4

Supposed there is some data that is not associated with an individual. This data is processed by a company and distributed on the web. At a later date this data becomes associated with an individual such that its processing is controlled by the GDPR. What is the status of the company then, if they continue to distribute this data?

The particular data I am thinking about is car number plates. The data processing I am thinking about is online car adverts. When I google car models I get many car adverts from years ago. Many of these display the number plate. At the point that the data goes online the number plate would be registered to the seller, in most cases a corporate entity. This would mean the number plate is not personal information at that point. Once the car has sold it is likely to become registered to a person, and then the number plate becomes personal information.

What is the status of those old car adverts? Are they all processing personal data in a way that the GDPR applies? Did they do all their data collection and processing when it was not personal data so the GDPR does not apply?

Improve this question
3
  • 1
    The car advert has no link to the person that purchased the car later on. If all the data you have is that car advert it is not personal information because it cannot be linked to a person. The same bits of data can be personal information for one entity but not another depending on what other information these entity holds.
    – quarague
    Commented Jan 13 at 18:09
  • 2
    @quarague The car advert has the number plate in it. The number plate can be linked to a person via the DVLA. From gdpr-info "The data subjects are identifiable if they can be directly or indirectly identified ... For example ... number plate ... are all personal data."
    – User65535
    Commented Jan 13 at 18:15
  • @quarague all owners of the car (past, present, and future) are intimately linked to the number plate through the registry. All it takes is a legitimate request and you have the name and address. The GDPR only cares that the data can be linked, not that a particular controller has all the information to make the link.
    – Dale M
    Commented Jan 13 at 23:12

1 Answer 1

Reset to default
3

You’re thinking about personal data the wrong way

personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

The car number plate is intimately linked to all the owners of the vehicle - past, present and future - any of whom might be a natural person. The plate can also be linked to any drivers, for example, through insurance documents, police tickets, or court cases; all of them are definitely natural persons (at present). Therefore, car number plates are personal data subject to the GDPR always and forever.

Your mistake was in thinking that the number plate only liked to the owner and that, if the current owner was not a person, it was not personal data. However, number plates also link to past and future owners and drivers, so it is personal data.

The question you need to ask is not “can I identify the person”, but “is it data related to a natural person and, if so, is it theoretically possible for someone, with access to whatever data they need even if I don’t have that data, to identify that person”.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .