© Copyright egta 2017. All rights reserved.

PART 01: MATERIAL AND GEOGRAPHICAL SCOPE

The GDPR applies only to the processing of personal data, defined as “any information relating to an identified or identifiable natural person”. Identification may occur by associating online identifiers with other information to create profiles[1] and, to qualify as personal data, it is not necessary that all the information enabling the identification of the data subject be in the hands of one person[2]. Location data or online identifiers are clearly mentioned as types of data that may be used to identify users.

Pseudonymised data is no longer attributable to a specific data subject without the use of additional information, which should be kept separately and subject to technical and organisational measures. Pseudonymous data is considered personal data and is regulated under the GDPR; however, it can be used to satisfy certain obligations[3].

Anonymous data is not considered personal data, and as such falls outside the scope of the GDPR. Anonymisation is meant for irreversible de-identification.

The territorial scope of the GDPR covers:

• The processing of personal data by controllers and processors established in the EU, regardless of whether this takes place in the Union or not;

• The processing of personal data by companies outside the EU where it relates to the offering of goods and services to data subjects in the EU (with or without payment) or to the monitoring of their behaviour taking place in the EU.

In practice:

Personal data should be considered as an extensive concept: to the extent that it is possible (however difficult) to trace someone back through information, that information may qualify as personal data.

The context of data processing is important: for example, hashed identifiers[4] may not be considered personal data unless the controller/processor of the data can reasonably collect additional information to single out a user.

According to IAB Europe, “under the GDPR, online identifiers and information related to those identifiers will often constitute personal data. (…) The types of pseudonymous data commonly used by companies in the online advertising industry, such as device advertising identifiers and cookie IDs, will (depending on the specific situation of the company processing the data) generally fall into the category of personal data and thus be subject to the requirements of the GDPR”[5].

As is currently the case, sensitive data (revealing political opinion, ethnicity, sexual orientation, etc.) remains subject to stricter conditions.