Written by Tom Gilligan

One of the most asked questions of DPOs is whether X, Y or Z data item is personal data. Often this in the context of a file that only has specific data fields and doesn’t contain peoples’ names, e.g. lists of PPS Numbers, staff numbers, credit card numbers, and Vehicle Identification Numbers (VINs). A recent ruling from the CJEU has provided some helpful guidance on determining when data like the examples above become personal data.

A dispute between Scania, a manufacturer of heavy goods vehicle and Gesamtverband, a competitor, made its way to the CJEU. The EU has laws that permit data sharing in the motor vehicle repair market. There were several aspects to the dispute, but two are of interest to DPO’s.

The CJEU ruled as follows

1. VIN data is not personal data of itself. VIN data becomes personal data, when the organisation processing it, has access to additional data that allows them to identify the owner of the vehicle. So if you have a VIN but no way to link it to the owner of the vehicle that it is just data for you and not personal data. Conversely, if you have a file of VINs and have other databases where you can look up the VIN and find the vehicle owner then the file of VINs is personal data, even if there are no personal names in the file.
2. The CJEU went on to test whether the Regulation met the conditions of Article 6(3) of GDPR. They considered the three parts: is there a legal obligation, did the legislation define the purpose of the processing and did this meet a public interest objective, and thirdly is the use of the VIN proportionate to the purpose. The CJEU found that the Regulation met all three tests.

The key lesson then is that whether a piece of data is personal or not, really depends on the context of the processing and whether you have access to other data that relates it to an identifiable person. Regrettably, the CJEU did not give a verdict on the question that if you are a processor who does not have access to additional identifying data, whether the data is either pseudonymised or anonymised in your hands. If it is anonymised, then it would fall out of scope for GDPR.

CJEU Judgement in full – https://curia.europa.eu/juris