Module 2 · Defining and identifying personal data
Article 4(1) GDPR defines personal data as "any information relating to an identified or identifiable natural person." The course applies a four-step test - all four must be met, in any order.
- Any information - literally anything, but it must relate to a person.
- Relating to - by content (e.g. name + address), by purpose, or by result/impact. A job title alone may not relate to an individual, but a job title combined with a name does.
- An identified or identifiable - "identified" = named or singled out; "identifiable" = indirect identification using "all the means reasonably likely to be used" (Recital 26). An IP address can be personal data (the Breyer decision) because the ISP could link it to a person.
- Natural person - a living individual (birth to death), including sole traders, employees, partners and directors - distinct from a corporation.
Personal-data elements (gender, age, DOB, address, phone, email, ID numbers) become richer and harder to de-identify when aggregated. Recital 30 notes cookies may leave traces that, combined with unique identifiers, can build profiles and identify people.