In a data-driven society, the collection and processing of data are essential to the operation of existing technologies and the development of new ones. Data protection law protects individuals against risks associated with the processing of “personal data”. However, despite an intensive legal debate, there is still considerable uncertainty as to when data is personal data and when it is not. The reason for this is that data such as technical data or geo-location data usually is not “personal” per se but only when it is used for a specific purpose and in a specific way, or to be more precise, when the data processing causes a specific risk to a fundamental right of an individual. In our paper, we demonstrate that by focusing on these risks when assessing the scope of application, the question of whether data falls within the scope of the General Data Protection Regulation (GDPR) or not becomes much clearer. The about, purpose, and result elements, introduced by the Art. 29 Working Party, thereby turn out to be a powerful set of analytical tools to determine which rights are specifically affected by data processing and, thus, to what extent a data subject is identified or identifiable in the processing context. While the about element addresses different risks to the right to privacy, the purpose element specifically reveals risks to the autonomy status of an individual. Finally, the result element focuses on the negative effect data processing can have on any other fundamental rights of the individual. On this basis, it is also possible to define more precisely the legal requirements for anonymising personal data. First of all, we illustrate that anonymisation mainly affects the about element and can do little “against” the purpose and result elements. At least, however, by assessing which sphere of privacy is specifically concerned, it is possible to more precisely define when an individual is identified in a dataset and, thus, what the requirements for anonymisation are.