Privacy and Data Protection based on the GDPR. Leo Besemer
protection agreed to in the UDHR. These have ranged from guidelines to a charter, to conventions and so on. Ultimately, but only after all lighter means had been tried and it had become clear that even a directive was insufficient to make adequate, harmonized legislation regarding the protection of privacy and personal data, the heaviest means available to the EU was finally deployed, a regulation.
1.3 The scope of the GDPR
The GDPR is about processing personal data. But when is data “personal data”? And what, exactly, is “processing”?
1.3.1 The concept of personal data
In practice, we distinguish three types of personal data.
1.3.1.1 Direct personal data
Direct personal data is data that can be attributed directly to a specific data subject without the use of additional information. For instance, the data subject’s photo, DNA or fingerprints. A name can be direct personal data if it is a rare one, like Helen Mirren. There is no need to add “the actress” to that name, as she is the only person by that name (and actually Helen Mirren was born with the last name Mironoff, which her Russian father anglicized). Most names are not a unique identification of a person, and hence not direct personal data. A unique title, such as “the current prime minister of France”, or “Simon, Earl Nelson” are direct references to an individual, thus direct personal data.
1.3.1.2 Indirect personal data
Indirect personal data is data that can be, or could be in the future, linked to a specific data subject using additional information. For example, the number plate of a car is indirect personal data, because it is possible to trace the car to its owner using additional information (in this case the information in a database where the number plates are related to the owners of the cars). The same is true for unique numbers assigned to people by the government (social security number) or by one’s ISP (IP address), which can be linked to a unique individual. The fact that not every controller is able to trace a license plate, social security number or IP address to the associated individual is not important. The fact that it is possible to identify the data subject makes it (indirect) personal data.
Names are indirect personal data where the name is common enough not to point to a specific person. If you want to distinguish “James Williams” from other individuals by that name, you would need additional information such as residence and date of birth.
In practice, we usually work with a variety of data on a person, each item of which is not personal data by itself, but which, when combined, links to a unique individual. That is the reason for always being careful with data on persons. It is usually not a single fact about a person, but the combination of data on a person, that identifies a unique individual.
1.3.1.3 Pseudonymized personal data
Data pseudonymization is the process of disguising identities. The aim of such a process is to be able to collect additional data relating to the same individual without having to know his or her identity. Pseudonymization is one of the means mentioned in the GDPR to prevent unauthorized access to personal data.
An example might be a camera registering how many unique cars pass under a bridge on a road. The license plate number is indirect personal data. The controller would then replace each license plate number with a unique key (called a pseudonym), keeping a separate table linking each key to the corresponding license plate. The controller could then send this pseudonymized data to a processor, keeping the key in a safe place. This way the processor has no way to identify who has passed the bridge.
Pseudonymized data is a kind of indirect personal data, where the additional data required to identify the data subjects (the key linking each pseudonym to a data subject) is only available to the controller. The process is reversible as long as the key exists. Consequently, pseudonymized data on a person is considered (indirect) personal data, because identification is still technically possible.
1.3.1.4 Anonymized data
Anonymization means that all information by which the person to whom the data relates can be identified directly or indirectly, is removed. Anonymized data on a person is not considered personal data. Pseudonymized data can be anonymized by destroying the key.
Example: For research on health and eating habits a selected group of data subjects is called. Names, telephone numbers and other data of the data subjects are known and kept in a database, for which the data subjects gave their permission.
The data subjects are called multiple times during the research. Once the research period is over, all identifying data is erased after gathering the information needed for the research. This means that the data can no longer be linked to the specific data subjects, because no key exists. Only more general personal data like gender and age category remain linked to the data about health and eating habits. In other words, the data that is left after the research is anonymized.
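The bridge example above and the key destruction described under anonymization, worked through in code. This is an added illustration, not from the book: the controller keeps the pseudonym table (the key) and hands out only pseudonymized sightings; the processor's task (counting unique cars) is an assumed one, and the sightings are constructed sample data.

```python
import secrets

# Constructed sample: cars seen by the camera under the bridge (time, number plate)
SIGHTINGS = [
    ("08:00", "AB-123-CD"),
    ("08:05", "EF-456-GH"),
    ("08:20", "AB-123-CD"),   # the same car passes a second time
    ("09:10", "IJ-789-KL"),
]


class Controller:
    """Holds the re-identification table (the 'key'). Only pseudonymized data leaves."""

    def __init__(self):
        self._plate_to_pseudonym = {}
        self._pseudonym_to_plate = {}

    def pseudonymize(self, plate):
        # The same plate always gets the same pseudonym, so the processor can still
        # count unique cars. The pseudonym is a random token, not a hash of the plate:
        # the set of possible plates is small enough that a hash could be reversed by
        # trying every plate, which would defeat the purpose.
        if plate not in self._plate_to_pseudonym:
            token = "car-" + secrets.token_hex(8)
            self._plate_to_pseudonym[plate] = token
            self._pseudonym_to_plate[token] = plate
        return self._plate_to_pseudonym[plate]

    def export(self, sightings):
        """The dataset sent to the processor: plates replaced by pseudonyms."""
        return [(time, self.pseudonymize(plate)) for time, plate in sightings]

    def reidentify(self, pseudonym):
        if self._pseudonym_to_plate is None:
            raise LookupError("key destroyed: data is anonymized, re-identification impossible")
        return self._pseudonym_to_plate[pseudonym]

    def destroy_key(self):
        """Anonymization: without the key, the exported data can no longer be linked back."""
        self._plate_to_pseudonym = None
        self._pseudonym_to_plate = None


def count_unique_cars(pseudonymized):
    """What the processor does: it works on pseudonyms and never sees a plate."""
    return len({pseudonym for _, pseudonym in pseudonymized})
```

Note that the exported dataset is unchanged by destroying the key; what changes is whether anyone, including the controller, can still turn a pseudonym back into a plate.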
1.3.1.5 The concept of processing
In the context of the GDPR, processing is always about personal data. According to the definition, “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, (…)”. That includes almost anything you might want to do with personal data. In fact, it is hard to find an example of something you might do with data that is not covered by this definition.
1.3.2 Material scope of the GDPR
In early 2018, ahead of the impending introduction of the GDPR, many stories were circulating about the new law. It would be much stricter and, above all, comprehensive. Almost all information about people is personal data, and almost everything you want to do with that data is subject to the law.
According to sources on the internet around that time, a note was posted on the door of an Italian butcher shop (Figure 1.7). Translated into English it reads:
“Attention! In our butcher shop we might ask for your name and remember your preferences in terms of meat. If you are worried about this, please enter while shouting ’I refuse consent!’ From then on, we will pretend not to know you.”
The story has been repeated many times, and depending on which version you come across the butcher may also have been German or Austrian (in which case the picture shown here would be a fake). But the concern may very well have been real.
Figure 1.7 A butcher’s note.
It is certainly true that any information on an identifiable person is regarded as personal data, and most of the things you might want to do with personal data are deemed as processing according to the law. But the case of the Italian butcher sounds far-fetched. Would this really be necessary?
The GDPR states that:
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
GDPR Article 2(1)
The information on preferences regarding products would in general not really be data identifying a natural person. Even in a small village it would probably never be possible to identify a person from the kind of meat he or she buys. And then, could the memory of a butcher be considered a filing system? What is, according