Page 9
© Copyright egta 2017. All rights reserved.
be used to satisfy certain obligations
3
.
Anonymous data
is not
considered personal
data, and as such falls outside the scope of the
GDPR. Anonymisation is meant for irreversible de-
identification.
The
territorial scope
of the GDPR covers:
• The processing of personal data by controllers
and processors established in the EU, regardless
of whether this takes place in the Union or not;
• The processing of personal data by companies
outside the EU where it relates to the offering
of goods and services to data subjects in the EU
(with or without payment) or to the monitoring
of their behaviour taking place in the EU.
PART
01:
MATERIAL AND
GEOGRAPHICAL SCOPE
The GDPR applies only to the processing of
personal data
, defined as “
any information relating
to an identified or identifiable natural person
”.
Identification may occur by associating online
identifiers with other information to create
profiles
1
and, to qualify as personal data, it is not
necessary that all the information enabling the
identification of the data subject be in the hand
of one person
2
. Location data or online identifiers
are clearly mentioned as types of data that may be
used to identify users.
Pseudonymised data
is no longer attributable to a
specific data subject without the use of additional
information, which should be kept separately and
subject to technical and organisational measures.
Pseudonymous data
is
considered personal data
and is regulated under the GDPR; however it can
IN
practice:
Personal data should be considered as an extensive concept: to the extent that it is
possible
(however
difficult) to trace someone back through information, that information may qualify as personal data.
The
context
of data processing is important: for example, hashed identifiers
4
may not be considered
personal data unless the controller/processor of the data can reasonably collect additional information
to single out a user.
According to IAB Europe, “
under the GDPR, online identifiers and information related to those identifiers
will often constitute personal data. (…)
The types of pseudonymous data commonly used by companies in
the online advertising industry, such as device advertising identifiers and cookie IDs, will
(depending on
the specific situation of the company processing the data)
generally fall into the category of personal data
and thus be subject to the requirements of the GDPR
”
5
.
As is currently the case, sensitive data (revealing political opinion, ethnicity, sexual orientation, etc.)
remains subject to stricter conditions.