Personal data is the central concept in data protection. Data protection law applies only if data relates to a person; if data cannot be attributed to a person, the data protection rules do not need to be considered.
Article 4(1) of the EU General Data Protection Regulation (GDPR) defines "personal data" as "any information relating to an identified or identifiable natural person".
The handling of personal data is primarily governed by the GDPR. Other laws containing provisions on personal data either refer directly to the data protection laws or contain their own wording that is aligned with them, e.g. § 67 SGB X (German Social Code, Book X), which defines social data.
Laws, regulations, and court rulings
- GDPR Art. 4(1) (definition of personal data) with recitals 26, 27 and 30
- § 67 SGB X (definition of social data as a specific case of personal data)
- Ruling of the European Court of Justice of 19 Oct 2016 (C-582/14) on whether IP addresses relate to persons (Breyer ruling)
- Ruling of the German Federal Court of Justice (BGH) of 16 May 2017 (Az. VI ZR 135/13) on whether dynamic IP addresses relate to persons
Information about a person
Data protection covers "any information" that relates directly or indirectly to a person. The term is to be interpreted broadly.
Information relating to a person includes, for example:
- Name and identifying information (e.g. date of birth, titles, ID number)
- Contact data (e.g. mailing and e-mail address, phone number)
- Physical characteristics (e.g. height, weight, hair colour, genetic fingerprint, medical conditions, drug use)
- Psychological information (e.g. desires, attitudes, beliefs, legal competence)
- Connections and relationships (e.g. friends and relations, employers)
- Other data (e.g. location data, usage data, activities, statements, value judgements, career, banking information, etc.)
Data is personal only if it relates to a "natural person" in the legal sense, i.e. a living human being, regardless of age or nationality. Data protection provisions therefore also apply to non-EU citizens.
The GDPR does not apply to the data of deceased persons (recital 27); Member States may provide their own rules for such data. Information about "legal entities" (limited companies, corporations, associations, foundations, etc.) is not personal data and is therefore not protected by data protection law.
Identified or identifiable persons
Data is personal only if it relates to an identified or identifiable natural person.
- A person is considered identified if the data refers directly to the person, or if such a reference can be made immediately. Examples of identified persons: "Mr Smith works at company XY", or "March 22 is the birthday of the head of IT at company XY".
- Alternatively, it is sufficient if the person concerned is at least "identifiable". In this case it may not be immediately obvious who the data relates to, but the person can be identified with the help of additional knowledge.
Example of an identifiable person: "Employee no. 1234 accumulated ten hours of overtime last month." A member of the HR department would be able to relate the employee number, and thereby the entire statement, to an actual person.
The key question is whether one needs to have the additional knowledge for identifying a person oneself, or if it is sufficient if somebody else has it.
The European Court of Justice decided that data constitutes personal data in relation to an organisation where the organisation "has the legal means which enable it to identify the data subject with additional data" held by a third party (ECJ, ruling of 19 Oct 2016, C-582/14, para. 49). According to the German Federal Court of Justice, such "legal means" are available whenever third parties who are legally obliged to disclose the identity can be involved (BGH, ruling of 16 May 2017, Az. VI ZR 135/13).
This means that data is considered non-personal only if identification of the person concerned is practically impossible or prohibited by law.
Example: IP addresses
The question of additional knowledge was decided for IP addresses by the European Court of Justice and the German Federal Court of Justice.
- For the telecommunications provider, an IP address assigned to an internet user (subscriber) is personal data: the provider itself holds the means of linking the IP address to the subscriber.
- For a website operator, an IP address is personal data as well, either because the operator has its own additional knowledge (e.g. when the user submits personal data via a contact form) or because it has the legal means of obtaining that information from the telecommunications provider. According to the German court this is practically always the case, because the operator may turn to the competent authority, e.g. in the event of a cyber attack, and thereby have the user identified. The website operator therefore always has the legal means of identification, and an IP address is personal data for it too.
Anonymised and pseudonymised data
If data is anonymised, then this is not considered personal data because the relevant person is neither identified nor identifiable.
This is different for pseudonymised data: Additional knowledge may enable the identification of the relevant person. If the required additional knowledge is accessible, then the data is personal and the data protection laws apply.
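The difference between the two, and the IP address example above, can be made concrete in code. The following is an added example, not part of the original page: it pseudonymises the IP addresses in a constructed web server log with a keyed HMAC (the key is the "additional knowledge"; whoever holds it can link a token back to an address), anonymises them by truncation (no stored information maps the result back to one subscriber), and shows why an unkeyed hash of an IPv4 address is at best a pseudonym, since the whole address space can be enumerated. The log lines and the key are constructed; the addresses are taken from the documentation ranges (RFC 5737, RFC 3849).

```python
import hashlib
import hmac
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample log entries (timestamp, client IP, request). The
# addresses are documentation ranges, not real users.
SAMPLE_LOG: List[Tuple[str, str, str]] = [
    ("2024-03-22T10:15:01Z", "203.0.113.42", "GET /contact"),
    ("2024-03-22T10:15:07Z", "203.0.113.42", "POST /contact"),
    ("2024-03-22T10:16:30Z", "2001:0db8:1234:5678:abcd:ef01:2345:6789", "GET /"),
]


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA-256 over the canonical address form.
    The same address always yields the same token, so requests stay
    linkable; reversing the token requires the key."""
    canonical = str(ipaddress.ip_address(ip))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()[:16]


def reidentify(token: str, key: bytes, candidates: Iterable) -> Optional[str]:
    """Whoever holds the key can link a token back to an address simply by
    recomputing it over a candidate set (for IPv4 the full 2^32 space is
    feasible). This is the 'additional knowledge' that keeps the data personal."""
    for ip in candidates:
        if hmac.compare_digest(pseudonymise_ip(str(ip), key), token):
            return str(ip)
    return None


def anonymise_ip(ip: str) -> str:
    """Truncation: zero the host part (last octet of IPv4, last 80 bits of
    IPv6). The result denotes a block of addresses, not one subscriber, and
    nothing stored anywhere maps it back to a single address."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def unkeyed_hash_ip(ip: str) -> str:
    """What not to do: an unkeyed hash is a deterministic pseudonym that
    anyone can reverse by enumerating the input space."""
    return hashlib.sha256(str(ipaddress.ip_address(ip)).encode()).hexdigest()


def crack_unkeyed(digest: str, network: str) -> Optional[str]:
    """Reverse an unkeyed hash by trying every address in a network."""
    for ip in ipaddress.ip_network(network):
        if unkeyed_hash_ip(str(ip)) == digest:
            return str(ip)
    return None


def pseudonymise_log(entries, key: bytes) -> List[Tuple[str, str, str]]:
    return [(ts, pseudonymise_ip(ip, key), req) for ts, ip, req in entries]


def anonymise_log(entries) -> List[Tuple[str, str, str]]:
    return [(ts, anonymise_ip(ip), req) for ts, ip, req in entries]


if __name__ == "__main__":
    # Constructed key for the demo. In practice: a random key generated with
    # secrets.token_bytes(32), held by a separate role and never stored
    # beside the pseudonymised logs.
    demo_key = b"demo-key-held-by-a-separate-team"
    for row in pseudonymise_log(SAMPLE_LOG, demo_key):
        print("pseudonymised:", row)
    for row in anonymise_log(SAMPLE_LOG):
        print("anonymised:   ", row)
    token = pseudonymise_ip("203.0.113.42", demo_key)
    print("re-identified with key:", reidentify(token, demo_key, ipaddress.ip_network("203.0.113.0/24")))
    print("unkeyed hash cracked:  ", crack_unkeyed(unkeyed_hash_ip("203.0.113.42"), "203.0.113.0/24"))
```

The pseudonymised log still lets the operator correlate the two contact-form requests as one visitor, which is exactly why it remains personal data in the operator's hands: the key, or the provider's subscriber records, is the additional knowledge. The truncated log loses that linkability within a /24 but can no longer be traced to a subscriber, which is what anonymisation in the legal sense requires.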
Special categories of personal data
This is a subcategory of personal data. "Special categories of personal data" are subject to stricter protection.
Definition according to the BDSG (old version, in force before the GDPR):
The pertinent definition of the term "personal data" was found in § 3(1) of the Federal Data Protection Act (BDSG). Other data protection laws either referred to it or repeated it more or less verbatim. According to this definition, personal data is
- Individual information
- about personal or material circumstances
- of an identified or identifiable natural person.
Important in practice
In practice, it is important that only the data of natural persons can be personal. Natural persons can be described, somewhat colloquially, as "people of flesh and blood".
The data of legal entities (limited companies, corporations, etc.) is therefore not covered. The only exception is the data of a one-person limited company (a company in which the owner and the manager are the same person), which is considered the personal data of its owner/manager.
At first glance this may seem to make things easier in practice, but the opposite is true. Because it is not obvious without research whether a company is a one-person limited company, the default assumption must be that any limited company could be one. As a result, even a customer file that contains only the data of limited companies must be treated as personal data.
However, this is only true if the concerned person is identified or identifiable:
- A person is usually "identified" by being named directly.
- A person may be "identifiable" e.g. if the person can be identified using public sources (phone book, but also commercial registers). This broad interpretation of the term "identifiable" means that identifiability is given very frequently in practice.
The other requirements in the BDSG for data to be considered personal, namely
- the characteristic "individual information" and
- "personal or material circumstances"
are usually fulfilled and rarely need to be reviewed. "Individual information" is all information that says something about a person, which in practice is nearly anything. "Personal or material circumstances" covers anything that relates to a person, from their financial situation to their marital status and family relations.
Terms describing non-personal data
Terms describing non-personal data under the old BDSG are anonymous data (§ 3(6) BDSG, old version) on one hand and pseudonymous data (§ 3(6a) BDSG, old version) on the other. Under that definition, anonymisation renders identification impossible or disproportionately difficult, and pseudonymisation replaces the identifying features with a code that excludes or substantially impedes identification; the two differ in how likely identification remains. Note that under the GDPR (recital 26), pseudonymised data is still personal data as long as the additional information needed for re-identification exists, even if it is held separately.