Personal data: definition, categories and obligations according to Art. 4 GDPR
The term personal data determines whether the GDPR applies. This article explains the definition according to Art. 4 No. 1 GDPR, the special categories according to Art. 9, the consequences for the directory, AV contracts and reporting obligations - factually, with paragraphs and examples.
Art. 4 No. 1 GDPR defines personal data as all information that relates to an identified or identifiable natural person. This formulation decides on a daily basis whether a data set falls under the General Data Protection Regulation or not. Anyone who uses the term too narrowly risks fines under Art. 83 GDPR. Anyone who takes it too far will overload the directory, AV contracts and employees with unnecessary checks.
This article provides a reliable interpretation of the term based on the GDPR definition, the case law of the European Court of Justice and the advice of German supervisory authorities. The focus is on identifiability, the special categories according to Art. 9 GDPR, the distinction between pseudonymization according to Art. 4 No. 5 and anonymization as well as the consequences for the processing directory according to Art. 30 GDPR.
Key Takeaways
- Personal data is all information about an identified or identifiable natural person in accordance with Art. 4 No. 1 GDPR.
- Special categories according to Art. 9 GDPR (health, religion, trade union, biometrics) require increased protective measures and explicit legal bases.
- Pseudonymization reduces the risk, but does not end the personal reference. Only true anonymization takes you out of the scope of the GDPR.
Definition: What Article 4 No. 1 GDPR means by personal data
Art. 4 No. 1 GDPR defines personal data as “all information relating to an identified or identifiable natural person”. The definition is intentionally broad. It includes names, addresses, identification numbers, online identifiers such as IP addresses or cookie IDs, location data, physiological and genetic characteristics, economic, cultural and social identity. Recital 26 adds that identifiability must take into account all means that, according to general discretion, are likely to be used to identify the person directly or indirectly.
The European Court of Justice clarified in the Breyer decision (C-582/14) that dynamic IP addresses are personal data if the controller has legal means to obtain the identity from the provider. This interpretation is broad. It affects web server logs, app telemetry, device identifiers and telemetry identifiers.
This results in a check loop for companies: Is there information available that can be traced back to a person with reasonable effort? If so, the GDPR applies. This check loop is not trivial. The external data protection officer documents the classification in the directory and determines which legal basis applies according to Art. 6 GDPR. Others run compliance like a filing cabinet. We run it like software.
Special categories according to Art. 9 GDPR
Art. 9 Para. 1 GDPR prohibits the processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as the processing of genetic, biometric, health or sexual life data. The ban is lifted by Article 9 Paragraph 2 if one of the ten exceptions mentioned there applies, such as express consent, employment law obligation, vital interest or health care.
Three categories are particularly relevant for companies. Health data is collected by company doctors, company reintegration and company pension schemes. Religion appears in the payslip via the church tax. Union membership appears in wage deductions or works council membership. Biometrics is activated for access control or single sign-on using a fingerprint or face.
The consequence is an increased obligation to protect. Technical and organisational measures according to Art. 32 GDPR must reflect the increased risk, a data protection impact assessment according to Art. 35 is regularly required, and the list according to Art. 30 must explicitly state the legal basis of Art. 9 Para. 2. The company doctor role on the CIVAC platform separates health data from HR data in its own client rooms, with separate access rights and versioned audit trail.
Pseudonymization and anonymization: Where the personal reference ends
Art. 4 No. 5 GDPR defines pseudonymization as processing in which personal data can no longer be assigned to a specific person without the use of additional information, provided that this additional information is stored separately. Pseudonymized data remains personal data. They remain subject to the GDPR. Pseudonymization is a security measure according to Art. 32, not an opt-out.
Anonymization takes you out of the scope of application. Recital 26 clarifies that anonymous data is information that no longer relates to an identified or identifiable person, or data that has been anonymized in such a way that the data subject cannot or can no longer be identified. The threshold is high. The Article 29 Data Protection Working Party defined three tests in Opinion 05/2014: singling out, linkability and inference. Anyone who fails even one of the three tests does not have anonymization, but rather pseudonymization.
In practical terms, this means: tracking data with shortened IP addresses is rarely anonymous. Aggregated statistics can be anonymous if the group size is sufficiently large and no quasi-identifiers remain. In the directory according to Art. 30, pseudonymization procedures must be documented as a TOM, anonymization procedures as a deletion or elimination step.
List of processing activities in accordance with Art. 30 GDPR
Art. 30 Paragraph 1 GDPR obliges those responsible to keep a register of all processing activities. Mandatory content includes the name and contact details of the controller, purposes of processing, categories of data subjects and categories of personal data, recipients including third countries, transfers with guarantees according to Art. 46, deletion periods and a general description of the TOMs according to Art. 32.
The exception according to Art. In practice, at least two of these exception conditions almost always apply, which is why medium-sized companies keep the directory anyway.
Audit templates reduce the creation time. CIVAC provides 490 ready-to-use audit templates, including an Art. 30 directory that queries categories, legal bases, recipients and deletion periods in a structured manner. Versioning is mandatory. Regulators require the inventory in the state of the incident, not the current state. The appointment certificate, signed, filed, verifiable, is part of the same client logic. The auditor calls, the evidence is ready. The compliance platform and officer-as-a-service bundles directories, orders and reporting lines to management in one workspace.
Legal basis according to Art. 6 GDPR
Every processing of personal data requires a legal basis. Art. 6 Para. 1 GDPR lists six options: consent (lit. a), fulfilment of contract (lit. b), legal obligation (lit. c), vital interest (lit. d), public task (lit. e) and legitimate interest (lit. f). For special categories according to Art. 9, the expanded catalogue of Art. 9 Para. 2 also applies.
Three basic principles are dominant for companies. Fulfillment of the contract includes the order, delivery and payment details. Legal obligation includes payroll, tax, social security and legal storage. Legitimate interests include fraud prevention, IT security, direct marketing and internal administration. Consent includes newsletters, non-essential cookies and voluntary employee data processing.
The legal basis must be determined before processing and documented in the directory. A subsequent rewriting is not permitted in accordance with Article 5 Paragraph 1 Letter b (purpose limitation). If there is a legitimate interest, the balancing of interests must be carried out in writing, with a comparison of the interests of those responsible, the expectations of those affected and milder means. CIVAC provides a template for this that maps the three test steps and saves the result in a versioned manner.
Rights of those affected in accordance with Articles 15 to 22 GDPR
The GDPR gives data subjects eight rights. Information (Art. 15), rectification (Art. 16), deletion (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21) and the right not to be subject exclusively to an automated decision (Art. 22). The notification obligation according to Art. 19 supplements the correction and deletion with an obligation to inform recipients.
According to Art. 12 Para. 3, the response deadline is one month from receipt of the application, extendable by two months if it is complex. Late or refused information can be subject to fines in accordance with Article 83. Practical difficulties arise in identifying the applicant, in the scope of the search and in separating third-party data that may not be disclosed.
Platforms reduce response times by triggering searches across systems on the affected side. Anyone who operates this in manual mode regularly misses the monthly deadline. CIVAC maps the workflow as a ticket, documents the identity check, collects hits from connected systems and issues a versioned response. Audit-proof, documented, Art. 12-firm.
Data breach report according to Art. 33 and Art. 34 GDPR
Art. 33 Para. 1 GDPR obliges the person responsible to report a violation of the protection of personal data to the responsible supervisory authority within 72 hours of becoming aware of it if there is a risk to the rights and freedoms of natural persons. Art. 34 supplements the notification of those affected if there is a high risk.
The deadline expires as soon as we become aware of it. The 72 hours do not begin with the incident, but rather with the person responsible's perception of it. Anyone who does not document their knowledge risks a deadline reconstruction by the supervisory authority, which often turns out to be to the detriment of the person responsible. CIVAC stamps the time of knowledge in the incident workflow and versions each statement of facts.
NIS 2 obligations run in parallel: Section 32 NIS2UmsuCG requires a 24-hour early warning and a 72-hour follow-up report to the BSI for essential and important facilities. In the event of incidents involving personal data in NIS 2 facilities, there are three deadlines: 24h BSI early warning, 72h BSI follow-up report, 72h supervisory authority in accordance with Art. 33 GDPR. An integrated platform reduces sources of error. Licence the workspace for your internal representatives, or have our representatives order it.
Data protection impact assessment according to Art. 35 GDPR
Art. 35 Para. 1 GDPR requires a data protection impact assessment (DPIA) before any processing that is likely to result in a high risk for the rights and freedoms of natural persons. Mandatory cases according to Art. 35 Para. 3 are systematic assessments with profiling, extensive processing of special categories and systematic monitoring of publicly accessible areas. The German supervisory authorities have published supplementary lists.
According to Article 35 (7), a DPIA includes at least a systematic description of the processing, an assessment of necessity and proportionality, a risk assessment and the planned remedial measures. The result must be documented and, in case of doubt, consulted with the supervisory authority in accordance with Art. 36.
A four-stage model has proven useful in practice: threshold analysis, risk identification, risk assessment and action planning. CIVAC provides a DPIA template that maps these four steps, automatically creates the link to the Art. 30 directory and reflects the ISMS risk entries according to ISO/IEC 27001:2022. This means that the DPIA does not become an isolated document, but rather part of ongoing risk management in the workspace.
From concept to order: How data protection becomes operational
The definition of personal data is the entry into the scope of the GDPR. This results in the obligation to appoint a data protection officer in accordance with Article 37 of the GDPR and Section 38 of the Federal Data Protection Act, the obligation to keep records in accordance with Article 30, the obligation to report in accordance with Article 33, the impact assessment in accordance with Article 35 and the rights of those affected in accordance with Articles 15 to 22. Each of these obligations can be managed in isolation or bundled in a platform.
CIVAC combines the obligations in a workspace with EU data residency. 25 representative roles, 93 controls according to ISO/IEC 27001:2022 and 490 audit templates are in the same client room. This is relevant because data protection rarely stands alone. Information security, whistleblower protection, supply chain due diligence and AI governance share risk entries, responsible parties and reporting lines. Licence the workspace for your internal representatives, or have our representatives order it.
Turn reading into an assignment. If you would like to consistently handle the term personal data operationally, send a short outline of your requirements to info@civac.de or use the contact form. The initial audit includes number of employees, processing types, third country transfers and special categories. An assessment will be available within 2 working days as to whether a workspace, an external order or a combination is suitable.
FAQ
Are IP addresses personal data?
Yes, usually. In the Breyer decision, the ECJ ruled that dynamic IP addresses are personal if the person responsible has legal means to determine the identity. Web server logs, app telemetry and device identifiers are therefore usually recorded.
Which data are considered special categories?
According to Art. 9 Para. 1 GDPR: racial and ethnic origin, political opinions, religious or ideological beliefs, trade union membership, genetic and biometric data for unique identification, health and sexual life data. Processing is prohibited unless an exception pursuant to Article 9 Paragraph 2 applies.
Does pseudonymization end personal reference?
No. Art. 4 No. 5 GDPR treats pseudonymization as a security measure. Pseudonymized data remains personal data and is subject to the GDPR. Only real anonymization according to recital 26 leads to the scope of application being removed.
When is a data protection impact assessment mandatory?
According to Art. 35 Para. 3 GDPR, among other things, systematic evaluation with profiling, extensive processing of special categories and systematic monitoring of publicly accessible areas. Regulatory authorities have published additional lists to consider.
How long do I have to report a data breach?
72 hours from knowledge according to Art. 33 Para. 1 GDPR. For NIS 2 facilities, there is also a 24-hour early warning to the BSI. Acknowledgment must be documented because the deadline is linked to this, not to the incident itself.
Do we need a data protection officer?
Yes, from 20 people with regular automated processing in accordance with Section 38 BDSG, when processing special categories in accordance with Art. 37 GDPR and in public bodies. CIVAC appoints an external DPO within 2 working days, including the appointment certificate and reporting line to the management.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.