- Datenschutz PRAXIS - https://www.datenschutz-praxis.de - DatenschutzPraxis

What is personal data?

Personal data is a key concept in data protection. Data protection laws only apply if the data relates to a person. If data cannot be attributed to a person, then data protection rules do not need to be considered.

Article 4 no. 1 of the EU General Data Protection Regulation (GDPR) [1] defines „personal data“ as „information relating to an identified or identifiable natural person“.

The handling of personal data is primarily governed by the GDPR. Other laws containing stipulations on personal data either refer directly to the data protection laws, or they contain their own wording that is compliant with such laws, e.g. § 67 SGB X (German Social Code) (definition of social data).

Laws, regulations, and court rulings

Information about a person

Data protection covers „all information“ that directly or indirectly relates to a person. The term should be interpreted broadly.

Individual information relating to persons includes, for example:

Natural person

Data is only personal if it relates to a „natural person“ in the legal sense. This means a living human being, independent of age or nationality. Data protection provisions therefore also apply for non-EU citizens.

However, there is no explicit rule for deceased persons, which means that data protection laws do not apply directly. Information about „legal entities“ (limited companies, corporations, associations, foundations, etc.) is not personal and therefore not protected by data protection laws.

Identified or identifiable persons

Data is personal only if it relates to an identified or identifiable natural person.

Additional knowledge

The key question is whether the organization itself must hold the additional knowledge needed to identify a person, or whether it is sufficient that somebody else holds it.

The European Court of Justice decided: Data shall be considered personal if an organization „has the legal means that allow [it] to have the person identified by means of additional knowledge […]“ (European Court of Justice, ruling of 19 Oct 2016, C-582/14 no. 49). „Legal means“ should be considered available if third parties can be involved who are legally required to provide information on the identity (German Federal Court of Justice, ruling of 16 May 2017, Az. VI ZR 135/13).

This means that data is considered non-personal only if an identification of the relevant person is practically impossible or prohibited by law.

Example: IP addresses

Both the European Court of Justice and the German Federal Court of Justice decided the issue of additional knowledge in cases concerning IP addresses.

Anonymised and pseudonymised data

If data is anonymised, then it is not considered personal data because the relevant person is neither identified nor identifiable.

This is different for pseudonymised data: Additional knowledge may enable the identification of the relevant person. If the required additional knowledge is accessible, then the data is personal and the data protection laws apply.

Special categories of personal data

This is a subcategory of personal data. „Special categories of personal data“ have stricter protections in place.

___________________

Definition according to the BDSG (old):

The pertinent definition of the term „personal data“ is found in § 3 paragraph 1 of the Federal Data Protection Act (BDSG). Other data protection laws either refer to it or repeat it more or less verbatim. According to this definition, personal data is

Important in practice

In practice, it is important that only the data of natural persons can be personal. Natural persons can be defined – somewhat colloquially – as „people of flesh and blood.“

The data of legal entities (limited companies, corporations, etc.) is therefore not covered. The only exception: The data of a „one-man limited“, a company where the owner and the manager are one and the same person, is considered the personal data of its owner/manager.

At first glance, it may seem like this makes things easier in practice. However, the opposite is true. Because it is not obvious without research whether a company is a one-man limited, the default assumption must be that any limited company could be a one-man limited. As a result, a customer file that contains only the data of limited companies must be considered personal data.

However, this is only true if the person concerned is identified or identifiable:

The other requirements in the BDSG for data to be considered personal, namely

are usually fulfilled and rarely need to be reviewed. „Individual information“ is all information that says something about a person – in practice nearly anything. „Personal or material circumstances“ covers anything that relates to a person, from their financial situation to their marital status and family relations.

Terms describing non-personal data

Terms describing non-personal data are anonymous data (BDSG § 3 paragraph 6) on the one hand and pseudonymous data (BDSG § 3 paragraph 6 a) on the other. In terms of data protection, both anonymisation and pseudonymisation [3] ensure that a person is no longer identified or identifiable. They differ in the likelihood that identification may still happen.