This second output of the GIG focuses on the definition of Personal Data under the GDPR, explaining how it will affect companies in the online advertising space.
GIG Working Paper 02/2017 - The Definition of Personal Data
WHITE PAPER
IAB Europe GDPR Implementation Working Group
THE DEFINITION OF PERSONAL DATA
Working Paper 02/2017
About IAB Europe
IAB Europe is the voice of digital business and the leading European-level industry association for
the interactive advertising ecosystem. Its mission is to promote the development of this innovative
sector by shaping the regulatory environment, investing in research and education, and developing
and facilitating the uptake of business standards.
About the GDPR Implementation Group
IAB Europe’s GDPR Implementation Working Group brings together leading experts from across the
digital advertising industry to discuss the European Union’s new data protection law, share best
practices, and agree on common interpretations and industry positioning on the most important
issues for the digital advertising sector. The GDPR Implementation Working Group is a member-
driven forum for discussion and thought leadership; its important contribution to the digital
advertising industry’s GDPR compliance efforts is only possible thanks to the work and leadership
of its many participating members.
Acknowledgements
The GDPR Compliance Primer has been prepared by the members of the IAB Europe GDPR
Implementation Group under the leadership of Quantcast.
Contacts
Matthias Matthiesen (matthiesen@iabeurope.eu)
Senior Manager – Privacy & Public Policy, IAB Europe
Chris Hartsuiker (hartsuiker@iabeurope.eu)
Public Policy Officer, IAB Europe
Working Paper 2 - The Definition of Personal Data
Contents
Executive Summary
Overview
Personal Data Under the GDPR
    Personal Data
    Anonymous Data
    Pseudonymous Data
    Special Categories of Personal Data
    Conclusion
Executive Summary
• The definition of personal data under the GDPR is very broad and intentionally all-
encompassing. Pseudonymous data is defined as a sub-category of personal data, and still
triggers full application of the GDPR.
• Cookies and other device and online identifiers (IP addresses, IDFA, AAID, etc.) are explicitly
called out as examples of personal data under the GDPR.
• Due to this broad definition, it is highly likely that any data being processed in the online
advertising ecosystem falls within the definition of personal data. As the definition is
extremely broad, it is prudent to err on the side of caution and assume data is personal.
• Where data might appear to fall outside of the scope of personal data, a careful analysis
should be carried out to substantiate this on a case-by-case basis. Depending on the
circumstances, the same piece of data (e.g. an IP address) may be personal, pseudonymous,
or anonymous data. This depends on the circumstances in which an IP address is obtained,
for which purposes it is used, and who receives the IP address.
Overview
On 27 April 2016, the European Union adopted the General Data Protection Regulation
(“GDPR”).[1] The GDPR will become directly applicable law in the European Union (“EU”) and
European Economic Area (“EEA”) on 25 May 2018, superseding national data protection laws
currently in place.
The GDPR will not only apply to companies based in the EU but also to companies all over the globe
offering goods and services to people based in the territory of the Union, or monitoring the behaviour
of individuals located within it. Data protection law regulates the processing of personal data,
defined broadly as any information that relates to an identified or identifiable natural person, which
may include, amongst others, online and device identifiers that can be used to single out a natural
person, for example for digital advertising purposes.
The GDPR grants data protection authorities the power to levy significant administrative fines
against businesses found in breach of the law. Depending on the severity of the infringement, fines
can reach up to € 20,000,000 or 4 per cent of a company’s annual global turnover – whichever is
higher.
This document has been prepared by members of the IAB Europe GDPR Implementation Group to
provide guidance to companies across the globe on understanding what the definition of personal
data means for them.
Personal Data Under the GDPR
The definition of “personal data” is fundamental to data protection law because the GDPR only
applies to personal data. Data that is not personal data falls outside the scope of the GDPR. While
the digital advertising industry, and other businesses that use similar technologies, have often
interpreted unique online identifiers such as cookie IDs and mobile device advertising IDs to be
outside the scope of data protection law where they were not coupled with personally identifying
details (such as name or email address), these online identifiers are likely to fall within the scope of
personal data under the GDPR in many circumstances. Therefore, it is critical that companies
involved in digital advertising understand how the definition of personal data in the GDPR
applies to them.
This paper examines the scope of personal data under the GDPR, including the concepts of
anonymous data (which is not personal data and not regulated under the GDPR) and
pseudonymous data (which is personal data and is regulated under the GDPR).
Personal Data
The definition of personal data in the GDPR expands upon the text of the definition contained in the
Data Protection Directive (Directive 95/46/EC, “DPD”) by explicitly referencing additional examples
of identifiers, such as online identifiers, and factors that can be used to identify a person. Article 4(1)
of the GDPR states:
“‘personal data’ means any information relating to an identified or identifiable
natural person (‘data subject’); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an identifier such as a
name, an identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.”
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation), available at http://eur-lex.europa.eu/eli/reg/2016/679/oj/.
Recitals 26 and 30 provide additional insight into the definition of personal data. Recital 26
introduces the concept of making a person identifiable by “singling out” that person, directly or
indirectly. It indicates that one must consider all means reasonably likely to be used to identify the
person, taking into account all objective factors when making such a determination. Recital 26
states:
“...To determine whether a natural person is identifiable, account should be taken of
all the means reasonably likely to be used, such as singling out, either by the
controller or by another person to identify the natural person directly or indirectly.
To ascertain whether means are reasonably likely to be used to identify the natural
person, account should be taken of all objective factors, such as the costs of and the
amount of time required for identification, taking into consideration the available
technology at the time of the processing and technological developments.”
Recital 30 indicates that identification may occur by associating online identifiers, such as cookie
IDs and IP addresses, with other information to create profiles. Recital 30 states:
“Natural persons may be associated with online identifiers provided by their devices,
applications, tools and protocols, such as internet protocol addresses, cookie
identifiers or other identifiers such as radio frequency identification tags. This
may leave traces which, in particular when combined with unique identifiers and
other information received by the servers, may be used to create profiles of the
natural persons and identify them.”
These provisions expand the scope of personal data significantly from common interpretations
under the DPD. While the digital advertising industry has often interpreted unique online identifiers
such as cookie IDs to be outside the scope of data protection law where they were not coupled with
personally identifying details (such as name or email address), these online identifiers are likely to
fall within the scope of personal data under the GDPR in many circumstances. As described in
Recital 26, one will need to look at all means reasonably likely to be used in the circumstances to
identify the underlying natural person to determine if the data is personal data; however, as a
general matter under the GDPR, data such as online identifiers should be treated as personal data
unless a valid argument can be made that the data subject is not (directly or indirectly) identifiable
and cannot be singled out.
The determination whether a piece of data is personal data will be context specific. For example,
an IP address that corresponds to a public “hot spot” such as a coffee shop, and is used by hundreds
of customers every day, by itself is unlikely to comprise personal data. However, if the company
links that common IP address with other information that would allow it to single out one
individual, then the IP address is likely to be personal data.
Similarly, a truncated IP address would not be personal data where the holder of that truncated IP
address has no reasonable means to identify the individual. However, if the holder of the truncated
IP address can, using reasonable means at its disposal, collect additional information that would
allow it to single out the individual, then even that truncated IP address is likely to be personal
data.
Companies should remember that personal data encompasses more data than what is
typically considered personally identifiable information (or PII) in some jurisdictions outside
of the EU. In instances where it is unclear whether data is personal data, treating it as personal
data would be the prudent course of action, particularly given the potential for high fines
under the GDPR.
Anonymous Data
Like the DPD before it, the GDPR does not apply to anonymous data. Recital 26 explains that
anonymous information does not relate to an identified or identifiable person. Recital 26 states:
“The principles of data protection should therefore not apply to anonymous
information, namely information which does not relate to an identified or
identifiable natural person or to personal data rendered anonymous in such a
manner that the data subject is not or no longer identifiable. This Regulation does
not therefore concern the processing of such anonymous information, including for
statistical or research purposes.”
The Article 29 Working Party, in its prior Opinion 05/2014 on Anonymisation Techniques, referred to
anonymisation as “a technique applied to personal data in order to achieve irreversible de-
identification.” That opinion sets out various anonymisation techniques and highlights that “case
studies and research publications have shown how difficult it is to create a truly anonymous dataset
whilst retaining as much of the underlying information as required for the task.”
Where a company holds data that is truly anonymous, the GDPR does not apply to that data. For
example, a piece of general location information that does not identify an individual is anonymous
data that is not subject to GDPR. If a company holds the name of a large city (e.g., Brussels), does
not associate any other identifying information, and is not reasonably likely to obtain or use
additional information that could associate the location with an individual, then the data is
anonymous.
Aggregated data that does not relate to one user, but relates to an entire group of users, is
anonymous data as long as the individuals whose data is in the pool cannot be identified.
The analysis of whether a particular piece of information, or group of information, is
anonymous is context specific and not always clear. Where a company is unsure whether the
data it holds is personal data or anonymous data, treating the data as personal data is a
prudent course of action.
Pseudonymous Data
The GDPR introduces the concept of pseudonymous data as a subset of personal data that
cannot be attributed to a specific data subject without additional information. Article 4(5) states:
“‘pseudonymisation’ means the processing of personal data in such a manner that
the personal data can no longer be attributed to a specific data subject without the
use of additional information, provided that such additional information is kept
separately and is subject to technical and organisational measures to ensure that
the personal data are not attributed to an identified or identifiable natural person.”
Pseudonymisation was not addressed in the DPD and many in the advertising industry have
considered pseudonymous data to be outside the scope of personal data in the DPD and thus
outside the scope of the DPD. Under the GDPR, pseudonymisation does not render a data set
anonymous (and therefore out of the GDPR’s scope). Recital 26 clarifies that pseudonymous
data is in scope of the GDPR:
“…Personal data which have undergone pseudonymisation, which could be
attributed to a natural person by the use of additional information should be
considered to be information on an identifiable natural person…”
However, as described in Article 11, pseudonymisation may exclude the data from certain GDPR
obligations that specifically require identification, such as subject access and the right to
rectification, erasure and data portability (Articles 15-20). Online identifiers, such as cookie IDs
that are associated with online browsing history, are often going to be personal data under
the GDPR, although a context specific analysis always applies.
Pseudonymisation is recognized as a safeguard that reduces the risks to data subjects and helps
controllers and processors meet their data protection obligations. Recital 28 recognizes this benefit
of pseudonymisation, stating:
“The application of pseudonymisation to personal data can reduce the risks to the
data subjects concerned and help controllers and processors to meet their data-
protection obligations. The explicit introduction of ‘pseudonymisation’ in this
Regulation is not intended to preclude any other measures of data protection.”
The GDPR explicitly recognizes pseudonymisation as a safeguard that can contribute to permissible
processing for a secondary use. Article 6(4) says:
“Where the processing for a purpose other than that for which the personal data
have been collected is not based on the data subject's consent or on a Union or
Member State law which constitutes a necessary and proportionate measure in a
democratic society to safeguard the objectives referred to in Article 23(1), the
controller shall, in order to ascertain whether processing for another purpose is
compatible with the purpose for which the personal data are initially collected, take
into account, inter alia: … (e) the existence of appropriate safeguards, which may
include encryption or pseudonymisation.”
Article 89(1) recognizes pseudonymisation as a safeguard for processing for archiving in the public
interest, scientific or historical research purposes or statistical purposes. Article 89(1) states:
“Processing for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes, shall be subject to appropriate
safeguards, in accordance with this Regulation, for the rights and freedoms of the
data subject. Those safeguards shall ensure that technical and organisational
measures are in place in particular in order to ensure respect for the principle of data
minimisation. Those measures may include pseudonymisation provided that those
purposes can be fulfilled in that manner. Where those purposes can be fulfilled by
further processing which does not permit or no longer permits the identification of
data subjects, those purposes shall be fulfilled in that manner.”
Importantly, the GDPR recognizes that pseudonymisation of personal data is possible by a
controller where that controller holds additional information that could be used to attribute that
data to an individual data subject, as long as the controller has taken technical and organisational
measures to keep that information separate. Recital 29 says:
“In order to create incentives to apply pseudonymisation when processing personal
data, measures of pseudonymisation should, whilst allowing general analysis, be
possible within the same controller when that controller has taken technical and
organisational measures necessary to ensure, for the processing concerned, that
this Regulation is implemented, and that additional information for attributing
the personal data to a specific data subject is kept separately. The controller
processing the personal data should indicate the authorised persons within the
same controller.”
Article 25(1) of the GDPR recognizes that technical and organizational measures such as
pseudonymisation should be designed “both at the time of the determination of the means of
processing and at the time of the processing itself.” This design supports two equally relevant
concepts of pseudonymisation.
First is the collection of data in a way that allows a controller to hold data that cannot be attributed
to a specific data subject without the use of additional information. In other words, the data is
pseudonymous at its collection, use and storage. For example, some ad tech companies never
collect information to directly identify the end user; rather, they only collect a randomised cookie
ID and associated URLs visited, which allow a browser to be recognised but do not allow the end
user to be directly identified. This data is pseudonymous in the hands of that ad tech company
because that company neither has nor has reasonable access to additional information that would
allow it to directly identify the data subject.
The second concept of pseudonymisation is as a process that companies can apply to personal
data, for example using encryption, hashing or tokenization techniques, to ensure the data is not
linked to an identified or identifiable natural person. For example, a company may collect full name,
mailing address, account number and URLs visited. If it holds that information in its subscriber
database, it could create a separate database of data that has been pseudonymised by removing
the name and mailing address information and hashing the account number. If the company puts
appropriate technical and organisational measures in place to keep the databases separate and
prevent re-attribution of the pseudonymised data, then the second database is a pseudonymous
database that could, for example, be used for research purposes in a privacy-friendly way.
An IP address is an example of data that could be anonymous data, pseudonymous personal data,
or non-pseudonymous personal data, depending on the specific circumstances. Referenced earlier
in this paper is an example of a common IP address at a “hot spot” that is anonymous data when
held without any other information because it does not identify or make an individual identifiable.
Also referenced earlier in this paper is an example of a truncated IP address that alone is not
personal data, but becomes personal data if the holder of that truncated IP address can reasonably
associate the truncated IP address with additional information to allow the holder to identify the
individual. If the only additional data held is the missing octet, then the data would be
pseudonymous personal data; however, if the additional data held is the missing octet plus
information such as a name and address associated with the IP address, then that combined data
would be non-pseudonymous personal data. Companies are urged to engage in a context
specific analysis of the data they hold to determine whether it is personal data.
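The second concept above (dropping name and mailing address, hashing the account number) and the truncated IP address case can be sketched as follows. This is an added example, not code from the IAB Europe paper: the field names, the six-digit account-number space and the key handling are assumptions, and a keyed hash (HMAC-SHA256) is used in place of a plain hash so that the key is the separately held additional information. The enumeration check shows why that matters: an unkeyed hash of a short account number can be re-attributed by anyone.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample row from a subscriber database (field names are assumptions).
SUBSCRIBER = {
    "name": "Alex Example",
    "mailing_address": "1 Sample Street, Brussels",
    "account_number": "482917",          # constructed 6-digit account number
    "ip": "198.51.100.77",               # documentation-range address
    "urls": ["https://news.example/a", "https://shop.example/b"],
}
DIRECT_IDENTIFIERS = ("name", "mailing_address")


def keyed_pseudonym(account_number: str, key: bytes) -> str:
    """HMAC-SHA256 token; the key is the separately kept additional information."""
    return hmac.new(key, account_number.encode(), hashlib.sha256).hexdigest()


def truncate_ip(ip: str) -> str:
    """Drop the last octet of an IPv4 address (keep only a /48 for IPv6)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymise(record: dict, key: bytes) -> dict:
    """Build the row for the second database: no name, no address, tokenised account."""
    row = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "account_number"}
    row["subject_token"] = keyed_pseudonym(record["account_number"], key)
    row["ip"] = truncate_ip(record["ip"])
    return row


def recover_by_enumeration(digest: str, digits: int = 6):
    """Check whether a digest is a plain SHA-256 of any account number in the space.

    Returns the account number if found, else None. This needs no secret, so it
    succeeds against an unkeyed hash and fails against an HMAC token.
    """
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # store outside the pseudonymised database
    row = pseudonymise(SUBSCRIBER, key)
    plain = hashlib.sha256(SUBSCRIBER["account_number"].encode()).hexdigest()
    print(row)
    print("unkeyed hash reversed to:", recover_by_enumeration(plain))
    print("keyed token reversed to: ", recover_by_enumeration(row["subject_token"]))
```

Whether the resulting rows count as pseudonymous or anonymous still depends on who holds the key and what other information can reasonably be linked to them, as the paper stresses.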
Special Categories of Personal Data
The GDPR, like the DPD, recognizes certain special categories of personal data that cannot be
processed unless stringent requirements (contained in Article 9(2)) are met, such as explicit consent
by the data subject. Article 9(1) outlines the special categories of sensitive data as: “personal data
revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union
membership;” genetic data or biometric data; and data concerning health or a natural person's sex
life or sexual orientation.
Data relating to criminal convictions and offences are also subject to restrictions. Article 10, like the
DPD, restricts their processing to the control of official authorities or instances where national law
may provide derogations.
Companies wishing to process special categories of personal data or data relating to criminal
offences should be sure to comply with the more stringent processing requirements.
Conclusion
The GDPR expands on the definition of personal data contained in the DPD and thus expands the
scope of EU data protection law. Under the GDPR, online identifiers and information associated
with those online identifiers will often constitute personal data. Where the information
collected is pseudonymous, it will be considered personal data, and the pseudonymisation
will act as a safeguard, bringing benefit to the data subject and excluding the data from
certain GDPR obligations. The types of pseudonymous data commonly used by companies in the
online advertising industry, such as device advertising identifiers and cookie ids, will (depending on
the specific situation of the company processing the data) generally fall into the category of
personal data and thus be subject to the requirements of the GDPR. Companies in the digital
advertising space should carefully examine their data processing activities to ensure that if they
process personal data, that processing complies with the GDPR.
About the IAB Europe GDPR Implementation Working Group
IAB Europe’s GDPR Implementation Working Group brings together leading experts from across the
digital advertising industry to discuss the European Union’s new data protection law, share best
practices, and agree on common interpretations and industry positioning on the most important
issues for the digital advertising sector.
The GDPR Implementation Working Group is a member-driven forum for discussion and thought
leadership. Its important contribution to the digital advertising industry’s GDPR compliance
efforts is only possible thanks to the work and leadership of its many participating members.
For more information please contact:
Matthias Matthiesen (matthiesen@iabeurope.eu)
Senior Manager – Privacy & Public Policy
IAB Europe
Chris Hartsuiker (hartsuiker@iabeurope.eu)
Public Policy Officer
IAB Europe