Imagine that you process your users’ data "place of birth" (e.g. Barcelona), data "residence" (e.g. Madrid), data "age" (e.g. 23 years), data "health" (e.g. 4 cavities), or "car number plate data" (e.g. M 6699 FGH).

How many people were born in Barcelona, live in Madrid, are 23 years old, have 4 cavities and his/her car number plate is M 6699 FGH?

These data appear to be personal data, but “alone" do not serve to identify anyone in particular, unless you have other data with which to combine or associate them and reasonable means, such as singularization, to identify directly or indirectly its owner.

The European General Data Protection Regulation (GDPR) defines personal data from an objective and very broad point of view:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

At a time when the data obtained from the analysis of people's behaviour, offline or online, or from their electronic devices, may serve to indirectly identify their owner, potentially, practically all types of data could be personal data. Think of data such as "type of food" (e.g. vegan), "frequency of fuelling" (e.g. once a week), "public transport" (e.g. underground) or "means of payment" (e.g. debit card).

If this were the case, the GDPR would simply become an omnipresent law (i.e. the "Law of Everything"). No one would escape its application and all processing of information would be subject to the strict regime of the GDPR (and of the national laws that are applicable in each country, of course) with probably disastrous consequences that would end up slowing down the digital agenda in Europe.

But, fortunately, analysing whether a data is personal data, or not, also depends on who is dealing with it.

Data circulate or flow from one to another regardless of their role in data processing, that is, regardless of whether they are controllers, intermediaries, processors, sub-processors, representatives, control authorities, recipients and any other third parties; whether public authorities or private companies, whether they exercise public powers or not and regardless of the legitimate basis for their processing.

For example, with the data "car number plate" the Traffic Public Authority could identify the owner of the car, but I could not.

Not all of us have the same data with which to compare or associate them, nor the same reasonable means to associate the data with its owner.

To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. 

That is to say, the same data can be a personal data for me and not for you. Therefore, I would have to comply with the RGPD and you would not. This can be very relevant, especially for small and medium-sized companies that want to reuse data obtained by others for their own purposes and do not need them to be traceable until their owner is identified.

There are few non-personal data from its origin (e.g. amount of rain that falls in Seville) and few data relating to a physical person that are anonymous because it is not known who generated them (e.g. the murderer still undiscovered).

In order to be able to process data, originally considered personal data, without all or part of the restrictions imposed by the GDPR, they must have previously undergone an effective processing:

- pseudonymization, so that the person who treats them cannot attribute them to a natural person because they do not have the additional information they would need for identification. The same data would be personal for those who can associate it with a person and non-personal for those who lack such means.

- anonymization, so that the data is no longer attributable to a natural person because nobody has the information or the means to be able to identify its original owner.

- aggregation, in such a way that the data are received in banks or summarized datasets without any room for individualization or singularization by the person who treats them.

All this seems very obvious, but taking it into account can greatly facilitate the processing of data by many businesses and can be the basis for many open data and data reuse initiatives currently being processed exclusively by public authorities or by certain private entities and, for purposes other than those for which they were obtained.

Another question to consider, from now onwards, is or will be whether, as a result of technological advances, the processes of pseudonymization, anonymization or aggregation are or will become ineffective ...

If you have found it interesting and would like us to go a little deeper, do not hesitate to contact me at info@lawingit.com

Translated with www.DeepL.com/Translator