They who must not be identified—distinguishing personal from non-personal data under the GDPR

• Published in: International data privacy law Vol. 10; no. 1; pp. 11 - 36
• Main Authors: Finck, Michèle, Pallas, Frank
• Format: Journal Article
• Language: English
• Published: Oxford Oxford University Press 01.02.2020; Oxford Publishing Limited (England)
• Subjects: Computer science; Data processing; General Data Protection Regulation; Law; Personal information; Germany
• ISSN: 2044-3994; 2044-4001
• DOI: 10.1093/idpl/ipz026

One year after the European Union’s (EU) General Data Protection Regulation (hereafter ‘GDPR’ or ‘the Regulation’) became binding, uncertainty continues to surround the definition of some of its core concepts, including that of personal data. Drawing a dividing line between personal data and non-personal data is, however, paramount to determine the scope of application of European data protection law. Whereas personal (including ‘pseudonymous’) data is subject to the Regulation, non-personal data is not. Determining whether a given data item qualifies as personal data is thus crucial, and increasingly burdensome as more data are being generated and shared. Notwithstanding the pivotal importance of the distinction between personal and non-personal data, it can, in practice, be extremely burdensome to differentiate between both categories. This difficulty is anchored in both technical and legal factors.