
Personal data under the GDPR: reading the law

For a long time I read interpretations of the GDPR. For some reason I was sure that I could not read the original regulation because of its highly complex legal language, and that people smarter than me had long since read it all and produced digests. But after reading these "digests" I had so much rubbish in my head that it became sickening. The more of such texts I read, the less I understood what was going on, instead of finally understanding at least something. There is an especially large amount of disagreement over what counts as personal data under the GDPR; everyone has their own opinion. For some, X (substitute IP, IDFA, Google Advertising ID, email, etc.) is personal data; for others it is not.

Imagine my surprise when I realized that the regulation is written in quite human language, and that it contains fewer contradictions and possible ambiguities than is customarily claimed.

In this article I will try to focus only on what counts as personal data for the GDPR. Of course, this is just another interpretation, and from a person far from lawmaking (I work as technical director in a small Russian company). But there is no harm in trying. Perhaps the article will push you to read the law.

I recommend reading it here. This is not the original, but it is much more convenient to read there.

Definition of personal data

Art. 4 (1):
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
What can be understood from this:

  1. Personal data is, in general, any data that can be associated with an individual. It makes no sense to argue whether an individual piece of data is personal or not. If all the data you hold on a user can be associated with an individual, then all of it is personal data. Lists of orders, devices, purchases, notes, comments, addresses; in general, everything a user can leave with you while using your product is potentially personal data.
  2. The data may already be directly related to the individual (“an identified natural person”), i.e. it is clearly spelled out whose data it is (for example, names and year of birth are tied to it), or it may be potentially linkable to the individual (“an identifiable natural person”) by means of available methods (more on this below).
  3. User IDs, such as logins, IDFA and AAID, some identifiers in cookies, unique numbers in the system, may be linked to particular individuals in your system. However, these identifiers (as well as all the data associated with them) become personal data (and fall under the GDPR) only when the individuals represented by these identifiers can potentially be identified in the real world (“an identifiable natural person”).

What is "identifiable"

Excerpt from Recital 26:
“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”
This says that the term “an identifiable natural person” is to be understood as an individual who can be identified by any means available to you with reasonable probability and with a reasonable expenditure of resources. You assess “reasonableness” yourself, and you should be prepared to defend that assessment in court if it ever comes to that.

Recital 30:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and to identify them.”
This again means that by collecting many different pieces of data about a user, we can eventually identify an individual in the real world. And then everything that we collected becomes personal data.

Anonymous data

Another excerpt from Recital 26:
“The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”
So, if it is impossible to identify an individual from the data you hold (within reasonable limits, see above), then all the data on the user of your system is anonymous and is not subject to the GDPR.

Instead of a conclusion

You can often find questions like “Is the user's IP address personal data?” If you find yourself asking such or similar questions, then most likely you do not understand what personal data is within the framework of the GDPR.

Taken out of context, such a question makes no sense. Let's look at the case of IP addresses. There are two aspects here.

First, the IP address can be viewed simply as part of the data you collect about the user. If you can potentially determine the real individual behind this user (not necessarily through this IP address, but in general, using all the tools and data available to you), then all the data you collected (the IP address among it) is personal data.

Second, an IP address can be considered as data with whose help an individual can be identified. It all depends on what else you collect besides the IP address. If all you remember is the IP address of a cafe visitor who used the shared Internet access point, then this address can hardly be considered personal data (so do not worry much about the IP addresses in your logs). But if, in addition to the IP address, you collect something else that, together with this IP address, makes it possible to identify a specific visitor, for example the time and frequency of visits to the cafe and/or the visitors' orders, then everything you collected (the IP address included) is personal data.

Source: https://habr.com/ru/post/360527/