GDPR and Personal Data
Understanding GDPR for OneView customers
Introduction
TL;DR - OneView does not process Personal Data as defined in Article 4(1) of Regulation (EU) 2016/679 “GDPR” for the purpose of fulfilling the contractual agreement with you.
This article is meant as a guide to help you understand what are PII, how GDPR works, and how OneView achieves perfect data quality within regulatory boundaries.
What is Personal Data?
| Definition | ||
|---|---|---|
| Personal Data | ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; | Article 4(1) of Regulation (EU) 2016/679 “GDPR” |
| Pseudonymized Data | ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; | Article 4(5) of Regulation (EU) 2016/679 “GDPR” |
| Anonymized Data | […] ‘anonymous information’, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. | Recital 26 of Regulation (EU) 2016/679 “GDPR” |
| Identifiable Person | […] To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. […] | Recital 26 of Regulation (EU) 2016/679 “GDPR” |
Who is involved?
Some more definition that are relevant to the GDPR, by defining
| Role | Definition | |
|---|---|---|
| Data Subject (your users) | Defined together with Personal Data (see above) | |
| Data Controller (you) | ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; | Article 4(7) of Regulation (EU) 2016/679 “GDPR” |
| Data Recepient | ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; | Article 4(9) of Regulation (EU) 2016/679 “GDPR” |
Pseudonymized Data
There are two instances where pseudonymized data is handled:
| Usage | Considered Personal Data? | Source of Law |
|---|---|---|
| Directly used by the Data Controller | Yes | Recital 26 of Regulation (EU) 2016/679 “GDPR” |
| Disclosed to a Recepient | No, unless the Recepient has the means to re-identify the Data Subject | Recital 26 of Regulation (EU) 2016/679 “GDPR”, clarified by Case T-557/20, SRB v EDPS |
Pseudonymized data used by the Data Controller
Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of should be considered to be information on an identifiable natural person.
Pseudonymized data disclosed to a Recipient
The General Court of the European Union in Case T-557/20, SRB v EDPS clarified that pseudonymized data transmitted to a data recipient will not be considered personal data if the data recipient does not have the means to re-identify the data subjects
Online identifiers
Recital 30 of Regulation (EU) 2016/679 “GDPR” gives a broad definition of online identifiers, including elements such as IP addresses, and cookies.
| Considered Personal Data? | Source of Law | |
|---|---|---|
| IP Addresses | Yes | Recital 30 of Regulation (EU) 2016/679 “GDPR”, clarified by Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland |
| Cookies | It depends | Recital 30 of Regulation (EU) 2016/679 “GDPR” |
IP Addresses
IP Addresses are definitely considered personal data. However, the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest for OneView, which does not require consent for processing.
OneView processes IP Addresses only for the purpose of protecting its network. This is done to ensure that the platform is not abused by malicious actors, for example:
- to ensure the availability of the service to all customers
- to mitigate DDoS attacks
- to ban abusive bots
- to prevent unauthorized access to the network
Cookies
ePrivacy Directive and its enacting laws in EU Member States are lex specialis to the GDPR, meaning in case of ambiguity, the former applies.
In OneView, cookies are only relevant in the context of Frontend Sources, as they integrate with your current technologies (either Google Tag Manager® or Google® gtag.js) to receive data, including that from cookies, from your website.
Both technologies use cookies only to distinguish between sessions and clients; their identifiers are arbitrary and do not encode any information.
Because the other you may send to OneView (which could be used to identify a natural person) are pseudonymized, it is not possible for OneView to identify your Data Subjects from the data it receives, including that from cookies.
Was this page helpful?