When is data no longer personal? And what are the implications?

The ruling of the Court of Justice of the European Union (CJEU) of yesterday, 4 September 2025, in the EDPS v SRB case is significant – never mind the naysayers. It is the first time that the CJEU has clearly, explicitly said that if a dataset initially contains personal data but is pseudonymised, and that pseudonymised data is then shared with a recipient, that recipient does not have to consider that information as personal data if two conditions are met:

  1. the recipient is in effect unable to and prevented from (lawfully) getting back to the relevant natural persons and

  2. the recipient does not share that pseudonymised data with anyone who is able to (re)identify the natural persons.

I will quote the exact wording later, but this is in practice a combination of the Breyer, Scania and OLAF judgments.

Here is the table of contents of this in-depth look at EDPS v SRB and its implications:

  • I. Nothing new under the sun? Authorities don’t think so

  • II. First CJEU finding in SRB: “opinions” = information relating to a person

  • III. Second CJEU finding in SRB: confirmation of relative nature of “personal data” [III.1 Anonymous data? GDPR inapplicable / III.2 Pseudonymous data? GDPR might be inapplicable / III.3 Nature of data for SRB [= controller sharing pseudonymised data]? Here, personal data / III.4 Nature of data for Deloitte [= recipient]? Here, NOT personal data / III.5 Continuing on the conditions for pseudonymised data to be non-personal data / III.6 What about the level of protection of personal data?]

  • IV. Third CJEU finding in SRB: transparency covers pseudonymisation – in certain cases?

  • V. Points unanswered, questions raised [V.1 Does the role (potential controller / processor) of the recipient influence this assessment? / V.2 Does this allow intragroup pseudonymisation to leave the GDPR’s scope? / V.3 What are the consequences of SRB plus Scania for someone who shares data that he/she believes not to be personal data? / V.4 Transparency & naming of recipients – even needed if no consent? / V.5 Impact on other obligations under the GDPR]

  • VI. Conclusion

I. Nothing new under the sun? Authorities don’t think so

First, why is this significant? While it is a combination of prior case law and the logical conclusion of it, all data protection authorities in the EU argued against this finding.

The case was argued by the European Data Protection Supervisor (EDPS), and the European Data Protection Board (EDPB) intervened in support of the EDPS.

The CJEU explicitly states that the EDPS argued that “pseudonymised data must […] be regarded as constituting, in all cases and for every person, personal data” (para. 86 of the judgment).

This is what I and others have called the “absolute” concept of “personal data”, i.e. the idea that if one person on the whole planet is able to make a link between data and a natural person, everyone must treat it as personal data (with all the obligations that this entails).

Several among us have long argued for another view, one stemming from Recital 26 of the Data Protection Directive when it was in force and Recital 26 of the GDPR (consolidated version / initial act with Recitals) since it became applicable.

This view is that the concept of “personal data” depends on the eye of the beholder – i.e. a “relative” concept of personal data.

As I explained in my article on Advocate General Spielmann’s Opinion in the SRB case:

* * *

“Some have considered that "personal data" is an absolute concept, i.e. information can be "in and of itself" personal data for anyone, while others (such as myself) have long contended that it is a relative concept. The idea of the relative concept is that information that I have about Mr John Doe might be personal data from my perspective when I process it, but not from yours if you receive it.

For instance, if I know that John Doe likes vanilla ice cream and not chocolate ice cream, and I have given him the userID AB12345, while Jane Doe prefers chocolate and has the userID AB12346, those userIDs and ice cream preferences are personal data when I process them. Why? Because I have identified John Doe or I am lawfully able to identify or get to identification of John Doe.

However, when I give you a copy of those userIDs or ice cream preferences, you don't know that it is John and Jane who are concerned by this data, and you have no legal means of obtaining any additional information ("who is behind userID AB12345?") from me. If you can't get that additional information anywhere else (lawfully, again), or it would require unreasonable means (in terms of effort, cost, etc.) to reidentify John and Jane, surely you must be able to view this data as non-personal data and cannot be bound to comply with the GDPR?”

* * *

In fact, I know for a fact that some authorities have considered that IP addresses are in every case personal data, without ever pausing to consider whether a recipient of IP addresses actually has any means of identifying the natural person behind an IP address.

The typical underlying consideration is that any other interpretation would harm data subjects and allow abuse. We will get back to the issue of abuse, and safeguards against that, a little later [see notably section V hereunder].

First, though, what did the CJEU actually say?

II. First CJEU finding in SRB: “opinions” = information relating to a person

A first question in SRB was whether comments – i.e. opinions – made by individuals are even capable of being “information relating to” a natural person.

In this respect, the CJEU quoted from its previous case law (most importantly Nowak, CRIF and OLAF) and stressed that “[i]nformation relates to an identified or identifiable natural person where, by reason of its content, purpose or effect, it is linked to an identifiable person” (see para. 54 & 55 of SRB).

The CJEU went on to say that “personal opinions or views” are “an expression of a person’s thinking” and are “necessarily closely linked to that person” (para. 58).

To me, this isn’t in any way new (Nowak already concerned the idea that an examiner’s comments concern both the candidate and the examiner).

But it just means an opinion concerns a natural person – not an identified or identifiable natural person. Careful not to extrapolate.

III. Second CJEU finding in SRB: confirmation of relative nature of “personal data”

Next, in a reasoning that I think can be divided into six stages, the CJEU found that the pseudonymous data in question was personal data for the initial controller and not personal data (= anonymous data) for the recipient.

III.1 Anonymous data? GDPR inapplicable

First, the CJEU stressed that anonymous data falls outside of the scope of data protection rules (para. 70), by reference to Recital 16 of Regulation 2018/1725 (the GDPR for EU Institutions or EUI GDPR), the equivalent of Recital 26 of the GDPR. [The case concerned the EUI GDPR, but all findings of the CJEU are also relevant for the GDPR. The CJEU says this explicitly in para. 52 of the SRB judgment.]

III.2 Pseudonymous data? GDPR might be inapplicable

Second, the CJEU examined the nature of pseudonymisation. Stating that pseudonymisation “presupposes the existence of information enabling the data subject to be identified”, the very existence of this information enabling identification (which the CJEU calls “identifying data” later) precludes pseudonymised data “from being regarded, in all cases, as anonymous data” (para. 73).

In other words, pseudonymised data is not necessarily anonymous data.

However, “the objective of pseudonymisation is, among other things, to prevent the data subject from being identified solely by means of pseudonymised data” (para. 74). This is by keeping the identifying information “separately”, subject to technical and organisational measures to prevent attribution.

For this reason, the CJEU says that “provided that such technical and organisational measures are actually put in place and are such as to prevent the data in question from being attributed to the data subject, in such a way that the data subject is not or is no longer identifiable, pseudonymisation may have an impact on whether or not those data are personal” (para. 75).

This is a key part of the reasoning: while pseudonymised data is not necessarily anonymous data, it can cease to be personal data if technical and organisational measures prevent (re)identification.

It gets back to principles a little later, after examining the specific positions of SRB and Deloitte.

III.3 Nature of data for SRB [= controller sharing pseudonymised data]? Here, personal data

The CJEU then examines whether SRB itself must consider the data as personal data.

It says that “as is usually the case for controllers who have pseudonymised data, the SRB does, in the present case, have additional information enabling the comments transmitted to Deloitte to be attributed to the data subject, with the result that, in its view, those comments are, in spite of pseudonymisation, still personal in nature” (para. 76).

In other words, because SRB itself had the identifying data, the pseudonymised data remained personal data from SRB’s perspective.

This raises an interesting question regarding the controller, though, in the context of segregation of pseudonymised data and identifying data. We’ll get back to this.

III.4 Nature of data for Deloitte [= recipient]? Here, NOT personal data

Turning to Deloitte, the entity that received pseudonymised data from SRB, was the pseudonymised data personal data or anonymous data?

The CJEU’s explanation in this respect is important: “the technical and organisational measures [of pseudonymisation] may, as the SRB essentially submits, have the effect that, for [Deloitte], those comments are not personal in nature. However, that presupposes, first, that Deloitte is not in a position to lift those measures during any processing of the comments which is carried out under its control. Second, those measures must in fact be such as to prevent Deloitte from attributing those comments to the data subject including by recourse to other means of identification such as cross-checking with other factors, in such a way that, for [Deloitte], the person concerned is not or is no longer identifiable” (para. 77).

It is important to note that the role of Deloitte here seems to be assumed to be that of a controller. The EDPS raised factual allegations regarding Deloitte’s role as processor before the CJEU, but those allegations had not been raised at first instance (before the General Court of the European Union, the “first instance” part of the Court of Justice for various kinds of cases). This makes them inadmissible, and the CJEU itself did not talk about anyone’s role as processor. I will show hereunder why I believe that a processor situation has to be examined in a different manner.

III.5 Continuing on the conditions for pseudonymised data to be non-personal data

After looking at the positions of SRB and Deloitte, the CJEU quotes again Recital 16 of the EUI GDPR (// Recital 26 of the GDPR) in support of its position on Deloitte (para. 78-79), before stating that a large part of this Recital “would be deprived of any practical effect” if pseudonymised data were to be considered as personal data in all cases and for everyone (para. 80).

It also considers that the OLAF case “bears out the interpretation that the existence of additional information enabling the data subject to be identified does not, in itself, mean that pseudonymised data must be regarded as constituting, in all cases and for every person, personal data” (see para. 81-82).

Another significant part is para. 83, which compares this situation to that in Breyer and in IAB Europe. It states that, in those cases, it had held that data that are inherently impersonal and have been collected and retained by the controller were nevertheless connected to an identifiable person, since the controller had legal means of obtaining additional information from another person making it possible to identify the data subject. Because of this idea of legal means to obtain identifying information from another, “the fact that the information enabling the data subject to be identified was in the hands of other people did not actually to prevent that subject from being identified in such a way that the subject was not identifiable for the controller”.

[On the IAB Europe reference, readers may know that I have my misgivings about the factual assessment the CJEU included – see here – because the alleged possibility of access to identifying data was not factually correct but based on an (in my view) overly broad interpretation of one particular sentence of a policy, a sentence that has since been removed from that policy.]

The CJEU then turns to the Scania case, recalling that “data which are in themselves impersonal may become ‘personal’ in nature where the controller puts them at the disposal of other persons who have means reasonably likely to enable the data subject to be identified” (para. 84). The Court adds that “in so far as it cannot be ruled out that those third parties have means reasonably allowing them to attribute pseudonymised data to the data subject, such as cross-checking with other data at their disposal, the data subject must be regarded as identifiable as regards both [the transfer from the non-controller to the third parties who have such means of identification available] and any subsequent processing of those data by those third parties” (para. 85).

III.6 What about the level of protection of personal data?

The CJEU then examines one of the EDPS’s counterarguments, namely an attempt to counter this relative nature of personal data by focussing on “the objective of ensuring a high level of protection of personal data”. The Court states that although the EU legislator had the “objective of attributing a broad meaning to the concept of ‘personal data’, that concept is not unlimited since that provision requires, inter alia, that the data subject be identified or identifiable” (para. 88).

The Court counters this argument by stating that various obligations under the (EUI) GDPR “require[…] the data subject to be identified” and that they “cannot be imposed on an entity which is in no way in a position to carry out that identification” (para. 89).

In other words, this is not about reducing the level of protection of personal data but about recognising that the EU legislator already provided for limits to this level of protection and that some of the protections are nonsensical if identification is unfeasible.

This is important for the next step of the CJEU’s findings.

IV. Third CJEU finding in SRB: transparency covers pseudonymisation – in certain cases?

Finally, the CJEU turns to another question: was the transparency obligation met by SRB in relation to the processing activities?

This question focusses on Article 15 of the EUI GDPR. Do not be misled by the number into assuming that this concerns data subject access requests, as this provision is in fact the equivalent of Article 13 of the GDPR, i.e. the obligation to inform data subjects about processing when personal data is collected from the data subject directly.

In this context, the question is whether SRB was required to inform data subjects about the transfer of pseudonymised data to Deloitte (as the EDPS held that the failure by SRB, at the time of collection of the personal data, to mention Deloitte as a future recipient constituted an infringement).

The CJEU examines this issue and comes to the conclusion that the assessment of the transparency obligation must be made at the moment of collection of the personal data.

To reach this conclusion, it starts by stressing in para. 104 that a data subject must be capable of fully understanding the information sent to him or her under Art. 15 EUI GDPR (// Art. 13 GDPR). It adds that “the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes” and that the controller “should also provide any other information necessary to ensure fair and transparent processing” (para. 105).

In this particular case (for reasons that are never explained – and one might ask oneself if there was ever a good justification for this), the processing was based on consent. This is why the Court then proceeds to state that where collection takes place based on consent, “the validity of the consent given by that data subject depends, inter alia, on whether that data subject has previously obtained the information in the light of all the circumstances surrounding the processing of the data in question to which he or she was entitled [under Art. 13 GDPR / Art. 15 EUI GDPR] and which allow him or her to give consent in full knowledge of the facts” (para. 106).

From then onwards, it becomes difficult to identify whether the rest of the reasoning is linked to purely the circumstance of “transparency” in general or whether it is tied to the circumstance that the legal ground for the processing was consent.

In para. 108, for instance, the Court states that “one of the purposes of the obligation to provide the data subject – at the time of collection of the personal data linked to him or her – with information relating to the potential recipients of those data is to enable that data subject to decide, in full knowledge of the facts, whether to provide or, on the contrary, refuse to provide the personal data being collected from him or her”. This kind of choice is unavailable if the legal ground is not consent (sure, there is an objection right for legitimate interest and public interest, but that objection right is conditional upon “grounds relating to [the data subject’s] particular situation” pursuant to Art. 21(1) GDPR).

The Court then states that the information obligation under Art. 15 EUI GDPR / Art. 13 GDPR in relation to “potential recipients” is “essential in order for the data subject to be able to defend his or her rights against those recipients subsequently” (para. 109).

This then gets to an awkward part of the ruling, and the reaction by many to the following sections has been disbelief. If a recipient receives pseudonymised data and not identifying data and is unable to get to identification of the data subject, it isn’t personal data – yet a data subject should be able to defend his or her rights against that recipient, even though the recipient has no idea who the data subject is?

I will explain below how I think we should interpret the Court’s reasoning in this respect in order to make this more logical and workable, without creating a risk for data subjects.

The consequence of this positioning, though, is that the Court considers that the assessment of the information obligation must be made at the time of collection only, and that “the SRB’s obligation to provide information was applicable in the present case prior to the transfer of the data at issue and irrespective of whether or not those data were personal data, from Deloitte’s point of view, after any potential pseudonymisation” (para. 112).

Put differently, the issue of which (potential) recipients might get access to personal data has to be assessed from SRB’s perspective on what constitutes personal data, not from each recipient’s perspective. Given that the Court previously found that in this particular case the data in question is personal data from SRB’s perspective, Deloitte would have to be considered as a recipient of the data for the purposes of Art. 13 GDPR / Art. 15 EUI GDPR.

V. Points unanswered, questions raised

As mentioned earlier, the judgment has the merit of affirming in clear terms the relative nature of “personal data”.

But it is far from the end of the saga. There are many unanswered questions. Some have claimed that it raises more questions than it answers – I disagree, but that’s because I have been promoting the “relative” theory for a while.

I have tried to compile some of the key questions, in order to highlight how I see things evolving or whether I have concerns that there are truly unclear points.

V.1 Does the role (potential controller / processor) of the recipient influence this assessment?

A first fundamental question concerns the role of the recipient.

As highlighted above, the EDPS started arguing before the CJEU that Deloitte was a processor for SRB, but this was a new claim and therefore not part of the appeal.

Yet if someone acts as a processor, they are acting under the authority of the controller and are seen as the extension of the controller. A processor is defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (Art. 4(8) GDPR), and a processor is subject to various obligations in this context. The main obligations for a processor under the GDPR are:

  • Art. 27 (EU representatives, where the conditions are met)

  • Art. 28 (data processing agreements and the relationship with the controller)

  • Art. 29 (statutory requirement to follow the controller’s instructions)

  • Art. 30 (record of processing activities – in particular 30(2) and 30(4))

  • Art. 32 (security)

  • Art. 33(2) (notification of personal data breaches to the controller)

  • Art. 37 (data protection officer, where the conditions are met)

  • Art. 46 & following (international data transfers)

Indirectly, there are also the contractual assistance obligations mandated under Art. 28(3) GDPR, such as the obligation to assist the controller with data subject requests and with security, personal data breaches, data protection impact assessments and prior consultations with a supervisory authority.

It isn’t hard to see that if one were to consider that a processor receiving pseudonymised data without the identifying data is processing non-personal data, this would be an easy way to avoid a wide raft of obligations that apply to processors.

Therefore, keeping in mind the idea that the processor is the extension of the controller from that perspective, the CJEU’s reasoning in SRB regarding the relative nature of personal data should in my view only apply when the recipient could be considered as a controller.

I believe this to be the case even if the processor receives fully encrypted data that it has no means of decrypting.

However, pseudonymisation does have a separate effect: it can significantly reduce the scope and implications of those GDPR obligations for the processor. Because the processor does not have any identifying data, the processor’s degree of assistance to the controller will in many cases be far more limited. For instance, the security measures to put in place by a processor receiving encrypted data (without the key) may be more limited, given that some of the security is already handled by the controller prior to sharing with the processor.

V.2 Does this allow intragroup pseudonymisation to leave the GDPR’s scope?

While “processorship” should in my view be seen as outside of the CJEU’s reasoning in SRB, as the processor is the extension of the controller, I do not think that we should see intragroup separate (potential) controllers as outside of the scope of the CJEU’s reasoning.

There are broader concerns in the case of intragroup separate “controllership”, of course, relating to the issue of whether two separate group entities can indeed be viewed as acting at arm’s length, i.e. sufficiently independently.

However, principles inspired by competition law (such as the Akzo test regarding the influence a parent company can exercise over the conduct of a subsidiary) show that independence within a group is possible.

In this context, it should also be possible for one affiliate to process pseudonymised data without (access to) identifying data without being deemed to process personal data, provided the CJEU’s SRB conditions (effective technical and organisational measures for pseudonymisation, and no Scania-like sharing of data to re-enable identification) are met.

V.3 What are the consequences of SRB plus Scania for someone who shares data that he/she believes not to be personal data?

I have for a while been suggesting that we should look at the concept of “potentially personal data”, i.e. data that for a given entity is not personal data but that could become personal data in certain circumstances. The idea is not to apply the GDPR in advance, but rather to take steps to limit the compliance gap (and non-compliance risk) associated with a transformation into personal data.

Scania hinted at this, with the idea that non-personal data could be “indirectly” personal data for an entity that shares this non-personal data with a third party who has means of (getting to) identification.

Now, with SRB confirming Scania, I think that the importance of this “potentially personal data” idea becomes significant for anyone handling pseudonymised data. [Personally, I don’t think the idea of “indirect personal data” translates Scania, as that creates confusion with the fact that personal data can concern a natural person who is directly or indirectly identifiable – hence my preference for “potentially personal data”.]

What then are the implications?

The main implication is that anyone handling pseudonymised data without identifying data should seek to determine how best to avoid being seen as enabling reidentification.

This could for instance be done contractually, i.e. by putting in place in data sharing contracts a mechanism to contractually prohibit reidentification or at least reminding the (further) recipient of its own responsibility to ensure compliance with data protection legislation to the extent it might apply.

Other possibilities of measures might be organisational or technical, such as a process to react rapidly if any new circumstance brings into question the pseudonymised nature of the data or a system for vulnerability detection or for monitoring of cybersecurity alerts and advisories (or even mandatory disclosures of partners) that focusses on the mechanism used for pseudonymisation.

Importantly, these cannot be seen as mandatory under data protection law, as the data is not personal data for that entity at the time. This falls outside of the scope of the GDPR’s “accountability” principle, as there is no processing of personal data and the entity in question is not (yet) shown to be a controller.

Put differently, these are voluntary safeguards that the entity in question can put in place.

That being said, the absence of any measures will likely be used by any supervisory authority as indicative of negligence – which in turn could justify fines based on Deutsche Wohnen.

In other words, Scania and SRB help limit the risk of abuse of the possibility to consider pseudonymous data as non-personal data, as they show that the absence of any measure to keep the data non-personal could make the GDPR apply.

One of the questions that I expect to come from this scenario is the GDPR role of the entity sharing pseudonymised data with the third party capable of reidentification. Is it a joint controller solely for the transmission of the pseudonymised data, akin to the Fashion ID situation? Or is the classification different?

[I expect that many will consider joint controllership with a clear allocation of responsibilities to be the best way to manage the difficulties arising out of applying the GDPR to someone who is not actually processing personal data. I personally consider that the concept of joint controllership has been stretched a little too much by CJEU case law, but if the scope of responsibilities is kept logical and reasonable it might be a practical solution to this situation.]

V.4 Transparency & naming of recipients – even needed if no consent?

As highlighted above, the CJEU’s position in relation to transparency is awkward. If the purpose of transparency is to enable the data subject to defend his or her rights against a recipient, will the lack of any identifying information at the level of the recipient of pseudonymised data not make any attempt to defend such rights much more confusing?

The recipient will inevitably say “we do not process your personal data”, to which the data subject will say “you’re lying, ABC told us you received my personal data from them” and they will in turn respond “fine, but we don’t know who you are and which data relates to you”.

This is unhelpful.

This is why I believe that the CJEU’s reasoning has to be read in light of the fact that (i) Deloitte was assumed to be a controller (see V.1 above) and (ii) the processing was based on consent.

Can we then find a practical solution for (or way out of?) recipient naming if the legal ground isn't consent and all they receive is pseudonymised data?

In my view, there are three possible approaches that might work.

  • The first involves recognising that in circumstances other than those described above, the obligation to inform does not apply to recipients of pseudonymised data.

  • A second (that I am not very keen on, but which could in theory work) would be to recognise that if the identity of the recipient of pseudonymised data is known at the time of collection and can be provided in a meaningful way, it could be named along with a mention that it is a recipient of pseudonymised data and would in principle have no means of identifying the data subject.

  • A third, my preferred one, is to draw from Österreichische Post and to acknowledge that in the absence of consent as legal ground, recipients of pseudonymised data do not have to be named individually but can simply be covered by named categories of recipients.

In that case, a difference was drawn between Articles 13-14 GDPR and Article 15 GDPR to highlight the fact that, while both sets of provisions refer to the obligation to inform data subjects about “the recipients or categories of recipients of the personal data”, the latter creates an option, for the data subject, “of obtaining either information about the specific recipients to whom the data have been or will be disclosed, where possible, or information about the categories of recipient” (para. 36 of Österreichische Post). This was used to justify a focus on providing the precise identity of recipients, as opposed to categories of recipients. Because the logic is different for Article 13 GDPR, there should be more freedom for the controller to elect to name categories of recipients – and in the case of recipients of pseudonymised data, this is wholly reasonable.

V.5 Impact on other obligations under the GDPR

Finally, a broader consideration: the CJEU’s awkward reasoning regarding transparency raises questions regarding all other obligations under the GDPR beyond transparency.

For instance, is a legal ground needed for the sharing of pseudonymised data to a recipient? If so, it might make sense to recognise that a legitimate interest assessment will typically be in favour of the data sharing if the conditions in SRB for pseudonymous data to be non-personal data are met.

In a similar vein, does the transfer of pseudonymised data to a non-EU recipient constitute an international transfer of personal data covered by Chapter V of the GDPR? Standard contractual clauses would appear to be irrelevant in practice, and even the Art. 49(1)(a) through (g) GDPR derogations appear nonsensical in this context (how could one establish that a contract is in favour of the data subject if the data subject is unknown to the recipient, unless there is a feedback loop for data enrichment at the level of the true controller?). The “compelling legitimate interests” additional derogation under Art. 49(1) GDPR appears to be the most appropriate one in theory – yet it requires information to the supervisory authority.

Still on the subject of international transfers and in combination with Scania, should any entity processing pseudonymised data without identifying data have to fear the possibility of enabling foreign surveillance authorities to process personal data, for instance if they receive a lawful request for data? Taking into account reasonableness and proportionality, this example illustrates the limits to Scania and the need for verifications to remain proportionate: the one sharing pseudonymous data with the third party capable of reidentification must not be deemed to be involved in processing personal data if it has no reasonable justification for expecting such reidentification.

VI. Conclusion

The SRB ruling is significant. While it is not entirely new, it builds upon existing case law to further clarify certain aspects regarding the notion of “personal data” – in particular its relative nature.

It does raise questions, in particular as a result of its section on transparency, but I believe that with pragmatism it is possible to resolve outstanding issues.

As a data litigator, of course I am keen to see how those questions get handled in the future. But as someone who likes to write analyses of cases, I also find it admirable that the CJEU bucked a recent trend of expanding data protection concepts and instead sought to draw limits to the most fundamental concept of all in data protection – that of what is personal data.

Isabela Meloncini, CIPP/E, CIPM

FIP, CIPPE, CIPM, AIGP (IAPP) | Sr. Compliance Manager at Dawn Health

1w

Thanks for sharing! I also posted about SRB and was having second thoughts when I received comments saying that it was more of the same. Good to know that others agree that this is definitely a breakthrough ruling. Insightful list of unanswered points as well. Food for 💭 thought

Nathalie Laneret

VP Government Affairs and Public Policy @Criteo

2w

Thank you so much Peter Craddock. This is an excellent analysis. While I understand your concept of "potentially personal data", it may create some legal uncertainty. I would prefer to have clear standards on what are the TOMs that actually enable to meet the court's test, i.e., no legal and reasonable means to identify

Laurent S.

Group DPO at Radisson Hotels I CIPP/E, CIPM, FIP

2w

Thank you for the insightful article, Peter. I still need to figure out how much additional "flexibility" this will actually provide for Data Controllers to transfer personal data. The phrase "in so far as it cannot be ruled out..." in §85 (2) appears quite restrictive, even though it must be balanced against the "reasonable" means available to (re-)identify the data subject. In this context, do you have any perspective on what would determine that threshold? Put otherwise, at what point might those means be considered unreasonable? Using the ice cream example, one could argue that all it takes is a call to customer care to identify the individual behind UserID AB12345. In this scenario, the third party may have "means reasonably allowing them to attribute pseudonymised data to the data subject," even if voluntary safeguards are implemented (e.g., a contractual prohibition against contacting customer care and/or an internal policy not to disclose the identity of AB12345).
