As mentioned in our previous article, the General Data Protection Regulations (“GDPR”) apply to organizations that control or process personal data of subjects in the European Union.
We have written various articles on the Personal Data Protection Act 2010 of Malaysia (“PDPA”), including the meaning of personal data under the PDPA. What about the term “Personal Data” used in the GDPR? Does it mean the same thing?
Definition of Personal Data under the GDPR
The GDPR defines personal data as “any information relating to an identified or identifiable natural person”.
As such, personal data includes information relating to an individual who:
- can be identified, or is identifiable, directly from the information in question (i.e. an identifier); or
- can be identified indirectly from that information in combination with other information.
Identified & Identifiable
If, by looking solely at the information one is processing, an individual can be distinguished from other individuals, then the individual is identified or identifiable.
To determine whether an individual is identifiable, one should consider the means reasonably likely to be used to identify the individual.
Reasonable likelihood, meanwhile, takes into account objective factors such as the cost and effort required for identification, including the technology available at the time of processing.
To boil it down, if it is easy for one to identify an individual from the information being processed, the information will be personal data in the context of the GDPR.
The GDPR helpfully lists out non-exhaustive examples of identifiers, including names, identification numbers, location data, online identifiers or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
Interestingly, the GDPR specifically lists online identifiers as an example of identifiers.
Online identifiers are provided by a user’s device, applications, tools and protocols, and include internet protocol addresses, cookie identifiers and radio frequency identification tags. Used together with other unique identifiers and information received by the servers, online identifiers may be used to create profiles of natural persons.
Contrast with the PDPA
Under the PDPA, personal data means information processed in respect of commercial transactions, from which a data subject can “be identified or is identifiable”. 
As we can see from above, the GDPR takes a similar approach to the PDPA by not setting out hard and fast rules as to what classes of information are personal data. Both focus on the identifiability of a data subject to determine whether or not a class of information would constitute personal data.
However, the GDPR applies to automated processing of personal data that forms, or is intended to form, part of a filing system. As such, the application of the GDPR does not seem to be limited to “commercial transactions”. The GDPR further lists specific examples of identifiers, and its recitals give more guidance on determining the “identifiability” of any class of information.
A note on pseudonymisation vs anonymization
The GDPR introduces the concept of pseudonymisation, which means processing personal data in such a way that a specific data subject can no longer be identified without additional information.
Pseudonymisation should be contrasted with anonymization, which means irreversibly destroying any means of identifying data subjects once the personal data is no longer needed by the organization. The GDPR does not apply to personal data anonymized by the processing organization. However, the GDPR will apply to pseudonymized data, because it remains possible for the organization to re-identify an individual from the pseudonymized information together with the additional information it holds.
Nevertheless, pseudonymisation remains one of the organizational measures recommended in the GDPR to ensure the security of personal data.
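To make the pseudonymisation/anonymization distinction concrete, the following is an added example written for this article (not part of the original, and not any organization's actual procedure). The records, field names and key are constructed; the point it demonstrates is that the pseudonymised output is reversible by whoever holds the key or lookup table, while the anonymised output retains nothing that can be reversed.

```python
import hashlib
import hmac

# Constructed sample records (not real data).
RECORDS = [
    {"name": "Alice Tan", "email": "alice@example.com", "city": "Kuala Lumpur", "age": 34},
    {"name": "Bob Lim", "email": "bob@example.com", "city": "Penang", "age": 41},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed HMAC token.

    The key (and the lookup table built here) is the 'additional information'
    the GDPR refers to: anyone holding it can re-identify the subject, so the
    output is still personal data and must be stored apart from the key.
    """
    pseudonymised, lookup = [], {}
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = token
        pseudonymised.append(stripped)
    return pseudonymised, lookup


def reidentify(pseudonymised, lookup):
    """Reverse pseudonymisation using the separately held lookup table.
    Holding only the key also suffices: recompute the HMAC over candidate
    e-mail addresses and match the tokens."""
    return [{**rec, **lookup[rec["subject_id"]]} for rec in pseudonymised]


def anonymise(records):
    """Drop direct identifiers and generalise the remaining quasi-identifiers
    (exact age -> ten-year band). No key or table is kept, so the step cannot
    be undone by the organization; the result falls outside the GDPR."""
    return [{"city": r["city"], "age_band": f"{r['age'] // 10 * 10}s"} for r in records]


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-separate-from-data"
    pseudo, table = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseudo)
    print("re-identified:", reidentify(pseudo, table))
    print("anonymised:   ", anonymise(RECORDS))
```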