What is personal data under the General Data Protection Regulation?
The GDPR[1] defines personal data as “any information relating to an identified or identifiable natural person” (Article 4 (1) GDPR). According to this definition, any information has the theoretical potential to become personal data. The GDPR does not provide an exhaustive list of personal data; instead, it provides an extensive and flexible definition of the concept of ‘personal data’. In Nowak, the CJEU explains the meaning of the definition of personal data:
“The use of the expression ‘any information’ in the definition of the concept of ‘personal data’, within Article 2(a) of Directive 95/46, reflects the aim of the EU legislature to assign a wide scope to that concept, which is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject.” (para. 34)
Returning to the main question of this article (what is personal data?), here are some examples of personal data: identification personal data (name, surname, address, national identification number, etc.), physical characteristics (image, eye colour, hair colour, weight, height, tattoos, skin colour, etc.), personal data concerning health (disease, treatments, prescriptions, results of medical tests, doctor’s appointments, blood type, etc.), personal data related to education (studies, grades, failed or passed exams, etc.), personal data concerning work (profession, workplace, position, etc.), personal data involving electronic communications (telephone, social media, etc.), location and traffic personal data (IP addresses, cookies, etc.), the opinions or observations of others, personal data concerning family (marital status, number of children, etc.), tracking data (IP addresses, digital fingerprints, GPS coordinates, other online identifiers).
Personal data according to the CJEU’s jurisprudence
The CJEU’s jurisprudence helps to explain what personal data is. In Worten[2], the CJEU considered that the record of working time (containing the indication, in relation to each worker, of the times when working hours begin and end, as well as the corresponding breaks and intervals) constitutes personal data. In Rynes, the CJEU stated that an image of a person captured by CCTV constitutes personal data ‘inasmuch as it makes it possible to identify the person concerned’ (para. 22). In Breyer, the CJEU stated that a dynamic IP address can constitute personal data. In Nowak, the CJEU considered that written answers submitted by a candidate in a professional examination and the examiner’s comments with respect to those answers constitute personal data according to the extensive definition provided by data protection law as “any information relating to an identified or identifiable natural person”.
What about sensitive personal data?
There are two categories of personal data: ordinary personal data and sensitive (or special) personal data. The ordinary data category includes most personal data. By contrast, special categories of personal data (‘sensitive data’) include personal data whose processing involves higher risks for the data subject. This special category of personal data is subject to a different legal regime of processing. This category includes:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life, personal data concerning sexual orientation;
- in some countries, the national identification number (for example, in Romania, the processing of the national identification number has a restrictive legal regime of processing);
- personal data involving children;
- personal data relating to criminal convictions and offenses.
What is personal data according to data protection authorities?
The Article 29 Data Protection Working Party (WP29) recommends that the concept of personal data be analyzed through its main building blocks: ‘any information’, ‘relating to’, ‘an identified or identifiable’ and ‘natural person’.
Regarding the first element, ‘any information’, the information can have an objective nature (information that does not support interpretations, like name, position or marital status) or a subjective nature (for example, interpreting a person’s behaviour)[3]. Personal data can be correct or incorrect because, as WP29 states, ‘for information to be ‘personal data’, it is not necessary that it [personal data] be true or proven’. Furthermore, personal data can be provided by the data subject[4] (for example, when the data subject fills in an online form), or the information can be generated by third parties (telephone number, bank account, IP address, etc.). Regarding the content of information, personal data can contain all kinds of information, not just intimate information about a person, but also personal data concerning the social, professional, or economic behaviour of a person[5].
Regarding the second element, ‘relating to’, personal data must refer to a natural person. Data concerning phenomena or things without a connection to a natural person does not fall under the protection of the GDPR. Also, anonymous data does not fall under the protection of the GDPR, because it is not considered personal. Recital (26) GDPR is clear in this matter: ‘The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not, therefore, concern the processing of such anonymous information, including for statistical or research purposes’. Nevertheless, pseudonymized personal data falls under data protection laws because this kind of data concerns a data subject and the data subject can be identified.
To answer the main question of the article (‘what is personal data’), we shall therefore analyze the third element of the definition, ‘an identified or identifiable’. The process of identification can be carried out through direct or indirect means. WP29 makes the following observations:
‘In general terms, a natural person can be considered as “identified” when, within a group of persons, he or she is “distinguished” from all other members of the group. Accordingly, the natural person is “identifiable” when, although the person has not been identified yet, it is possible to do it (that is the meaning of the suffix “-able”). This second alternative is therefore in practice the threshold condition determining whether information is within the scope of the third element’.
In other words, if the identification of a person is possible (directly or indirectly), we are in the presence of personal data. Recital (26) GDPR states that ‘to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments’. The case that best explains the notion of identification is Breyer[6]. In this case, the CJEU states that a dynamic IP address can fall within the concept of personal data even if the person could not be directly identified. The CJEU stated that ‘in order to treat information as personal data, it is not necessary that that information alone allows the data subject to be identified’ (para. 41) and ‘to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person’ (para. 42). In Breyer, the CJEU stated that, even if a dynamic IP address does not relate to an identified person, the data protection laws still apply because indirect identification is possible. How can this indirect identification be carried out? The CJEU offers an example of indirect identification (paras. 39-48), showing that, in the event of a cyberattack, the person can be identified by combining the IP address with other personal data held by the internet access provider.
Regarding the last element of the definition, ‘natural person’, two explanations are required. First of all, personal data should concern individuals and not legal persons. However, there is an exception to this rule. In Volker und Markus Schecke and Eifert[7], the CJEU stated that data protection legislation applies where ‘directly natural persons who are members of a company’ can be identified from the name of a company. At the same time, we consider that although the GDPR does not apply to legal persons, information about persons within companies constitutes personal data under the GDPR[8]. For example, as we have stated in the past, “if an email company address in the office@domeniu.ro format is not a personal data, an email address in the nume.prenume@domeniu.ro format will be a personal data”[9]. It should also be added that although the GDPR does not protect legal persons, the data on directors and shareholders falls under the protection of the GDPR even when processed by the Chambers of Commerce, as the CJEU pointed out in Manni[10]. Second, recital (26) GDPR states that the GDPR does not apply to personal data relating to deceased persons. However, according to the GDPR, Member States are free to adopt additional rules on the processing of personal data relating to deceased persons. Member States like Italy and Denmark have already introduced protection of personal data relating to deceased persons[11]. Romanian national law has not yet introduced such additional protection. However, Article 78 of the Romanian Civil Code provides that ‘the deceased person is owed respect for his memory as well as his body’. I therefore consider that, to give full effect to Article 78 of the Romanian Civil Code in the context of new technologies, data processing should be lawful even after the person has passed away.
References:
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC OJ L 119, 4.5.2016, p. 1–88.
[2] Case C-342/12, Worten, judgment of 30 May 2013 (ECLI:EU:C:2013:355).
[3] Simona Șandru, Protecția Datelor Personale Și Viața Privată (Hamangiu 2016), 194.
[4] ibid 194-195.
[5] WP29, Opinion 4/2007 on the concept of personal data (2007), 7.
[6] Case C-582/14, Breyer, judgment of 19 October 2016 (ECLI:EU:C:2016:779).
[7] Joined Cases C-92/09 and C-93/09, Volker und Markus Schecke and Eifert, judgment of 9 November 2010 (ECLI:EU:C:2010:662).
[8] Ruxandra Sava, GDPR Pe Înțelesul Tău. Sinteză Teoretică Și Recomandări Practice (Universul Juridic 2019), 32.
[9] ibid.
[10] Case C-398/15, Manni, judgment of 9 March 2017 (ECLI:EU:C:2017:197).
[11] Lee A. Bygrave and Luca Tosoni, in Christopher Kuner, Lee A. Bygrave, Christopher Docksey (eds), The EU General Data Protection Regulation (GDPR). A commentary (Oxford University Press 2020), 112.