Skip to content
Start now

Personal, personally identifiable and personal data

Technical contributions
2 Minutes Reading time

by Katrin Nebermann

It is not always easy to differentiate between the terms relating to data protection, let alone correctly classify the resulting problems.

According to the GDPR, the term “personal data” must be interpreted as broadly as possible. Accordingly, this includes all data that is or can be assigned to a person in any way. The latter is also referred to as “personal data”.

In this broad sense, web analytics cannot actually avoid the processing of personal data within the meaning of the GDPR. This is not critical as such, it simply means that the GDPR applies.

In order to determine the number of visitors across sessions, for example, visitor IDs must be used. However, no personal data such as names or e-mail addresses are required for this. Randomly generated character combinations that are stored in cookies are sufficient. It is therefore not possible to draw conclusions about the person.

The important question in the data protection assessment is therefore not whether personal data is processed at all, but whether, in accordance with Art. 6 f GDPR, the processing is designed in such a way that the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not prevail.

The following questions are decisive when assessing the degree of interference with privacy – i.e. the predominance of property rights:

  • Is personal data processed in clear form or even data that is particularly sensitive such as gender, ethnic origin, religious affiliation, etc.?
  • Is it possible to identify the user directly or indirectly based on the type and amount of data?
  • If the encryption takes place (a) with sufficient strength, (b) at the earliest possible time before the actual processing; and (c) “by design” or “by default”?
  • Is personal data passed on to third parties, merged with data from other providers, provided with cross-provider identifiers or enriched with further personal data from other systems?
  • Is the personal data transferred securely, processed only within the EU if possible and protected against unauthorized access by third parties by means of sufficient technical and organizational measures?
  • If the data is used in a manner and for purposes that are (a) have no legal effect for the persons concerned, (b) are typical and reasonably foreseeable for the data subjects and about which information is provided clearly and comprehensibly in the data protection notices?
  • Do users have an easy way to object to the processing of their personal data on all end devices?
  • Are settings in the browser and operating system that clearly express the wishes of data subjects (such as do-not-track settings) observed?

More on the topic