
pilcrowonpaper | 2 years ago

Author here - I've gotten this question a few times now so I'll update the article to better explain it, but "online identifiers" are considered personal data according to Article 4. Recital 30 states:

"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers (...)"

From this, I think we can assume any id connected to a device (and thus user) that can be used to re-identify it can be considered personal data, regardless of the time-frame, especially since it mentions "cookie identifiers."

legitster | 2 years ago

Sure, but you are not quoting the whole recital:

> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Just from the phrasing of this recital, it's pretty clear that "unique identifiers and other information received by the server" are not regulated here.

Furthermore:

Article 4.5:

> ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Again, without the use of additional information is key. Just because it can be de-anonymized doesn't mean that it is.

Recital 29:

> In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.

I have spent a LOT of time with our GDPR team. And while GDPR is horrendously complex, I don't think anyone on our legal team would support the assertion that GDPR is countermanding itself.

Also, notice the phrasing "whilst allowing general analysis" - completely separate from Legitimate Interest, GDPR allows for "general analysis" of pseudoanonymous data.