Simona Sobotovicova (UPV/EHU)
This part of the Guidelines was reviewed by Daniel Jove Villares, Universidade Da Coruna, Spain
This part of the Guidelines has been reviewed and validated by Marko Sijan, Senior Advisor Specialist (HR DPA)
The concept of personal data
Personal data means any information relating to an identified or identifiable natural person (“data subject”). The definition of personal data under GDPR adds that an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person[1]. There is no doubt that the objective of the rules contained in the GDPR is to protect the fundamental rights and freedoms of natural persons and in particular their right to privacy, with regard to the processing of personal data. However, due to the broad definition of personal data laid down in the GDPR, the Article 29 Data Protection Working Party, the National Data Protection Supervisory Authorities and European Court of Justice (hereinafter, ECJ) case law endorse the definition of personal data.
The Article 29 Data Protection Working Party analysis of the concept of personal data in Opinion 4/2007 has been based on the following four main “building blocks” that can be distinguished in the definition of “personal data”[2]:
- “Any information” – This term clearly signals the willingness of the legislator to design a broad concept of personal data. This wording calls for a wide interpretation. It covers “objective” information, such as the presence of a certain substance in one’s blood. It also includes “subjective” information, opinions or assessments. Moreover, for information to be “personal data”, it is not necessary that it be true or proven.
It must be stated that the concept of personal data includes a very wide range of information, “not only objective but also subjective”, in the form of opinions and assessments, provided that it “relates” to the data subject[3].
- “Relating to” – In general terms, information can be considered to “relate” to an individual when it is about that individual. It could be pointed out that, in order to consider that the data “relate” to an individual, a “content” element or a “purpose” element or a “result” element should be present. These three elements (content, purpose, result) must be considered as alternative conditions, and not as cumulative ones, so the presence of one of these elements is enough for the information to be considered to “relate” to an individual.
In the words of the ECJ, the content, purpose or effect criteria act as a parameter for classifying certain information as personal data. If the content, purpose or effect is linked to a particular person, then the information is personal data. The presence of one of these criteria is sufficient to classify any given information as personal data[4].
- “Identified or identifiable” – In general terms, a natural person can be considered as “identified” when, within a group, this person is “distinguished” from all other members of the group. Accordingly, the natural person is “identifiable” when, although the person has not been identified yet, it is possible to do so (that is the meaning of the suffix “-able”).
The GDPR mentions those “identifiers” in the definition of “personal data” in Article 4(1) mentioned previously. Moreover, to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly[5]. However, whether the person is “identifiable” is still the focus of recent scholarly discussions[6].
- “Natural person” – The protection applies to natural persons, that is, to human beings. The right to the protection of personal data is, in that sense, a universal one that is not restricted to nationals or residents in a certain country.
The GDPR establishes that natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them[7]. Moreover, the principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons[8].
The Article 29 Data Protection Working Party states that these four elements provided in the first sentence of the personal data definition (any information, relating to, an identified or identifiable, and natural person) are closely intertwined and feed on each other, but together determine whether a piece of information should be considered as “personal data”.
What information can be considered as personal data?
The National Data Protection Supervisory Authorities and ECJ case law play an essential role in providing interpretation of legal provisions and concrete guidance to controllers and data subjects, endorsing a definition of personal data that is wide enough. The definition of personal data is a central element for the application and interpretation of data protection rules, which have a profound impact on a number of important issues and topics. Considering the format or the medium on which that information is contained, the concept of personal data includes information available in whatever form, be it alphabetical, numerical, graphical, photographical or acoustic, for example[9]. The ECJ provides a classification of information as personal data in different judgments. To this extent, the term personal data undoubtedly covers the names of the persons in conjunction with their telephone coordinates or information about their working conditions or hobbies. Information contained in free text in an electronic document may also qualify as personal data, provided the other criteria in the definition of personal data are fulfilled. E-mail, for example, will contain “personal data”. The ECJ has spoken in that sense when considering that “referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data […]”[10].
On 20 December 2017 the ECJ gave its judgment on the “Nowak case”[11], which establishes the classification of the answers and subjective comments of the examiner within the written answers submitted by a candidate in a professional examination as personal data, establishing a series of criteria that make it possible to understand which data are of a personal nature[12]. The ruling addresses the potential application of GDPR to constitute personal data[13]. It must be highlighted that the classification of this data as personal data entails, for the candidate, the possibility of using their rights of access, rectification and objection. To this extent, the classification as personal data provides the right of access, but also the other powers given to the owner of this type of data, which are: rights of rectification, erasure and objection, as well as all the guarantees included in the data protection legislation[14].
The judgment also analyzes the applicability of the right of access to data with more than one owner and opposing interests (in this case the examiner and candidate). The ECJ reaffirmed the idea that the fact that the information is in the hands of one person or several people is irrelevant regarding its classification as personal data. The attribution of the condition of personal data does not come from this fact, but from the very nature of the information. Regarding the definition of personal data, the ECJ adds another feature to this: the plurality of affected persons, or the possibility that one piece of information may be personal data of more than one data subject[15].
Regarding the classification of information as personal data, in the YS and Others[16] case, it is considered that the legal analysis of a minute produced within the framework of a request for a residence permit is not personal data, as it refers to “information about the assessment and application by the competent authority of the law to the applicant’s situation”. This interpretation meant that, in the YS and Others case, the right of access was not recognized for that information, believing that such access would be based on a right of access to public documents which is not covered under GDPR legislation[17]. However, if the analysis had included any evaluations of the subject, or that could have an effect on them, then this would be considered as personal data which would, as such, be subject to the GDPR[18].
It could be affirmed that the GDPR definition, as recalled by the ECJ, is based on the broad definition of personal data reflecting the intention of the legislator to assign a wide scope to the concept, encompassing subjective and objective information on the data subject. Since the classification of information as personal data brings it into the realm of the fundamental rights protection architecture of the EU, it also establishes both the rights of the data subjects and the circumstances under which the standard of protection may be diminished due to justifiable objectives[19].
References
[1] Article 4(1) GDPR.
[2] See Article 29 Data Protection Working Party: Opinion 4/2007 on the concept of personal data. Adopted on 20th June, 01248/07/EN WP 136, pp. 9-12, 21. Available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf
[3] Judgment of the Court of Justice of the European Union (Second Chamber), Case C-434/16, Peter Nowak v Data Protection Commissioner, 20 December 2017, §34.
[4] Judgment of the Court of Justice of the European Union (Second Chamber), Case C-434/16, Peter Nowak v Data Protection Commissioner, 20 December 2017, §35.
[5] Recital (26) GDPR.
[6] See, for instance, Purtova, N. (2018). The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law. Law, Innovation and Technology. DOI: https://doi.org/10.1080/17579961.2018.1452176.
[7] Recital (30) GDPR.
[8] Recital (2) GDPR.
[9] Article 29 Data Protection Working Party: Opinion 4/2007 on the concept of personal data. Adopted on 20th June, 01248/07/EN WP 136, p. 7. Available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf
[10] Judgment of the European Court of Justice, C-101/2001, Lindqvist, §27, 06.11.2003.
[11] Judgment of the Court of Justice of the European Union (Second Chamber), Case C-434/16, Peter Nowak v Data Protection Commissioner, 20 December 2017.
[12] Jove, D. (2019). Peter Nowak v Data Protection Commissioner: Potential Aftermaths Regarding Subjective Annotations in Clinical Records. European Data Protection Law Review, Volume 5, Issue 2, p. 175. DOI: https://doi.org/10.21552/edpl/2019/2/7
[13] Judgment of the Court of Justice of the European Union (Second Chamber), Case C-434/16, Peter Nowak v Data Protection Commissioner, 20 December 2017, §27.
[14] Jove, D. (2019). Peter Nowak v Data Protection Commissioner: Potential Aftermaths Regarding Subjective Annotations in Clinical Records. European Data Protection Law Review, Volume 5, Issue 2, p. 177. DOI: https://doi.org/10.21552/edpl/2019/2/7
[15] Ibidem, pp. 176, 178.
[16] Judgment of the Court, Joined Cases C‑141/12 and C‑372/12, YS and Others, 17 July 2014.
[17] Judgment of the Court, Joined Cases C‑141/12 and C‑372/12, YS and Others, 17 July 2014, §40.
[18] Jove, D. (2019). Peter Nowak v Data Protection Commissioner: Potential Aftermaths Regarding Subjective Annotations in Clinical Records. European Data Protection Law Review, Volume 5, Issue 2, p. 179. DOI: https://doi.org/10.21552/edpl/2019/2/7
[19] Podstawa, K. (2018). Peter Nowak Data Protection Commissioner: You can access your exam script, because it is personal data. European Data Protection Law Review (EDPL), 4(2), pp. 254, 256. DOI: https://doi.org/10.21552/edpl/2018/2/17.