its content, purpose or effect, is linked to a particular
Personal data relates to an identified or identifiable natural person. Where data obviously relates
to a natural person, as is the case regarding the data subject's full name, the conclusion that such
data is personal data appears uncontroversial.103 Article 4(1) GDPR however also provides the
examples of location data or an identifier, as personal data. This underlines that data, such as health
90 Article 4(1) GDPR (my own emphasis).
91 Below, the required standard of identifiability is examined in detail.
92 Article 29 Working Party, Opinion 04/2007 on the concept of personal dat a (WP 136) 01248/07/EN, 6.
94 Joined Cases C-141/12 and C-372/12 YS v M inister voor Immigratie  EU:C:2014:2081.
95 Article 29 Working Party, Opinion 04/2007 on the concept of personal dat a (WP 136) 01248/07/EN, 7.
98 Article 29 Working Party, Opinion 04/2007 on the concep t of personal data (WP 136) 012 48/07/EN, 9 (emphasis in
99 Article 29 Working Party, Opinion 04/2007 on the concept of personal dat a (WP 136) 01248/07/EN, 10.
100 Ibid, 12.
101 Ibid, 14 and Case C-101/01 Bodil Lindqvis t  EU:C:2003:596, para 27.
102 Case C-434/16 Nowak  EU:C: 2017:994, para 35.
103 In Bodil Lindqvist, the Court held that the term personal data ‘undoubtedly covers the name of a person in conjunction
with his telephone coordinates or information about his working conditions or hobbies’. Case C-101/01 Bodil Lindqvist