Definition of the term

The definition of the term personal data is found in Article 4(1) of the GDPR. According to its wording, it is information about an identified or identifiable natural person (“data subject”).

The provision indicates that an identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of identifiers such as:
1) name, identification number, location data, internet identifier;
2) one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.

The definition has been expanded compared to the definition in the DPA (Article 6(1) and (2)). The EU lawmaker has explicitly indicated that location data, Internet identifiers and genetic information are factors that should definitely be treated as enabling identification.

According to recital 26 of the GDPR:

1) to determine whether an individual is identifiable, it is necessary to take into account all means (including extracting records relating to the same person) that are reasonably likely to be used by the controller or another person to identify the individual directly or indirectly;
2) to determine whether a means is reasonably likely to be used to identify an individual, it is necessary to take into account all objective factors, such as the cost and time required to identify the individual, and to take into account the technology available at the time of processing and technological progress.

The existing DPA regulation assumes that information is not considered to identify a person if it would require excessive cost, time and effort. The GDPR does not contain such a categorical stipulation, but the interpretive guidance in recital 26 of the GDPR conveys a similar meaning. The wording of the aforementioned provisions of the GDPR indicates that the GIODO’s guidance on interpreting the concept of “personal data”, created under the provisions of the PDPA, will not become obsolete after the GDPR enters into force. GIODO points out that information can constitute personal data on its own (e.g. PESEL number) or only in combination with other information, where only the combination makes it possible to determine the identity of a given natural person. Consequently, even very general information (e.g., age) can be personal data if, when juxtaposed with other information, it makes it possible to determine identity.

Information not subject to GDPR regulations

According to recitals 26 and 27 of the GDPR, information to which the GDPR provisions will not apply is:

1) anonymous information – that is, information that does not involve an identified or identifiable natural person;
2) personal data anonymized in such a way that the subjects cannot be identified at all or are no longer identifiable;
3) data of deceased persons.

Internet identifiers as personal data

An Internet identifier, according to Article 4(1) of the GDPR, is one of the pieces of information on the basis of which an individual can be identified. The fact that a separate recital (recital 30 of the GDPR) is devoted to this information shows that the EU legislator considers it important. Recital 30 of the GDPR states that assigning to individuals online identifiers (such as IP addresses and cookie identifiers) generated by their devices, applications, tools and protocols can leave traces that, especially when combined with unique identifiers and other information obtained by servers, can be used to create profiles and to identify those individuals.

In Case C-582/14 Breyer, the Court of Justice of the EU was asked whether an Internet protocol address (IP address) that a service provider records in connection with access to its website already constitutes personal data for that provider when a third party (here, the access provider) has the additional knowledge required to identify the person in question. The Court agreed with the applicant’s view. It held that since, under specific circumstances, even a variable IP address allows indirect identification of a website user, it constitutes personal data. The judgment therefore settles that the mere recording of an IP address by a service provider can already constitute the collection of personal data, if the service provider is able to identify the Internet user using it. Although the ruling is based on the interpretation of the provisions of Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, it will undoubtedly also have an impact on the application of the GDPR provisions.

Comparison of the provisions of the DPA/GDPR:

UODO – Art. 6.
1. For the purposes of the Act, personal data shall be any information relating to an identified or identifiable natural person.
2. An identifiable person is a person whose identity can be determined directly or indirectly, in particular by reference to an identification number or one or more specific factors defining his physical, physiological, mental, economic, cultural or social characteristics.
3. Information shall not be considered to identify a person if it would require excessive cost, time or effort.

GDPR – Article 4 Definitions (for the purposes of this regulation):
1. “personal data” means information about an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;