Blog

  • Common misconceptions: What Actually Counts as “Personal Data” Under GDPR?

    We all have experiences dealing with different type of personal data during our daily shopping, web-shops orders, be at our workplace, subscribing to newsletters… not to mention when we want to delete one of our accounts.

    Our experiences vary and sometimes you might feel what happens is not right, but we just don’t want to make a fuss about it or we are simply in a hurry. Maybe we also think, “That is weird, why they ask me that… but some lawyer or someone must have checked it and found it is okay… right?”

    No matter what your profession is, I am sure you also see your peers’ work with a critical eye and spot mistakes much more easily than the average human would do. As data privacy consultants, we do the exact same thing.

    In this post, I would like to explain basic privacy concepts and perhaps help you feel more confident the next time you have to deal with “personal data.” We put personal data in quotes because it is a concept that many people misunderstand.

    Deconstructing the GDPR Personal Data Definition

    According to Article 4 of the GDPR:

    “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

    It is pretty legal and broad, so let’s break it up a little.

    In a nutshell, you should understand it this way: if you are able to piece information together and identify the specific person this information belongs to, then it becomes personal data.

    But what about a simple birthdate, for example? Well, if you only have 05.05.2025 floating in a spreadsheet, it’s not personal data on its own. But if you have the birthday of the oldest person alive in a town, and you also have something else related to it like an eye color, then it is personal data because the crowd has narrowed down to a single human being.

    Most people think personal data must be a name, an email address, a phone number, or a government ID number, but this is simply not the case.

    What Does an “Identifiable Natural Person” Actually Mean?

    To count as personal data, identifying the person has to be reasonably possible. If you would need to hire a private investigator to find out who the person is, then it is likely not personal data.

    Although, with the age of AI, big data, and all our data randomly scattered around the internet, this “reasonable identification” question is going to be an interesting puzzle in the future.

    Also, would a common name like John Doe be personal data? On its own, very unlikely. Unless it is a highly unique name, without any other hints or context you would not be able to identify a specific individual out of thousands of John Does.

    The 3-Part Anonymity Litmus Test

    Because identity can be tricky, European regulators and data protection authorities don’t just guess if data is personal—they run it through a strict, three-part litmus test derived from official EU guidelines.

    To determine if your data has truly broken all ties to a real human being, ask your team these three questions:

    • 1. Singling Out: Can you isolate an individual’s activity from the rest of your users, even without knowing their name? (Example: Tracking a unique browser session that views a specific pair of shoes).
    • 2. Linkability: Can you connect two or more separate records across different systems to the same person? (Example: Linking a user’s anonymous mobile app usage history with their website purchase history).
    • 3. Inference: Can you deduce a person’s traits or identity by looking at the surrounding context of the data? (Example: Correctly guessing who a redacted HR file belongs to by looking at a rare job title and a specific office location).

    How to Use It in Practice

    If your team answers “Yes” to even a single one of these questions, the dataset is legally personal data, and the GDPR applies in full.

    True anonymization requires a definitive “No” to all three. If the data cannot be singled out, cannot be linked to other files, and allows zero inferences, only then is it safely outside the scope of European privacy law.

    The Creepy Side of Location and Tracking Data

    Ok, but what about broad things like location? If you are a customer of a web-shop, they will know where you are when you use their service. The most basic identifier used here is an IP address, which can lead back to a single house or even a specific apartment in a building.

    I would certainly feel my privacy was violated if a random web-shop actively referenced that background data. Imagine receiving an automated email after you bought new headphones online:

    “You must have had a small accident by the poolside at Hotel XY in Tenerife! But no worries, your headphones will be waiting for you at home when you get back from vacation. Buy our insurance now and your next pair will be covered.”

    Here, as always, it depends on what is justifiable. A web-shop has a legitimate interest to protect itself from fraud and malicious actors, so they might temporarily keep logs of your IP address—hence, your location.

    But they should not use that security data in their marketing or sales campaigns. They should be happy with your shipping address for sending you the order, and perhaps keep your city name on record for localized marketing purposes—and not correlate all this background information.

    The GDPR actually asks all data to be used strictly for the specific aim it was collected, and requires those reasons to be explicitly justified. This is exactly why using AI to cross-reference these data points opens up completely new questions and legal dimensions.

    Real-World Compliance Misconceptions

    To round things out, let’s look at three incredibly common scenarios where businesses get the privacy rules completely wrong:

    Myth 1: The Email Loophole

    • The Scenario: A sales representative downloads a list of corporate work emails (like john.doe@company.com) and says, “GDPR only covers private consumers, not people at work.”
    • The Reality: Wrong. A direct work email points to a specific person, meaning these lists must follow the exact same privacy laws. (Note: If the email address is generic, like contact@company.com, then it does not identify a specific person in a big company, and sits outside this rule).

    Myth 2: “We Only Track Machines”

    • The Scenario: A mobile app logs phone serial numbers and IP addresses but no names or accounts, claiming, “We only track machines, not people.”
    • The Reality: Wrong. Device IDs and IP addresses act as unique digital fingerprints. They allow companies to isolate, link, and track a single user’s behavior over time, which legally counts as personal data.

    Myth 3: Anonymous CCTV

    • The Scenario: A store owner installs security cameras that record customers’ faces but says, “We don’t know any of these people’s names or addresses, so it’s not personal data.”
    • The Reality: Wrong. You don’t need a name tag to identify someone. Because the video captures distinct physical traits that allow a business to single out and track an individual’s specific actions, it is protected data.

    Let’s Figure It Out Together

    Did you get a little bit overwhelmed? Don’t worry, you don’t need to have all the answers mapped out. Privacy landscapes can be incredibly complex, and trying to decipher regulatory nuances on your own is a lot to ask.

    Whether you’re looking to untangle a specific data workflow, want to chat through recent compliance updates, or just don’t know where to start, we are here to help. No sales pitch—just a friendly, expert team ready to support you.

  • GDPR Consent vs. Legitimate Interest: A Guide for Small Businesses & NGOs, Part 2

    First of all, the GDPR recognizes multiple options for the legal basis of data processing, meaning, you are only allowed to process personal data based on one of the explicitly mentioned and predetermined bases. You must choose one legal basis per processing purpose — but different purposes can rely on different bases. As an example, an address could be used for billing and for package delivery as well.

    Before you do anything with personal data, you have to decide the legal basis in advance and consider the consequences of your choice. Without further ado, let’s see the difference between consent and legitimate interest as legal bases.

    Consent

    Seems straightforward — we’ve all done it. But there are some things worth knowing about it. As a best practice (or we could say better to be safe than sorry way) requires an explicit and provable way of collecting consent in advance. You have to manage these records, and if someone wants their data deleted, generally you must comply and confirm the deletion.

    (There are always exceptions like legal obligation or exercise of legal claims which would prevent deletion for a time and it just prevent it from using for a specific purpose. Imagine, someone steels from a shop and then asks to delete the camera footage. It makes perfect sense to keep the recording as evidence for the legal proceedings. But these are rather special cases as the example also suggests.)

    Consent also has to be freely given, which complicates things in certain cases. For example, in employment matters, you can often argue whether the person really had a choice. Also, can you ensure that your electronic backups can be handled in a way that allows you to remove the data in a practical manner?

    Legitimate Interest

    This is a potentially much better legal basis, as the person concerned has no automatic right to have their data deleted, which can be much simpler from an operational point of view — think of deletion from backups or maintaining the integrity of your records. Sounds good?

    There are still important things to consider: the GDPR prohibits processing of personal data by default (you need one of the 6 legal bases to do so), so you must prove that you need this data for your business, that the processing aligns with your actual business needs, and that it does not override the rights of the individual.

    (Although, the data subject still have right to object and ask for deletion, in case, you are able demonstrate compelling legitimate grounds that override the individual’s rights, hence you may keep the data.)

    What do you need to do?

    You have to assess the aforementioned factors and additional ones… but how? The magic term is the Legitimate Interest Assessment (LIA). Yes, it’s true it’s requiring more documentation, but it provides significant advantages.

    UK’s ICO has a great explanation page to understand the basics the LIA: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/

    Let’s see how this would look in a general case (note: each EU country may have slight divergences, as the GDPR — as the name suggests — is the General Data Protection Regulation, and member states are allowed to set additional rules).

    Let’s use the examples from the previous post to better understand how it works:

    • a small yoga studio offering online classes,
    • a local animal rescue NGO coordinating volunteers,
    • a neighborhood bakery running a simple loyalty program.

    Example 1: Yoga Studio

    In the case of the yoga studio newsletter, consent was the right choice — but in certain cases, you may utilize legitimate interest with the same email addresses. Imagine your yoga studio is in a business relationship with the local sports store. You support each other: the sports store sends people your way, and you recommend the sports store for yoga mats. Now the sports store has a great New Year’s deal on yoga mats, so you send this offer to the people who signed up for your newsletter. This can be based on legitimate interest, but I would always recommend being upfront with people who sign up for your newsletter if you have such intentions, as transparency is one of the cornerstones of data processing.

    Please note that many EU countries require prior consent for marketing emails. Recent ruling further clarified the rules around it: https://www.lexology.com/library/detail.aspx?g=bbdc6fd3-9b60-47d9-81ca-1b2bda4d9166

    Example 2: Animal Shelter Volunteers

    If we look at the animal shelter volunteer list, the picture changes. Consent looks good at first glance, and you may have seen similar cases where someone asked for your consent. But let’s say you want to keep records of when a volunteer worked or who handled certain tasks based on their schedule. If you relied on consent, you would be in trouble if the volunteer asks to withdrew it — you would have to delete these records as well. We would argue that it is a legitimate business interest to hold onto this information, right? So if there is no other legal basis available, legitimate interest would be more appropriate and logical here instead of consent.

    Example 3: Neighborhood Bakery

    In our last example — the neighborhood bakery with a simple loyalty program — the answer is simply: it depends. It’s the favorite answer of compliance professionals, as the devil is in the details, and the correct response or alternatives can only be given when the full picture is clear. To determine the right legal basis, we first need to understand how, what, and why data is being processed. Is it a simple paper system where a stamp is added to each paper card and no name or other identifier is collected? Then the GDPR does not apply, and no action is needed at all.

    But what if there is an app that requires registration or tracks users in a way that makes them easily identifiable (e.g., via location data)? That’s already a much more complicated situation.

    If you want to know what to do in similar cases — or in a completely different one — please contact us and let’s see how we can help.

  • GDPR Consent vs. Legitimate Interest: A Guide for Small Businesses & NGOs, Part 1

    What is a Legal Basis under GDPR?

    A legal basis is the foundation that allows you to process personal data under the GDPR. Every organization—whether a small business, a freelancer, or an NGO—must be able to point to one specific legal basis for each purpose of processing. Without a valid legal basis, the processing is simply unlawful, no matter how harmless it may seem.

    The challenge is that not all legal bases are created equal. Some are stable and practical; others are fragile and easy to get wrong. Consent is the one most people know, but it is also the one most often misused. To understand why, it helps to look at how consent works in the real world, through the eyes of three very typical organizations:

    • a small yoga studio offering online classes,
    • a local animal‑rescue NGO coordinating volunteers,
    • and a neighborhood bakery running a simple loyalty program.

    Why Consent is Often Misused

    The yoga studio is the classic example of where consent works well. They send a weekly newsletter with class updates, wellness tips, and occasional promotions. This is a genuinely optional service. People can sign up if they want, ignore it if they don’t, and unsubscribe at any time without affecting their relationship with the studio. Consent here is meaningful: the user has a real choice, the purpose is clear, and withdrawal doesn’t break anything. A simple opt‑in checkbox is enough, and the studio can easily explain what the emails contain. This is what GDPR‑compliant consent looks like in practice—clean, transparent, and low‑risk.

    Things become more complicated when we look at the animal‑rescue NGO. They collect volunteer information—names, phone numbers, availability, emergency contacts—so they can coordinate shifts and ensure safety. Many NGOs assume they need consent for this, so they add a checkbox to their volunteer form. But this is where consent becomes a liability. If a volunteer withdraws consent, the NGO would have to stop using their information immediately, even if that means they can no longer contact them during an emergency or schedule them for an event. The NGO needs this information to function. Consent is the wrong legal basis here because the processing is necessary for the volunteer relationship. Withdrawal would break the workflow and undermine the organization’s ability to operate safely. The GDPR is clear: if the processing is necessary, consent is not appropriate.

    The bakery faces a similar issue. They run a loyalty program where customers earn a free pastry after ten purchases. They collect names and email addresses to track points and send occasional updates. Many small businesses default to consent here too, but the same problem appears: if a customer withdraws consent, the bakery would have to delete their data and stop tracking their points. The loyalty program itself depends on the data. Consent is too unstable for something that is part of the service. The bakery needs a legal basis that reflects the fact that the processing is necessary to deliver what the customer signed up for.

    Why Legitimate Interest is a Better Alternative

    These examples show why consent is so demanding. The GDPR sets a high bar: consent must be freely given, specific, informed, and unambiguous. For the yoga studio’s newsletter, this is manageable. But for the NGO and the bakery, meeting these requirements becomes unrealistic. “Freely given” is difficult when there is any imbalance of power, such as between an NGO and its volunteers. “Specific” means you cannot bundle multiple purposes together, which quickly becomes messy for organizations with several data uses. “Informed” requires clear explanations that many small organizations struggle to write. And “withdrawal at any time” is the biggest challenge: withdrawal must be as easy as giving consent, and it must stop the processing immediately. For the NGO and the bakery, that would make their services unworkable.

    Consent also requires ongoing maintenance. You must record who consented, when, how, and for what purpose. You must track withdrawals. You must refresh consent when your purposes change. You must ensure that your consent mechanism remains compliant over time. For many small organization, this becomes a significant administrative burden. And because consent is so easy to invalidate, it becomes a weak foundation for any processing that your organization depends on.

    This is why legitimate interest often works better for small organizations. It allows processing when it is necessary for a legitimate purpose and does not override the individual’s rights and freedoms. It is not a loophole or a shortcut; it requires a structured balancing exercise and clear documentation. But when used correctly, it offers a more stable and realistic foundation for everyday processing.

    For the NGO, legitimate interest is a natural fit. Coordinating volunteers, ensuring safety, and managing events are all legitimate purposes. Volunteers reasonably expect their information to be used this way. Withdrawal would not make sense, but individuals still retain the right to object if something feels inappropriate. Legitimate interest respects both the organizations’ needs and the individual’s rights.

    For the bakery, legitimate interest also works well. Running a loyalty program is a legitimate business purpose, and customers expect their data to be used to track points and send relevant updates. The bakery can explain this clearly without relying on a consent mechanism that could undermine the program. Customers still have rights, but the bakery is not forced into operational chaos if someone changes their mind.

    Even the yoga studio can benefit from legitimate interest for certain activities. While the newsletter should rely on consent, internal analytics, fraud prevention, or basic service improvements often fit better under legitimate interest. The key is choosing the legal basis that fits the purpose, not the one that feels safest.

    Consent is powerful when used correctly, but it is not the default. It is appropriate only when the processing is genuinely optional and withdrawal does not break the service. The yoga studio’s newsletter shows how well it can work. The NGO’s volunteer management and the bakery’s loyalty program show how quickly it becomes unstable when the processing is necessary.

    How to Transition to Legitimate Interest

    Legitimate interest often provides a more realistic and robust foundation for everyday processing. It aligns with user expectations, avoids the fragility of withdrawal, and supports the operational needs of small organizations—while still protecting individuals’ rights. To use legitimate interest properly, you must conduct a Legitimate Interest Assessment (LIA), a structured way to document your purpose, necessity, and balancing test.

    The next article will walk through how to create an LIA in a clear, practical way that fits the daily reality of a small business or NGO. If you need personalized help, just get in touch.