For the purposes of this regulation, the following definitions shall apply:
(1) "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more elements characterizing the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;
(Considerations 14-15-26-27)
The protection afforded by this Regulation concerns natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of data on legal persons and in particular companies established as legal persons, such as the name and legal form of the legal person and the contact details of the legal person.
To avoid a serious risk of circumvention, the protection of natural persons should be technology-neutral and should not depend on the technologies used. The protection of natural persons should apply to both automated processing of personal data and manual processing thereof if the personal data are stored or intended to be stored in a file.
Files or a collection of files and their covers which are not structured according to specific criteria should not fall within the scope of this Directive.
Data protection principles should apply to any data concerning an identified or identifiable natural person. Pseudonymized personal data that can be linked to a natural person through the use of additional data should be considered data about an identifiable natural person. To determine whether a natural person is identifiable, account must be taken of all means likely reasonably to be used by the controller or by another person to identify the natural person directly or indirectly, e.g., selection techniques. In determining whether means are reasonably likely to be used to identify the natural person, consideration should be given to all objective factors, such as the costs and time required for identification, taking into account the technology available at the time of processing and technological developments. Data protection principles should therefore not apply to anonymous data, namely data which do not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a way that the data subject is not or no longer identifiable. This Regulation therefore does not cover the processing of such anonymous data, including for statistical or research purposes.
This Regulation does not apply to the personal data of deceased persons. Member States may adopt rules concerning the processing of personal data of deceased persons.
See also WP29, 136 Opinion 4/2007 on the concept of personal data
Finding: ec.europa.eu/justice/article-29/documentation/opinion- recommendation/files/2007/wp136_en.pdf
The Personal Data Protection Act defines it as follows: any data relating to an identified or identifiable natural person. The person about whom data is processed is the data subject.
Article 1 Section a personal data
Data relating to an individual and the identifiability of an individual
The information must relate to a person
First, whether the data contain information about a person is relevant to the concept of personal data. In many cases, such as factual or evaluative data about characteristics, opinions or behaviors, this will follow from the nature of the data. In other cases, consideration will need to be given in part to the context in which the data is recorded and used. If data partly determine the way in which the person concerned is assessed or treated in society, these data must be regarded as personal data. The (social) use that is made of data is therefore co-determinant in answering the question of whether it is personal data.
The information must lead to the identifiability of an individual
The identifiability of the person is the second element that determines whether a person is personal data. The basic principle is that a person is identifiable if his identity can reasonably be established without disproportionate effort. Two factors play a role here: the nature of the data and the ability of the data controller to establish identification.
(a) Nature of the data
An identifiable person is one who can be directly or indirectly identified, in particular by one or more specific elements characterizing his or her physical, physiological, psychological, economic, cultural or social identity.
Indirectly identifying
This occurs when data does not lead directly to identification of a particular person but can be related to a particular person through further steps. This type of data is called indirectly identifying data. They may be de-identified, but under circumstances may be reduced to a particular person through combination with other data.
See also: telephone numbers (Registration Office July 8, 1993, 93.A.002), car license plates (Registration Office October 15, 1993, 92.F.008) and zip codes with house numbers.
(b) The ability of the responsible party to establish identification.
This means that in such a case, the person responsible will have to consider whether or not the data in question in the hands of the recipient will be identifiable. The determining factor is what can reasonably be expected in the given situation. The more possibilities a provider has to foresee or limit the risks of identification by the recipient, the more care can be expected from him in this respect. As information technology advances, account must be taken of the fact that where previously there may have been a disproportionate effort (and thus no personal data), this effort becomes less with the availability of new techniques. The data in question may therefore come within the scope of the bill. The concept is thus to some extent technology-independent in the sense that technical developments lead to a different application of the same concept in order to preserve the rationale of the regulations - the protection of the individual.
Therefore, what can be considered as anonymous data, because it cannot reasonably be traced back to a person, at a certain state of the art, can still become personal data due to technical developments, given the increased possibilities of tracing.(MoT p. 45 ff. and AVG recital 15)
Object Data
Data which by their nature do not relate to individuals or - given the context in which they are processed - co-determine how an individual is assessed or treated in society are not personal data. Data that merely designate objects, for example stolen goods or identity documents, are not personal data if they do not contain information with the help of which individuals' social position can be affected. They are pure object data.
The same applies to data that identify immovable property or other registered property. The fact that these items can be traced to an individual natural person through a public register such as the land registry does not in itself detract from this (does not make them subject to the WBP). It would be different if a provision of such object data (e.g. overviews of properties and inheritances with additional information about their size and nature) is accompanied by additional data about persons, making it possible to search for individuals.
Sometimes it is argued that one does have personal data, but that the law does not apply "because we don't do anything with it. Then the legal rules still apply, because from the moment of collection, due diligence, the principle of purpose limitation and the duty to inform apply.
If a tag, which contains a unique identifier, is worn by an individual, that identifier should also be treated as personal data.
An ip address is personal data, see
