personal-data-test
Installation
SKILL.md
Personal Data Classification Test — GDPR Art. 4(1)
Overview
Article 4(1) of the GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject')." This definition is deliberately broad and technology-neutral. The European Court of Justice in Breyer v Bundesrepublik Deutschland (C-582/14, 19 October 2016) confirmed that even dynamic IP addresses can constitute personal data when the controller has legal means to obtain additional information enabling identification. This skill provides a systematic decision framework for classifying data elements as personal, non-personal, or borderline requiring contextual assessment.
Legal Foundation
Art. 4(1) — Four Constituent Elements
Personal data exists when ALL four elements are satisfied:
| Element | Definition | Assessment Criteria |
|---|---|---|
| Any information | No restriction on nature, content, or format of information | Includes objective facts (age, blood type) and subjective assessments (credit rating, performance review). Covers all formats: text, image, audio, biometric, metadata, behavioural |
| Relating to | Information must have a content, purpose, or result link to the individual | Content link: information is about the person. Purpose link: information is used to evaluate or influence the person. Result link: processing has an impact on the person's rights or interests |
| Identified or identifiable | The person is or can be distinguished from all other persons | Identified: directly singled out. Identifiable: can be singled out by using additional data, taking into account all means reasonably likely to be used |
| Natural person | Living human being, not legal entities or deceased persons | Excludes companies, government bodies, associations. Member State law may extend protections to deceased persons (e.g., Italy extends to 20 years post-mortem) |
Related skills