You can access the official legal text of GDPR via the European Union’s legal database at eur-lex.europa.eu.
Recital (24): Profiling and Behavioral Tracking Under EU Data Protection Law
Organizations or individuals outside the European Union must comply with EU data protection rules if they process personal data of people located within the EU, especially when such processing involves monitoring their behavior within EU territory. Monitoring may include tracking individuals online and using techniques like profiling to analyze or predict their preferences, actions, or attitudes—particularly when these insights are used to make decisions about them.
Recital (25): Extending GDPR—Public International Law and Non-EU Controllers
Under public international law, EU data rules apply to non-EU controllers, including those in Member State diplomatic or consular offices.
Recital (26): Defining Personal Data—Identifiability, Pseudonymisation, and Anonymity under the GDPR
“The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
Data protection principles apply to any data linked to a person who is either identified or can be identified. Even if personal data has been pseudonymised, it still falls under these principles if it can be traced back to an individual using additional information. Determining whether someone is identifiable involves considering all methods reasonably likely to be used—such as isolating an individual—whether by the data controller or another party, directly or indirectly. This assessment should factor in objective elements like the cost, time, and available technology, including future advancements. However, these principles do not apply to anonymous data, which cannot be linked to any individual, or to data that has been anonymised in a way that makes identification impossible. Such anonymous data, including that used for research or statistical analysis, is outside the scope of this regulation.
Data Protection Principles
1. Scope of Application
- Applies to any data linked to an identifiable person.
- Includes both directly and indirectly identifiable individuals.
2. Pseudonymised Data
- Still considered personal data if it can be re-identified using additional information.
- Subject to the same data protection principles.
3. Identifiability Assessment
- Must consider all reasonably likely methods of identification.
- Includes actions by the data controller or third parties.
- Can be direct (e.g., name) or indirect (e.g., unique traits).
4. Objective Factors in Assessment
- Cost of identification
- Time required
- Available technology
- Future technological developments
5. Exclusions
- Anonymous Data: Not linked to any individual.
- Anonymised Data: Irreversibly stripped of identifiers.
- These types are outside the scope of data protection regulations.
6. Use Cases for Anonymous Data
- Research
- Statistical analysis
Evaluating Data Under Protection Principles
I. Data Classification
| Category | Description | Examples |
| --- | --- | --- |
| Identified Data | Directly names or identifies a person | Name, ID number, email address |
| Identifiable Data | Can be linked to a person using other data | IP address, device ID, location |
| Pseudonymised Data | Masked identifiers, but reversible with additional info | Tokenized user ID with lookup key |
| Anonymous Data | Irreversibly stripped of identifiers; cannot be linked to a person | Aggregated statistics, randomized survey data |
II. Identifiability Assessment
Determine whether the data can reasonably identify a person:
- Direct Identification: Does the data contain explicit identifiers?
- Indirect Identification: Could someone isolate an individual using:
  - Cross-referencing with other datasets
  - Unique traits or patterns
  - Contextual clues
Assessment Criteria:
- Technology: What tools exist now or are emerging?
- Time: How long would identification take?
- Cost: Is it economically feasible?
- Actors: Could the data controller or third parties do it?
Pseudonymisation vs. Anonymisation
| Feature | Pseudonymised Data | Anonymised Data |
| --- | --- | --- |
| Re-identification | Possible with additional info | Not possible, even with extra data |
| Legal status | Still personal data | Not personal data |
| Protection required | Yes | No |
| Use cases | Internal analytics, limited sharing | Research, public release, statistics |
Regulatory Implications
If data is identified, identifiable, or pseudonymised:
- Must comply with data protection principles (e.g., GDPR)
  - Lawful basis for processing
  - Data minimization
  - Purpose limitation
  - Security safeguards
  - Rights of data subjects
If data is anonymised:
- Outside scope of regulation
- Can be used freely for:
  - Statistical analysis
  - Scientific research
  - Business intelligence
Recital (27): Applicability of Data Protection to Deceased Individuals
This regulation excludes personal data relating to individuals who have passed away. However, individual Member States may establish their own rules for how such data is handled.
Recital (28): Role and Scope of Pseudonymisation in Data Protection
Using pseudonymisation techniques on personal data helps lower risks for individuals and supports data controllers and processors in fulfilling their protection responsibilities. While the regulation formally acknowledges pseudonymisation, it does not limit or exclude the use of other protective measures.
Recital (29): Incentivising Pseudonymisation Through Internal Safeguards and Controlled Access
To encourage the use of pseudonymisation in personal data processing, it should be feasible for a single data controller to carry out general analysis while maintaining safeguards. This requires implementing appropriate technical and organisational measures to ensure compliance with data protection regulations. Additionally, any information that could re-identify individuals must be stored separately, and the controller must clearly designate which individuals within the organisation are authorised to access that information.
“measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller” “… additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller”
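The arrangement Recital (29) describes, sketched as an added example (not code from the Regulation or from this page's author): analysts work on pseudonymised rows, while the key and lookup table live in a separate component that only designated persons may query. The `PseudonymVault` class, the `dpo` role and the sample events are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter


class PseudonymVault:
    """Holds the "additional information" (key and lookup table), kept apart
    from the analytics data set. Hypothetical class, for illustration."""

    def __init__(self, authorised_persons):
        self._key = secrets.token_bytes(32)   # never stored with the data set
        self._lookup = {}                     # pseudonym -> original identifier
        self._authorised = frozenset(authorised_persons)

    def pseudonymise(self, identifier):
        # Keyed HMAC rather than a bare hash: without the key, nobody can
        # recompute pseudonyms from a list of candidate e-mail addresses.
        digest = hmac.new(self._key, identifier.lower().encode(), hashlib.sha256)
        pseudonym = digest.hexdigest()
        self._lookup[pseudonym] = identifier
        return pseudonym

    def reidentify(self, pseudonym, requester):
        # Only persons the controller has designated may reverse the mapping.
        if requester not in self._authorised:
            raise PermissionError(f"{requester} is not authorised to re-identify")
        return self._lookup[pseudonym]


# Constructed sample events (not real data).
EVENTS = [
    {"email": "alice@example.com", "page": "/pricing"},
    {"email": "bob@example.com", "page": "/docs"},
    {"email": "alice@example.com", "page": "/checkout"},
]


def to_analytics_rows(vault, events):
    """Replace the direct identifier with a stable pseudonym."""
    return [{"subject": vault.pseudonymise(e["email"]), "page": e["page"]}
            for e in events]


def visits_per_subject(rows):
    """General analysis that works without knowing who the subjects are."""
    return Counter(row["subject"] for row in rows)


if __name__ == "__main__":
    vault = PseudonymVault(authorised_persons={"dpo"})
    rows = to_analytics_rows(vault, EVENTS)
    print(sorted(visits_per_subject(rows).values()))
    print(vault.reidentify(rows[0]["subject"], "dpo"))
```

Because the vault can reverse the mapping, the analytics rows remain personal data in the sense of Recital (26); the separation lowers risk but does not anonymise.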
Recital (30): Online Identifiers and the Risk of Individual Profiling
Individuals can be linked to online identifiers generated by their devices, apps, tools, or communication protocols—such as IP addresses, cookies, or RFID tags. These identifiers can leave digital traces which, when combined with other unique data collected by servers, may enable the creation of personal profiles and lead to identification.
Recital (31): Disclosure of Personal Data to Public Authorities Under Legal Mandates
“Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.”
When public authorities (like tax offices or financial regulators) request personal data to fulfill their legal duties, they are not considered “recipients” in the usual sense under GDPR. Why? Because they’re not receiving the data for their own purposes—they’re acting under a legal mandate to serve the public interest.
Conditions for This Exception
To qualify for this special status:
- The data request must be:
  - Written: Not verbal or informal
  - Reasoned: Must explain why the data is needed
  - Occasional: Not routine or bulk collection
- The request must not:
  - Involve the entirety of a filing system
  - Lead to interconnection of multiple systems
Data Protection Still Applies
Even though these authorities aren’t “recipients” in the GDPR sense, they must still follow data protection rules—meaning they can only use the data for the specific legal purpose and must safeguard it accordingly.
Recital (32): Requirements for Valid Consent in Personal Data Processing
Consent must be expressed through a clear and deliberate action that confirms the individual’s voluntary, specific, informed, and unmistakable agreement to the processing of their personal data. This can take the form of a written or oral statement, including digital methods such as ticking a box on a website or selecting privacy settings in an online service. Passive behaviors—like silence, pre-selected options, or inaction—do not qualify as valid consent. Consent must apply to all processing activities tied to the same purpose, and if multiple purposes are involved, separate consent is required for each. When consent is requested electronically, the request must be straightforward, transparent, and should not interfere unnecessarily with the user’s experience of the service.
“Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
Recital (33): Flexible Consent for Scientific Research Under Ethical Standards
When collecting personal data for scientific research, it may not always be feasible to define the exact purpose of processing in advance. To address this, individuals should be permitted to provide consent for specific fields or aspects of research, as long as the approach aligns with established ethical standards. This allows participants to limit their consent to particular areas or components of a research project, based on the scope of the intended use.
“Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”
Recital (34): Definition and Scope of Genetic Data in Personal Data Processing
“Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.”
Genetic Data
1. Nature of the Data
- Personal Data: Information that relates to an identifiable natural person.
- Genetic Characteristics: Traits that are either inherited or acquired.
2. Source of the Data
- Biological Sample: Data must originate from a biological sample taken from the individual.
3. Types of Analysis
- Chromosomal Analysis
- DNA (Deoxyribonucleic Acid) Analysis
- RNA (Ribonucleic Acid) Analysis
- Other Equivalent Methods: Any technique that yields similar genetic information.
4. Purpose of the Definition
- To classify genetic data as a specific category of personal data under data protection regulations.
- To ensure appropriate safeguards are applied due to its sensitive nature.
Recital (35): Comprehensive Definition of Health-Related Personal Data Under EU Law
“Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services … to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.”
Personal Data Concerning Health
1. Core Definition
- Refers to any data that reveals the past, present, or future physical or mental health status of an individual.
2. Sources of Health Data
Healthcare services
- Data collected during:
  - Registration for healthcare services
  - Provision of healthcare services
- Includes services covered under Directive 2011/24/EU (cross-border healthcare)
Unique identifiers for health purposes
- Examples:
  - Numbers (e.g. patient ID)
  - Symbols
  - Specific markers assigned to identify individuals in health systems
Medical testing and examination
- Data derived from:
  - Testing or examining body parts or bodily substances
  - Genetic data (e.g. DNA, RNA)
  - Biological samples
3. Types of Health Information
Medical conditions
- Disease
- Disability
- Risk of disease
Medical history
- Past diagnoses
- Previous treatments
- Surgical records
Clinical treatment
- Ongoing or past therapies
- Medication records
- Rehabilitation data
Physiological or biomedical state
- Vital signs
- Lab results
- Imaging data (e.g. X-rays, MRIs)
4. Sources of Data Collection
- Physicians or other health professionals
- Hospitals or clinics
- Medical devices (e.g. wearables, monitors)
- In vitro diagnostic tests (e.g. blood tests, swabs)
Some use cases
- Data controllers classify sensitive health data correctly
- Researchers understand consent boundaries
- Patients know what qualifies as health-related personal data
- Compliance teams ensure GDPR alignment in healthcare systems