SlideShare a Scribd company logo

GIG Working Paper 02/2017 - The Definition of Personal Data

IAB Europe
IAB Europe

This second output of the GIG focuses on the definition of Personal Data under the GDPR, explaining how it will affect companies in the online advertising space.

Law
1 of 11
Download to read offline
WHITE PAPER IAB Europe Guidance Date goes here Five Practical Steps to help companies comply with the E-Privacy Directive IAB Europe GDPR Implementation Working Group THE DEFINITION OF PERSONAL DATA Working Paper 02/2017
About IAB Europe IAB Europe is the voice of digital business and the leading European-level industry association for the interactive advertising ecosystem. Its mission is to promote the development of this innovative sector by shaping the regulatory environment, investing in research and education, and developing and facilitating the uptake of business standards. About the GDPR Implementation Group IAB Europe’s GDPR Implementation Working Group brings together leading experts from across the digital advertising industry to discuss the European Union’s new data protection law, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector. The GDPR Implementation Working Group is a member- driven forum for discussion and thought leadership, its important contribution to the digital advertising industry’s GDPR compliance efforts is only possible thanks to the work and leadership of its many participating members. Acknowledgements The GDPR Compliance Primer has been prepared by the members of the IAB Europe GDPR Implementation Group under the leadership of Quantcast. Contacts Matthias Matthiesen (matthiesen@iabeurope.eu) Senior Manager – Privacy & Public Policy, IAB Europe Chris Hartsuiker (hartsuiker@iabeurope.eu) Public Policy Officer, IAB Europe
3 Working Paper 2 - The Definition of Personal Data Contents Executive Summary ............................................................................................................................... 3 Overview................................................................................................................................................. 4 Personal Data Under the GDPR ............................................................................................................. 4 Personal Data.....................................................................................................................................4 Anonymous Data................................................................................................................................6 Pseudonymous Data..........................................................................................................................7 Special Categories of Personal Data .................................................................................................9 Conclusion........................................................................................................................................10 Executive Summary • The definition of personal data under the GDPR is very broad and intentionally all- encompassing. Pseudonymous data is defined as a sub-category of personal data, and still triggers full application of the GDPR. • Cookies and other device and online identifiers (IP addresses, IDFA, AAID, etc.) are explicitly called out as examples of personal data under the GDPR. • Due to this broad definition, it is highly likely that any data being processed in the online advertising ecosystem falls within the definition of personal data. As the definition is extremely broad, it is prudent to err on the side of caution and assume data is personal. • Where data might appear to fall outside of the scope of personal data, a careful analysis should be carried out to substantiate this on a case-by-case basis. Depending on the circumstances, the same piece of data (i.e. an IP address) may be personal, pseudonymous, or anonymous data. This depends on the circumstances in which an IP address is obtained, for which purposes it is used, and who receives the IP address.
4 Working Paper 2 - The Definition of Personal Data Overview On 27 April 2016, the European Union has adopted the General Data Protection Regulation (“GDPR”).1 The GDPR will become directly applicable law in the European Union (“EU”) and European Economic Area (“EEA”) on 25 May 2018, superseding national data protection laws currently in place. The GDPR will not only apply to companies based in the EU but also to companies all over the globe offering goods and services to people based in the territory of the Union, or monitor the behaviour of individuals located within it. Data protection law regulates the processing of personal data, defined broadly as any information that relates to an identified or identifiable natural person, which may include, amongst others, online and device identifiers that can be used to single out a natural person, for example for digital advertising purposes. The GDPR grants data protection authorities the power to levy significant administrative fines against businesses found in breach of the law. Depending on the severity of the infringement, fines can reach up to € 20,000,000 or 4 per cent of a company’s annual global turnover – whichever is higher. This document has been prepared by members of the IAB Europe GDPR Implementation Group to provide guidance to companies across the globe on understanding what the definition of personal data means for them. Personal Data Under the GDPR The definition of “personal data” is fundamental to data protection law because the GDPR only applies to personal data. Data that is not personal data falls outside the scope of the GDPR. While the digital advertising industry, and other businesses that use similar technologies, have often interpreted unique online identifiers such as cookie IDs and mobile device advertising IDs to be outside the scope of data protection law where they were not coupled with personally identifying details (such as name or email address), these online identifiers are likely to fall within the scope of personal data under the GDPR in many circumstances. Therefore, it is critical that companies involved in digital advertising understand how the definition of personal data in the GDPR applies to them. This paper examines the scope of personal data under the GDPR, including the concepts of anonymous data (which is not personal data and not regulated under the GDPR) and pseudonymous data (which is personal data and is regulated under the GDPR). Personal Data The definition of personal data in the GDPR expands upon the text of the definition contained in the Data Protection Directive (Directive 95/46/EC, “DPD”) by explicitly referencing additional examples 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), available at http://eur-lex.europa.eu/eli/reg/2016/679/oj/.
5 Working Paper 2 - The Definition of Personal Data of identifiers, such as online identifiers, and factors that can be used to identify a person. Article 4(1) of the GDPR states: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Recitals 26 and 30 provide additional insight into the definition of personal data. Recital 26 introduces the concept of making a person identifiable by “singling out” that person, directly or indirectly. It indicates that one must consider all means reasonably likely to be used to identify the person, taking into account all objective factors when making such a determination. Recital 26 states: “...To determine whether a natural person is identifiable, account should be takenof all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.” Recital 30 indicates that identification may occur by associating online identifiers, such as cookie IDs and IP addresses, with other information to create profiles. Recital 30 states: “Natural persons maybe associated with onlineidentifiers provided bytheirdevices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” These provisions expand the scope of personal data significantly from common interpretations under the DPD. While the digital advertising industry has often interpreted unique online identifiers such as cookie IDs to be outside the scope of data protection law where they were not coupled with personally identifying details (such as name or email address), these online identifiers are likely to fall within the scope of personal data under the GDPR in many circumstances. As described in Recital 26, one will need to look at all means reasonably likely to be used in the circumstances to identify the underlying natural person to determine if the data is personal data; however, as a general matter under the GDPR, data such as online identifiers should be treated as personal data
6 Working Paper 2 - The Definition of Personal Data unless a valid argument can be made that the data subject is not (directly or indirectly) identifiable and cannot be singled out. The determination whether a piece of data is personal data will be context specific. For example, an IP address that corresponds to a public “hot spot” such as a coffee shop, and is used by hundreds of customers every day, by itself is unlikely to comprise personal data. However, if the company links that common IP address with other information that would allow it to single out one individual, then the IP address is likely to be personal data. Similarly, a truncated IP address would not be personal data where the holder of that truncated IP address has no reasonable means to identify the individual. However, if the holder of the truncated IP address can, using reasonable means at its disposal, collect additional information that would allow it to single out the individual, then even that truncated IP address is likely to be personal data. Companies should remember that personal data encompasses more data than what is typically considered personally identifiable information (or PII) in some jurisdictions outside of the EU. In instances where it is unclear whether data is personaldata, treating it as personal data would be the prudent course of action, particularly given the potential for high fines under the GDPR. Anonymous Data Like the DPD before it, the GDPR does not apply to anonymous data. Recital 26 explains that anonymous information does not relate to an identified or identifiable person. Recital 26 states: “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” The Article 29 Working Party, in its prior Opinion 05/2014 on Anonymisation Techniques, referred to anonymisation as “a technique applied to personal data in order to achieve irreversible de- identification.” That opinion sets out various anonymisation techniques and highlights that “case studies and research publications have shownhow difficult it is to create a truly anonymous dataset whilst retaining as much of the underlying information as required for the task.” Where a company holds data that is truly anonymous, the GDPR does not apply to that data. For example, a piece of general location information that does not identify an individual is anonymous data that is not subject to GDPR. If a company holds the name of a large city (e.g., Brussels), does not associate any other identifying information, and is not reasonably likely to obtain or use
7 Working Paper 2 - The Definition of Personal Data additional information that could associate the location with an individual, then the data is anonymous. Aggregated data that does not relate to one user, but relates to an entire group of users, is anonymous data as long as the individuals whose data is in the pool cannot be identified. The analysis of whether a particular piece of information, or group of information, is anonymous is context specific and not always clear. Where a company is unsure whether the data it holds is personal data or anonymous data, treating the data as personal data is a prudent course of action. Pseudonymous Data The GDPR introduces the concept of pseudonymous data as a subset of personal data that cannot be attributed to a specific data subject without additional information. Article 4(5) states: “‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” Pseudonymisation was not addressed in the DPD and many in the advertising industry have considered pseudonymous data to be outside the scope of personal data in the DPD and thus outside the scope of the DPD. Under the GDPR, pseudonymisation does not render a data set anonymous (and therefore out of the GDPR’s scope). Recital 26 clarifies that pseudonymous data is in scope of the GDPR: “…Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…” However, as described in Article 11, pseudonymisation may exclude the data from certain GDPR obligations that specifically require identification, such as subject access and the right to rectification, erasure and data portability (Articles 15-20). Online identifiers, such as cookie IDs that are associated with online browsing history, are often going to be personal data under the GDPR, although a context specific analysis always applies. Pseudonymisation is recognized as a safeguard that reduces the risks to data subjects and helps controllers and processors meet their data protection obligations. Recital 28 recognizes this benefit of pseudonymisation, stating:
8 Working Paper 2 - The Definition of Personal Data “The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data- protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.” The GDPR explicitly recognizes pseudonymisation as a safeguard that can contribute to permissible processing for a secondary use. Article 6(4) says: “Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: … (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.” Article 89(1) recognizes pseudonymisation as a safeguard for processing for archiving in the public interest, scientific or historical research purposes or statistical purposes. Article 89(1) states: “Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measuresare in placein particular in order toensurerespect fortheprincipleof data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.” Importantly, the GDPR recognizes that pseudonymisation of personal data is possible by a controller where that controller holds additional information that could be used to attribute that data to an individual data subject, as long as the controller has taken technical and organisational measures to keep that information separate. Recital 29 says: “In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller
9 Working Paper 2 - The Definition of Personal Data processing the personal data should indicate the authorised persons within the same controller.” Article 25(1) of the GDPR recognizes that technical and organizational measures such as pseudonymisation should be designed “both at the time of the determination of the means of processing and at the time of the processing itself.” This design supports two equally relevant concepts of pseudonymisation. First is the collection of data in a way that allows a controller to hold data that cannot be attributed to a specific data subject without the use of additional information. In other words, the data is pseudonymous at its collection, use and storage. For example, some ad tech companies never collect information to directly identify the end user; rather, they only collect a randomised cookie ID and associated URLs visited, which allow a browser to be recognised but the end user cannot be directly identified. This data is pseudonymous in the hands of that ad tech company because that company does not have nor has reasonable access to additional information that would allow it to directly identify the data subject. The second concept of pseudonymisation is as a process that companies can apply to personal data, for example using encryption, hashing or tokenization techniques, to ensure the data is not linked to an identified or identifiable natural person. For example, a company may collect full name, mailing address, account number and URLs visited. If it holds that information in its subscriber database, it could create a separate database of data that has been pseudonymised by removing the name and mailing address information and hashing the account number. If the company puts appropriate technical and organisational measures in place to keep the databases separate and prevent re-attribution of the pseudonymised data, then the second database is a pseudonymous database that could, for example, be used for research purposes in a privacy-friendly way. An IP address is an example of data that could be anonymous data, pseudonymous personal data, or non-pseudonymous personal data, depending on the specific circumstances. Referenced earlier in this paper is an example of a common IP address at a “hot spot” that is anonymous data when held without any other information because it does not identify or make an individual identifiable. Also, referenced earlier in this paper is an example of a truncated IP address that alone is not personal data, but becomes personal data if the holder of that truncated IP address can reasonably associate the truncated IP address with additional information to allow the holder to identify the individual. If the only additional data held is the missing octet, then the data would be pseudonymous personal data; however, if the additional data held is the missing octet plus information such as a name and address associated with the IP address, then that combined data would be non-pseudonymous personal data. Companies are urged to engage in a context specific analysis of the data they hold to determine whether it is personal data. Special Categories of Personal Data The GDPR, like the DPD, recognizes certain special categories of personal data that cannot be processed unless stringent requirements (contained in Article 9(2)) are met, such as explicit consent
10 Working Paper 2 - The Definition of Personal Data by the data subject. Article 9(1) outlines the special categories of sensitive data as: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;” genetic data or biometric data; and data concerning health or a natural person's sex life or sexual orientation. Data relating to criminal convictions and offences are also subject to restrictions. Article 10, like the DPD, restricts its processing to the control of official authorities or instances where national law may provide derogations. Companies wishing to process special categories of personal data or data relating to criminal offences should be sure to comply with the more stringent processing requirements. Conclusion The GDPR expands on the definition of personal data contained in the DPD and thus expands the scope of EU data protection law. Under the GDPR, online identifiers and information associated with those online identifiers will often constitute personal data. Where the information collected is pseudonymous, it will be considered personal data, and the pseudonymisation will act as a safeguard, bringing benefit to the data subject and excluding the data from certain GDPR obligations. The types of pseudonymous data commonly used by companies in the online advertising industry, such as device advertising identifiers and cookie ids, will (depending on the specific situation of the company processing the data) generally fall into the category of personal data and thus be subject to the requirements of the GDPR. Companies in the digital advertising space should carefully examine their data processing activities to ensure that if they process personal data, that processing complies with the GDPR.
IAB Europe’s GDPR Implementation Working Group brings together leading experts from across the digital advertising industry to discuss the European Union’s new data protection law, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector. The GDPR Implementation Working Group is a member-driven forum for discussion and thought leadership, its important contribution to the digital advertising industry’s GDPR compliance efforts is only possible thanks to the work and leadership of its many participating members. For more information please contact: Matthias Matthiesen (matthiesen@iabeurope.eu) Senior Manager – Privacy & Public Policy IAB Europe Chris Hartsuiker (hartsuiker@iabeurope.eu) Public Policy Officer IAB Europe About the IAB Europe GDPR Implementation Working Group

Recommended

IAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance PrimerIAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance PrimerIAB Europe
 
GIG Working Paper 03/2017 - Consent
GIG Working Paper 03/2017 - ConsentGIG Working Paper 03/2017 - Consent
GIG Working Paper 03/2017 - ConsentIAB Europe
 
IAB Europe position on the proposal for an ePrivacy regulation
IAB Europe position on the proposal for an ePrivacy regulationIAB Europe position on the proposal for an ePrivacy regulation
IAB Europe position on the proposal for an ePrivacy regulationIAB Europe
 
GDPR A Privacy Regime
GDPR A Privacy RegimeGDPR A Privacy Regime
GDPR A Privacy Regimeijtsrd
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyKate Chan
 
Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake Morgan
 
What is GDPR?
What is GDPR?What is GDPR?
What is GDPR?Faidepro
 
Impact of GDPR on the pre dominant business model for digital economies
Impact of GDPR on the pre dominant business model for digital economiesImpact of GDPR on the pre dominant business model for digital economies
Impact of GDPR on the pre dominant business model for digital economiesEquiGov Institute
 

Recommended

IAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance PrimerIAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance PrimerIAB Europe
 
GIG Working Paper 03/2017 - Consent
GIG Working Paper 03/2017 - ConsentGIG Working Paper 03/2017 - Consent
GIG Working Paper 03/2017 - ConsentIAB Europe
 
IAB Europe position on the proposal for an ePrivacy regulation
IAB Europe position on the proposal for an ePrivacy regulationIAB Europe position on the proposal for an ePrivacy regulation
IAB Europe position on the proposal for an ePrivacy regulationIAB Europe
 
GDPR A Privacy Regime
GDPR A Privacy RegimeGDPR A Privacy Regime
GDPR A Privacy Regimeijtsrd
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyKate Chan
 
Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake Morgan
 
What is GDPR?
What is GDPR?What is GDPR?
What is GDPR?Faidepro
 
Impact of GDPR on the pre dominant business model for digital economies
Impact of GDPR on the pre dominant business model for digital economiesImpact of GDPR on the pre dominant business model for digital economies
Impact of GDPR on the pre dominant business model for digital economiesEquiGov Institute
 
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17Michael Adamberry
 
The implementation of gdpr in greece (1)
The implementation of gdpr in greece (1)The implementation of gdpr in greece (1)
The implementation of gdpr in greece (1)FOTIOS ZYGOULIS
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingJes Breslaw
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliantSiddharth Ram Dinesh
 
White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016stefanjung
 
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)Nordic APIs
 
GDPR - The new era of data protection
GDPR - The new era of data protectionGDPR - The new era of data protection
GDPR - The new era of data protectionInterlogica
 
GDPR-Overview
GDPR-OverviewGDPR-Overview
GDPR-OverviewErica Walker
 
IAB Europe GIG: Working Paper on Data Subject Requests
IAB Europe GIG: Working Paper on Data Subject RequestsIAB Europe GIG: Working Paper on Data Subject Requests
IAB Europe GIG: Working Paper on Data Subject RequestsIAB Europe
 
The Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanThe Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanKrowdthink
 
ESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET
 
The Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiThe Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiKrowdthink
 
Are you compliant?
Are you compliant?Are you compliant?
Are you compliant?Gabrielė Songin
 
Microsoft Azure and the EU GDPR
Microsoft Azure and the EU GDPRMicrosoft Azure and the EU GDPR
Microsoft Azure and the EU GDPRMiguel Mello
 
Understanding Binding Corporate Rules
Understanding Binding Corporate RulesUnderstanding Binding Corporate Rules
Understanding Binding Corporate RulesJan Dhont
 
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18Fife Centre for Equalities
 
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
"GDPR - All You Need To Know" presentation from event Nov 16th in BerlinMailjet
 
General data protection regulation
General data protection regulationGeneral data protection regulation
General data protection regulationFahad Ameen
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...
Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...
Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...Victor Gridnev
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 

More Related Content

What's hot

Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17Michael Adamberry
 
The implementation of gdpr in greece (1)
The implementation of gdpr in greece (1)The implementation of gdpr in greece (1)
The implementation of gdpr in greece (1)FOTIOS ZYGOULIS
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingJes Breslaw
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliantSiddharth Ram Dinesh
 
White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016stefanjung
 
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)Nordic APIs
 
GDPR - The new era of data protection
GDPR - The new era of data protectionGDPR - The new era of data protection
GDPR - The new era of data protectionInterlogica
 
IAB Europe GIG: Working Paper on Data Subject Requests
IAB Europe GIG: Working Paper on Data Subject RequestsIAB Europe GIG: Working Paper on Data Subject Requests
IAB Europe GIG: Working Paper on Data Subject RequestsIAB Europe
 
The Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanThe Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanKrowdthink
 
ESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET
 
The Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiThe Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiKrowdthink
 
Microsoft Azure and the EU GDPR
Microsoft Azure and the EU GDPRMicrosoft Azure and the EU GDPR
Microsoft Azure and the EU GDPRMiguel Mello
 
Understanding Binding Corporate Rules
Understanding Binding Corporate RulesUnderstanding Binding Corporate Rules
Understanding Binding Corporate RulesJan Dhont
 
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18Fife Centre for Equalities
 
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
"GDPR - All You Need To Know" presentation from event Nov 16th in BerlinMailjet
 
General data protection regulation
General data protection regulationGeneral data protection regulation
General data protection regulationFahad Ameen
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...
Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...
Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...Victor Gridnev
 

What's hot (20)

Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17
 
The implementation of gdpr in greece (1)
The implementation of gdpr in greece (1)The implementation of gdpr in greece (1)
The implementation of gdpr in greece (1)
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-masking
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliant
 
White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016
 
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
 
GDPR - The new era of data protection
GDPR - The new era of data protectionGDPR - The new era of data protection
GDPR - The new era of data protection
 
GDPR-Overview
GDPR-OverviewGDPR-Overview
GDPR-Overview
 
IAB Europe GIG: Working Paper on Data Subject Requests
IAB Europe GIG: Working Paper on Data Subject RequestsIAB Europe GIG: Working Paper on Data Subject Requests
IAB Europe GIG: Working Paper on Data Subject Requests
 
The Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanThe Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth Boardman
 
ESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection Regulation
 
The Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiThe Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech Wiewiorowski
 
Are you compliant?
Are you compliant?Are you compliant?
Are you compliant?
 
Microsoft Azure and the EU GDPR
Microsoft Azure and the EU GDPRMicrosoft Azure and the EU GDPR
Microsoft Azure and the EU GDPR
 
Understanding Binding Corporate Rules
Understanding Binding Corporate RulesUnderstanding Binding Corporate Rules
Understanding Binding Corporate Rules
 
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
 
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
 
General data protection regulation
General data protection regulationGeneral data protection regulation
General data protection regulation
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
 
Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...
Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...
Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...
 

Similar to GIG Working Paper 02/2017 - The Definition of Personal Data

The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
GDPR & You, Claus Mortensen, Ecosystm
GDPR & You, Claus Mortensen, EcosystmGDPR & You, Claus Mortensen, Ecosystm
GDPR & You, Claus Mortensen, EcosystmChris White
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessMark Baker
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookPlr-Printables
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessOmo Osagiede
 
GDPR Explained in Simple Terms for Hospitality Owners
GDPR Explained in Simple Terms for Hospitality OwnersGDPR Explained in Simple Terms for Hospitality Owners
GDPR Explained in Simple Terms for Hospitality OwnersBoostly
 
INFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securityINFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securitySamo Zavašnik
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection RegulationPete S
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.Steven Salter
 
IAB Digital Advertising Guidance : special category data under the gdpr - 2020
IAB Digital Advertising Guidance : special category data under the gdpr - 2020IAB Digital Advertising Guidance : special category data under the gdpr - 2020
IAB Digital Advertising Guidance : special category data under the gdpr - 2020Fullstaak
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.Matthias Dobbelaere-Welvaert
 
GDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisGDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisAngad Dayal
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...Symantec
 
IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload)
IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload) IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload)
IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload)IAB Europe
 
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018TRA - Tax Representative Alliance
 

Similar to GIG Working Paper 02/2017 - The Definition of Personal Data (20)

The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
GDPR & You, Claus Mortensen, Ecosystm
GDPR & You, Claus Mortensen, EcosystmGDPR & You, Claus Mortensen, Ecosystm
GDPR & You, Claus Mortensen, Ecosystm
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e book
 
Data protection
Data protectionData protection
Data protection
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
GDPR Explained in Simple Terms for Hospitality Owners
GDPR Explained in Simple Terms for Hospitality OwnersGDPR Explained in Simple Terms for Hospitality Owners
GDPR Explained in Simple Terms for Hospitality Owners
 
INFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securityINFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL security
 
MySQL GDPR Whitepaper
MySQL GDPR WhitepaperMySQL GDPR Whitepaper
MySQL GDPR Whitepaper
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
Privacy Year In Preview
Privacy Year In PreviewPrivacy Year In Preview
Privacy Year In Preview
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.
 
IAB Digital Advertising Guidance : special category data under the gdpr - 2020
IAB Digital Advertising Guidance : special category data under the gdpr - 2020IAB Digital Advertising Guidance : special category data under the gdpr - 2020
IAB Digital Advertising Guidance : special category data under the gdpr - 2020
 
Employee Monitoring and Privacy.pdf
Employee Monitoring and Privacy.pdfEmployee Monitoring and Privacy.pdf
Employee Monitoring and Privacy.pdf
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.
 
GDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisGDPR A Practical Guide with Varonis
GDPR A Practical Guide with Varonis
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload)
IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload) IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload)
IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload)
 
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
 

More from IAB Europe

IAB Europe Membership Brochure 2019
IAB Europe Membership Brochure 2019IAB Europe Membership Brochure 2019
IAB Europe Membership Brochure 2019IAB Europe
 
FWCE Cracking the Programmatic Conundrum White Paper
FWCE Cracking the Programmatic Conundrum White PaperFWCE Cracking the Programmatic Conundrum White Paper
FWCE Cracking the Programmatic Conundrum White PaperIAB Europe
 
IAB Europe Virtual Programmatic Day H2 2018 Slides
IAB Europe Virtual Programmatic Day H2 2018 SlidesIAB Europe Virtual Programmatic Day H2 2018 Slides
IAB Europe Virtual Programmatic Day H2 2018 SlidesIAB Europe
 
IAB Spain Digital Ad Spend 2017 Report
IAB Spain Digital Ad Spend 2017 ReportIAB Spain Digital Ad Spend 2017 Report
IAB Spain Digital Ad Spend 2017 ReportIAB Europe
 
AppNexus + Tomorrow TTH Case Study
AppNexus + Tomorrow TTH Case StudyAppNexus + Tomorrow TTH Case Study
AppNexus + Tomorrow TTH Case StudyIAB Europe
 
AppNexus + MiQ Case Study
AppNexus + MiQ Case StudyAppNexus + MiQ Case Study
AppNexus + MiQ Case StudyIAB Europe
 
AppNexus + Axel Springer Case Study
AppNexus + Axel Springer Case Study AppNexus + Axel Springer Case Study
AppNexus + Axel Springer Case StudyIAB Europe
 
AppNexus + Schibsted Case study
AppNexus + Schibsted Case study AppNexus + Schibsted Case study
AppNexus + Schibsted Case studyIAB Europe
 
IAB Europe Webinar Deck: Research Awards Winners - Consumer Behaviour and Med...
IAB Europe Webinar Deck: Research Awards Winners - Consumer Behaviour and Med...IAB Europe Webinar Deck: Research Awards Winners - Consumer Behaviour and Med...
IAB Europe Webinar Deck: Research Awards Winners - Consumer Behaviour and Med...IAB Europe
 
IAB Netherlands - Deloitte Programmatic Advertising 2018 Report
IAB Netherlands - Deloitte Programmatic Advertising 2018 ReportIAB Netherlands - Deloitte Programmatic Advertising 2018 Report
IAB Netherlands - Deloitte Programmatic Advertising 2018 ReportIAB Europe
 
IAB Europe Webinar Deck: Digital Brand Advertising and Measurement
IAB Europe Webinar Deck: Digital Brand Advertising and MeasurementIAB Europe Webinar Deck: Digital Brand Advertising and Measurement
IAB Europe Webinar Deck: Digital Brand Advertising and MeasurementIAB Europe
 
DOOH Presentation by OMD for DOOH and DA Webinar
DOOH Presentation by OMD for DOOH and DA WebinarDOOH Presentation by OMD for DOOH and DA Webinar
DOOH Presentation by OMD for DOOH and DA WebinarIAB Europe
 
Interact 2018 - Advertising that works for everyone
Interact 2018 - Advertising that works for everyoneInteract 2018 - Advertising that works for everyone
Interact 2018 - Advertising that works for everyoneIAB Europe
 
Interact 2018 - Embracing an ever-changing future for digital advertising
Interact 2018 - Embracing an ever-changing future for digital advertisingInteract 2018 - Embracing an ever-changing future for digital advertising
Interact 2018 - Embracing an ever-changing future for digital advertisingIAB Europe
 
Interact 2018 - IAB Europe’s GDPR Transparency & Consent Framework
Interact 2018 - IAB Europe’s GDPR Transparency & Consent FrameworkInteract 2018 - IAB Europe’s GDPR Transparency & Consent Framework
Interact 2018 - IAB Europe’s GDPR Transparency & Consent FrameworkIAB Europe
 
Interact 2018 - GDPR for digital publishers, digital agencies and advertisers
Interact 2018 - GDPR for digital publishers, digital agencies and advertisersInteract 2018 - GDPR for digital publishers, digital agencies and advertisers
Interact 2018 - GDPR for digital publishers, digital agencies and advertisersIAB Europe
 
Interact 2018 - DOOH growth and barriers
Interact 2018 - DOOH growth and barriersInteract 2018 - DOOH growth and barriers
Interact 2018 - DOOH growth and barriersIAB Europe
 
Interact 2018 - Creativity & Interactivity: the perfect match to win user’s ...
Interact 2018 - Creativity & Interactivity: the perfect match to win user’s ...Interact 2018 - Creativity & Interactivity: the perfect match to win user’s ...
Interact 2018 - Creativity & Interactivity: the perfect match to win user’s ...IAB Europe
 
Interact 2018 - Quo vadis Italy? The concentration of online time spent and t...
Interact 2018 - Quo vadis Italy? The concentration of online time spent and t...Interact 2018 - Quo vadis Italy? The concentration of online time spent and t...
Interact 2018 - Quo vadis Italy? The concentration of online time spent and t...IAB Europe
 
Interact 2018 - What Builds Brand Love
Interact 2018 - What Builds Brand LoveInteract 2018 - What Builds Brand Love
Interact 2018 - What Builds Brand LoveIAB Europe
 

More from IAB Europe (20)

IAB Europe Membership Brochure 2019
IAB Europe Membership Brochure 2019IAB Europe Membership Brochure 2019
IAB Europe Membership Brochure 2019
 
FWCE Cracking the Programmatic Conundrum White Paper
FWCE Cracking the Programmatic Conundrum White PaperFWCE Cracking the Programmatic Conundrum White Paper
FWCE Cracking the Programmatic Conundrum White Paper
 
IAB Europe Virtual Programmatic Day H2 2018 Slides
IAB Europe Virtual Programmatic Day H2 2018 SlidesIAB Europe Virtual Programmatic Day H2 2018 Slides
IAB Europe Virtual Programmatic Day H2 2018 Slides
 
IAB Spain Digital Ad Spend 2017 Report
IAB Spain Digital Ad Spend 2017 ReportIAB Spain Digital Ad Spend 2017 Report
IAB Spain Digital Ad Spend 2017 Report
 
AppNexus + Tomorrow TTH Case Study
AppNexus + Tomorrow TTH Case StudyAppNexus + Tomorrow TTH Case Study
AppNexus + Tomorrow TTH Case Study
 
AppNexus + MiQ Case Study
AppNexus + MiQ Case StudyAppNexus + MiQ Case Study
AppNexus + MiQ Case Study
 
AppNexus + Axel Springer Case Study
AppNexus + Axel Springer Case Study AppNexus + Axel Springer Case Study
AppNexus + Axel Springer Case Study
 
AppNexus + Schibsted Case study
AppNexus + Schibsted Case study AppNexus + Schibsted Case study
AppNexus + Schibsted Case study
 
IAB Europe Webinar Deck: Research Awards Winners - Consumer Behaviour and Med...
IAB Europe Webinar Deck: Research Awards Winners - Consumer Behaviour and Med...IAB Europe Webinar Deck: Research Awards Winners - Consumer Behaviour and Med...
IAB Europe Webinar Deck: Research Awards Winners - Consumer Behaviour and Med...
 
IAB Netherlands - Deloitte Programmatic Advertising 2018 Report
IAB Netherlands - Deloitte Programmatic Advertising 2018 ReportIAB Netherlands - Deloitte Programmatic Advertising 2018 Report
IAB Netherlands - Deloitte Programmatic Advertising 2018 Report
 
IAB Europe Webinar Deck: Digital Brand Advertising and Measurement
IAB Europe Webinar Deck: Digital Brand Advertising and MeasurementIAB Europe Webinar Deck: Digital Brand Advertising and Measurement
IAB Europe Webinar Deck: Digital Brand Advertising and Measurement
 
DOOH Presentation by OMD for DOOH and DA Webinar
DOOH Presentation by OMD for DOOH and DA WebinarDOOH Presentation by OMD for DOOH and DA Webinar
DOOH Presentation by OMD for DOOH and DA Webinar
 
Interact 2018 - Advertising that works for everyone
Interact 2018 - Advertising that works for everyoneInteract 2018 - Advertising that works for everyone
Interact 2018 - Advertising that works for everyone
 
Interact 2018 - Embracing an ever-changing future for digital advertising
Interact 2018 - Embracing an ever-changing future for digital advertisingInteract 2018 - Embracing an ever-changing future for digital advertising
Interact 2018 - Embracing an ever-changing future for digital advertising
 
Interact 2018 - IAB Europe’s GDPR Transparency & Consent Framework
Interact 2018 - IAB Europe’s GDPR Transparency & Consent FrameworkInteract 2018 - IAB Europe’s GDPR Transparency & Consent Framework
Interact 2018 - IAB Europe’s GDPR Transparency & Consent Framework
 
Interact 2018 - GDPR for digital publishers, digital agencies and advertisers
Interact 2018 - GDPR for digital publishers, digital agencies and advertisersInteract 2018 - GDPR for digital publishers, digital agencies and advertisers
Interact 2018 - GDPR for digital publishers, digital agencies and advertisers
 
Interact 2018 - DOOH growth and barriers
Interact 2018 - DOOH growth and barriersInteract 2018 - DOOH growth and barriers
Interact 2018 - DOOH growth and barriers
 
Interact 2018 - Creativity & Interactivity: the perfect match to win user’s ...
Interact 2018 - Creativity & Interactivity: the perfect match to win user’s ...Interact 2018 - Creativity & Interactivity: the perfect match to win user’s ...
Interact 2018 - Creativity & Interactivity: the perfect match to win user’s ...
 
Interact 2018 - Quo vadis Italy? The concentration of online time spent and t...
Interact 2018 - Quo vadis Italy? The concentration of online time spent and t...Interact 2018 - Quo vadis Italy? The concentration of online time spent and t...
Interact 2018 - Quo vadis Italy? The concentration of online time spent and t...
 
Interact 2018 - What Builds Brand Love
Interact 2018 - What Builds Brand LoveInteract 2018 - What Builds Brand Love
Interact 2018 - What Builds Brand Love
 

Recently uploaded

定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一jr6r07mb
 
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...Dr. Oliver Massmann
 
如何办理纽约州立大学石溪分校毕业证学位证书
如何办理纽约州立大学石溪分校毕业证学位证书 如何办理纽约州立大学石溪分校毕业证学位证书
如何办理纽约州立大学石溪分校毕业证学位证书Fir sss
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...shubhuc963
 
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝soniya singh
 
Rights of under-trial Prisoners in India
Rights of under-trial Prisoners in IndiaRights of under-trial Prisoners in India
Rights of under-trial Prisoners in IndiaAbheet Mangleek
 
Sports Writing for PISAYyyyyyyyyyyyyyy.pptx
Sports Writing for PISAYyyyyyyyyyyyyyy.pptxSports Writing for PISAYyyyyyyyyyyyyyy.pptx
Sports Writing for PISAYyyyyyyyyyyyyyy.pptxmarielouisetulaytay
 
Trial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionTrial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionNilamPadekar1
 
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis LeeAlexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis LeeBlayneRush1
 
如何办理威斯康星大学密尔沃基分校毕业证学位证书
如何办理威斯康星大学密尔沃基分校毕业证学位证书 如何办理威斯康星大学密尔沃基分校毕业证学位证书
如何办理威斯康星大学密尔沃基分校毕业证学位证书Fir sss
 
Test Identification Parade & Dying Declaration.pptx
Test Identification Parade & Dying Declaration.pptxTest Identification Parade & Dying Declaration.pptx
Test Identification Parade & Dying Declaration.pptxsrikarna235
 
Comparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesComparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesritwikv20
 
Key Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesKey Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesHome Tax Saver
 
SecuritiesContracts(Regulation)Act,1956.pdf
SecuritiesContracts(Regulation)Act,1956.pdfSecuritiesContracts(Regulation)Act,1956.pdf
SecuritiesContracts(Regulation)Act,1956.pdfDrNiteshSaraswat
 
Alexis O'Connell Lexileeyogi 512-840-8791
Alexis O'Connell Lexileeyogi 512-840-8791Alexis O'Connell Lexileeyogi 512-840-8791
Alexis O'Connell Lexileeyogi 512-840-8791BlayneRush1
 
Role and Responsibilities of Mediator and Approach
Role and Responsibilities of Mediator and ApproachRole and Responsibilities of Mediator and Approach
Role and Responsibilities of Mediator and Approach2020000445musaib
 
Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics GuidanceLaw360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics GuidanceMichael Cicero
 
如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书SD DS
 
如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书Fir sss
 

Recently uploaded (20)

定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
 
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
 
如何办理纽约州立大学石溪分校毕业证学位证书
如何办理纽约州立大学石溪分校毕业证学位证书 如何办理纽约州立大学石溪分校毕业证学位证书
如何办理纽约州立大学石溪分校毕业证学位证书
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...
 
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
 
Rights of under-trial Prisoners in India
Rights of under-trial Prisoners in IndiaRights of under-trial Prisoners in India
Rights of under-trial Prisoners in India
 
young Call Girls in Pusa Road🔝 9953330565 🔝 escort Service
young Call Girls in Pusa Road🔝 9953330565 🔝 escort Serviceyoung Call Girls in Pusa Road🔝 9953330565 🔝 escort Service
young Call Girls in Pusa Road🔝 9953330565 🔝 escort Service
 
Sports Writing for PISAYyyyyyyyyyyyyyy.pptx
Sports Writing for PISAYyyyyyyyyyyyyyy.pptxSports Writing for PISAYyyyyyyyyyyyyyy.pptx
Sports Writing for PISAYyyyyyyyyyyyyyy.pptx
 
Trial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionTrial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 sedition
 
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis LeeAlexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
 
如何办理威斯康星大学密尔沃基分校毕业证学位证书
如何办理威斯康星大学密尔沃基分校毕业证学位证书 如何办理威斯康星大学密尔沃基分校毕业证学位证书
如何办理威斯康星大学密尔沃基分校毕业证学位证书
 
Test Identification Parade & Dying Declaration.pptx
Test Identification Parade & Dying Declaration.pptxTest Identification Parade & Dying Declaration.pptx
Test Identification Parade & Dying Declaration.pptx
 
Comparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesComparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use cases
 
Key Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesKey Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax Rates
 
SecuritiesContracts(Regulation)Act,1956.pdf
SecuritiesContracts(Regulation)Act,1956.pdfSecuritiesContracts(Regulation)Act,1956.pdf
SecuritiesContracts(Regulation)Act,1956.pdf
 
Alexis O'Connell Lexileeyogi 512-840-8791
Alexis O'Connell Lexileeyogi 512-840-8791Alexis O'Connell Lexileeyogi 512-840-8791
Alexis O'Connell Lexileeyogi 512-840-8791
 
Role and Responsibilities of Mediator and Approach
Role and Responsibilities of Mediator and ApproachRole and Responsibilities of Mediator and Approach
Role and Responsibilities of Mediator and Approach
 
Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics GuidanceLaw360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
 
如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书
 
如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书
 

GIG Working Paper 02/2017 - The Definition of Personal Data

  • 1. WHITE PAPER IAB Europe Guidance Date goes here Five Practical Steps to help companies comply with the E-Privacy Directive IAB Europe GDPR Implementation Working Group THE DEFINITION OF PERSONAL DATA Working Paper 02/2017
  • 2. About IAB Europe IAB Europe is the voice of digital business and the leading European-level industry association for the interactive advertising ecosystem. Its mission is to promote the development of this innovative sector by shaping the regulatory environment, investing in research and education, and developing and facilitating the uptake of business standards. About the GDPR Implementation Group IAB Europe’s GDPR Implementation Working Group brings together leading experts from across the digital advertising industry to discuss the European Union’s new data protection law, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector. The GDPR Implementation Working Group is a member- driven forum for discussion and thought leadership, its important contribution to the digital advertising industry’s GDPR compliance efforts is only possible thanks to the work and leadership of its many participating members. Acknowledgements The GDPR Compliance Primer has been prepared by the members of the IAB Europe GDPR Implementation Group under the leadership of Quantcast. Contacts Matthias Matthiesen (matthiesen@iabeurope.eu) Senior Manager – Privacy & Public Policy, IAB Europe Chris Hartsuiker (hartsuiker@iabeurope.eu) Public Policy Officer, IAB Europe
  • 3. 3 Working Paper 2 - The Definition of Personal Data Contents Executive Summary ............................................................................................................................... 3 Overview................................................................................................................................................. 4 Personal Data Under the GDPR ............................................................................................................. 4 Personal Data.....................................................................................................................................4 Anonymous Data................................................................................................................................6 Pseudonymous Data..........................................................................................................................7 Special Categories of Personal Data .................................................................................................9 Conclusion........................................................................................................................................10 Executive Summary • The definition of personal data under the GDPR is very broad and intentionally all- encompassing. Pseudonymous data is defined as a sub-category of personal data, and still triggers full application of the GDPR. • Cookies and other device and online identifiers (IP addresses, IDFA, AAID, etc.) are explicitly called out as examples of personal data under the GDPR. • Due to this broad definition, it is highly likely that any data being processed in the online advertising ecosystem falls within the definition of personal data. As the definition is extremely broad, it is prudent to err on the side of caution and assume data is personal. • Where data might appear to fall outside of the scope of personal data, a careful analysis should be carried out to substantiate this on a case-by-case basis. Depending on the circumstances, the same piece of data (i.e. an IP address) may be personal, pseudonymous, or anonymous data. This depends on the circumstances in which an IP address is obtained, for which purposes it is used, and who receives the IP address.
  • 4. 4 Working Paper 2 - The Definition of Personal Data Overview On 27 April 2016, the European Union has adopted the General Data Protection Regulation (“GDPR”).1 The GDPR will become directly applicable law in the European Union (“EU”) and European Economic Area (“EEA”) on 25 May 2018, superseding national data protection laws currently in place. The GDPR will not only apply to companies based in the EU but also to companies all over the globe offering goods and services to people based in the territory of the Union, or monitor the behaviour of individuals located within it. Data protection law regulates the processing of personal data, defined broadly as any information that relates to an identified or identifiable natural person, which may include, amongst others, online and device identifiers that can be used to single out a natural person, for example for digital advertising purposes. The GDPR grants data protection authorities the power to levy significant administrative fines against businesses found in breach of the law. Depending on the severity of the infringement, fines can reach up to € 20,000,000 or 4 per cent of a company’s annual global turnover – whichever is higher. This document has been prepared by members of the IAB Europe GDPR Implementation Group to provide guidance to companies across the globe on understanding what the definition of personal data means for them. Personal Data Under the GDPR The definition of “personal data” is fundamental to data protection law because the GDPR only applies to personal data. Data that is not personal data falls outside the scope of the GDPR. While the digital advertising industry, and other businesses that use similar technologies, have often interpreted unique online identifiers such as cookie IDs and mobile device advertising IDs to be outside the scope of data protection law where they were not coupled with personally identifying details (such as name or email address), these online identifiers are likely to fall within the scope of personal data under the GDPR in many circumstances. Therefore, it is critical that companies involved in digital advertising understand how the definition of personal data in the GDPR applies to them. This paper examines the scope of personal data under the GDPR, including the concepts of anonymous data (which is not personal data and not regulated under the GDPR) and pseudonymous data (which is personal data and is regulated under the GDPR). Personal Data The definition of personal data in the GDPR expands upon the text of the definition contained in the Data Protection Directive (Directive 95/46/EC, “DPD”) by explicitly referencing additional examples 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), available at http://eur-lex.europa.eu/eli/reg/2016/679/oj/.
  • 5. 5 Working Paper 2 - The Definition of Personal Data of identifiers, such as online identifiers, and factors that can be used to identify a person. Article 4(1) of the GDPR states: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Recitals 26 and 30 provide additional insight into the definition of personal data. Recital 26 introduces the concept of making a person identifiable by “singling out” that person, directly or indirectly. It indicates that one must consider all means reasonably likely to be used to identify the person, taking into account all objective factors when making such a determination. Recital 26 states: “...To determine whether a natural person is identifiable, account should be takenof all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.” Recital 30 indicates that identification may occur by associating online identifiers, such as cookie IDs and IP addresses, with other information to create profiles. Recital 30 states: “Natural persons maybe associated with onlineidentifiers provided bytheirdevices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” These provisions expand the scope of personal data significantly from common interpretations under the DPD. While the digital advertising industry has often interpreted unique online identifiers such as cookie IDs to be outside the scope of data protection law where they were not coupled with personally identifying details (such as name or email address), these online identifiers are likely to fall within the scope of personal data under the GDPR in many circumstances. As described in Recital 26, one will need to look at all means reasonably likely to be used in the circumstances to identify the underlying natural person to determine if the data is personal data; however, as a general matter under the GDPR, data such as online identifiers should be treated as personal data
  • 6. 6 Working Paper 2 - The Definition of Personal Data unless a valid argument can be made that the data subject is not (directly or indirectly) identifiable and cannot be singled out. The determination whether a piece of data is personal data will be context specific. For example, an IP address that corresponds to a public “hot spot” such as a coffee shop, and is used by hundreds of customers every day, by itself is unlikely to comprise personal data. However, if the company links that common IP address with other information that would allow it to single out one individual, then the IP address is likely to be personal data. Similarly, a truncated IP address would not be personal data where the holder of that truncated IP address has no reasonable means to identify the individual. However, if the holder of the truncated IP address can, using reasonable means at its disposal, collect additional information that would allow it to single out the individual, then even that truncated IP address is likely to be personal data. Companies should remember that personal data encompasses more data than what is typically considered personally identifiable information (or PII) in some jurisdictions outside of the EU. In instances where it is unclear whether data is personaldata, treating it as personal data would be the prudent course of action, particularly given the potential for high fines under the GDPR. Anonymous Data Like the DPD before it, the GDPR does not apply to anonymous data. Recital 26 explains that anonymous information does not relate to an identified or identifiable person. Recital 26 states: “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” The Article 29 Working Party, in its prior Opinion 05/2014 on Anonymisation Techniques, referred to anonymisation as “a technique applied to personal data in order to achieve irreversible de- identification.” That opinion sets out various anonymisation techniques and highlights that “case studies and research publications have shownhow difficult it is to create a truly anonymous dataset whilst retaining as much of the underlying information as required for the task.” Where a company holds data that is truly anonymous, the GDPR does not apply to that data. For example, a piece of general location information that does not identify an individual is anonymous data that is not subject to GDPR. If a company holds the name of a large city (e.g., Brussels), does not associate any other identifying information, and is not reasonably likely to obtain or use
  • 7. 7 Working Paper 2 - The Definition of Personal Data additional information that could associate the location with an individual, then the data is anonymous. Aggregated data that does not relate to one user, but relates to an entire group of users, is anonymous data as long as the individuals whose data is in the pool cannot be identified. The analysis of whether a particular piece of information, or group of information, is anonymous is context specific and not always clear. Where a company is unsure whether the data it holds is personal data or anonymous data, treating the data as personal data is a prudent course of action. Pseudonymous Data The GDPR introduces the concept of pseudonymous data as a subset of personal data that cannot be attributed to a specific data subject without additional information. Article 4(5) states: “‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” Pseudonymisation was not addressed in the DPD and many in the advertising industry have considered pseudonymous data to be outside the scope of personal data in the DPD and thus outside the scope of the DPD. Under the GDPR, pseudonymisation does not render a data set anonymous (and therefore out of the GDPR’s scope). Recital 26 clarifies that pseudonymous data is in scope of the GDPR: “…Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…” However, as described in Article 11, pseudonymisation may exclude the data from certain GDPR obligations that specifically require identification, such as subject access and the right to rectification, erasure and data portability (Articles 15-20). Online identifiers, such as cookie IDs that are associated with online browsing history, are often going to be personal data under the GDPR, although a context specific analysis always applies. Pseudonymisation is recognized as a safeguard that reduces the risks to data subjects and helps controllers and processors meet their data protection obligations. Recital 28 recognizes this benefit of pseudonymisation, stating:
  • 8. 8 Working Paper 2 - The Definition of Personal Data “The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data- protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.” The GDPR explicitly recognizes pseudonymisation as a safeguard that can contribute to permissible processing for a secondary use. Article 6(4) says: “Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: … (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.” Article 89(1) recognizes pseudonymisation as a safeguard for processing for archiving in the public interest, scientific or historical research purposes or statistical purposes. Article 89(1) states: “Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measuresare in placein particular in order toensurerespect fortheprincipleof data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.” Importantly, the GDPR recognizes that pseudonymisation of personal data is possible by a controller where that controller holds additional information that could be used to attribute that data to an individual data subject, as long as the controller has taken technical and organisational measures to keep that information separate. Recital 29 says: “In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller
  • 9. 9 Working Paper 2 - The Definition of Personal Data processing the personal data should indicate the authorised persons within the same controller.” Article 25(1) of the GDPR recognizes that technical and organizational measures such as pseudonymisation should be designed “both at the time of the determination of the means of processing and at the time of the processing itself.” This design supports two equally relevant concepts of pseudonymisation. First is the collection of data in a way that allows a controller to hold data that cannot be attributed to a specific data subject without the use of additional information. In other words, the data is pseudonymous at its collection, use and storage. For example, some ad tech companies never collect information to directly identify the end user; rather, they only collect a randomised cookie ID and associated URLs visited, which allow a browser to be recognised but the end user cannot be directly identified. This data is pseudonymous in the hands of that ad tech company because that company does not have nor has reasonable access to additional information that would allow it to directly identify the data subject. The second concept of pseudonymisation is as a process that companies can apply to personal data, for example using encryption, hashing or tokenization techniques, to ensure the data is not linked to an identified or identifiable natural person. For example, a company may collect full name, mailing address, account number and URLs visited. If it holds that information in its subscriber database, it could create a separate database of data that has been pseudonymised by removing the name and mailing address information and hashing the account number. If the company puts appropriate technical and organisational measures in place to keep the databases separate and prevent re-attribution of the pseudonymised data, then the second database is a pseudonymous database that could, for example, be used for research purposes in a privacy-friendly way. An IP address is an example of data that could be anonymous data, pseudonymous personal data, or non-pseudonymous personal data, depending on the specific circumstances. Referenced earlier in this paper is an example of a common IP address at a “hot spot” that is anonymous data when held without any other information because it does not identify or make an individual identifiable. Also, referenced earlier in this paper is an example of a truncated IP address that alone is not personal data, but becomes personal data if the holder of that truncated IP address can reasonably associate the truncated IP address with additional information to allow the holder to identify the individual. If the only additional data held is the missing octet, then the data would be pseudonymous personal data; however, if the additional data held is the missing octet plus information such as a name and address associated with the IP address, then that combined data would be non-pseudonymous personal data. Companies are urged to engage in a context specific analysis of the data they hold to determine whether it is personal data. Special Categories of Personal Data The GDPR, like the DPD, recognizes certain special categories of personal data that cannot be processed unless stringent requirements (contained in Article 9(2)) are met, such as explicit consent
  • 10. 10 Working Paper 2 - The Definition of Personal Data by the data subject. Article 9(1) outlines the special categories of sensitive data as: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;” genetic data or biometric data; and data concerning health or a natural person's sex life or sexual orientation. Data relating to criminal convictions and offences are also subject to restrictions. Article 10, like the DPD, restricts its processing to the control of official authorities or instances where national law may provide derogations. Companies wishing to process special categories of personal data or data relating to criminal offences should be sure to comply with the more stringent processing requirements. Conclusion The GDPR expands on the definition of personal data contained in the DPD and thus expands the scope of EU data protection law. Under the GDPR, online identifiers and information associated with those online identifiers will often constitute personal data. Where the information collected is pseudonymous, it will be considered personal data, and the pseudonymisation will act as a safeguard, bringing benefit to the data subject and excluding the data from certain GDPR obligations. The types of pseudonymous data commonly used by companies in the online advertising industry, such as device advertising identifiers and cookie ids, will (depending on the specific situation of the company processing the data) generally fall into the category of personal data and thus be subject to the requirements of the GDPR. Companies in the digital advertising space should carefully examine their data processing activities to ensure that if they process personal data, that processing complies with the GDPR.
  • 11. IAB Europe’s GDPR Implementation Working Group brings together leading experts from across the digital advertising industry to discuss the European Union’s new data protection law, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector. The GDPR Implementation Working Group is a member-driven forum for discussion and thought leadership, its important contribution to the digital advertising industry’s GDPR compliance efforts is only possible thanks to the work and leadership of its many participating members. For more information please contact: Matthias Matthiesen (matthiesen@iabeurope.eu) Senior Manager – Privacy & Public Policy IAB Europe Chris Hartsuiker (hartsuiker@iabeurope.eu) Public Policy Officer IAB Europe About the IAB Europe GDPR Implementation Working Group