In a data-driven society, the collection and processing of data is essential to the operation of existing technologies and the development of new ones. Data protection law protects individuals against risks associated with the processing of “personal data”. However, despite an intensive legal debate, there is still considerable uncertainty as to when data is personal data and when it is not. The reason for this is that data such as technical data or geo-location data usually is not “personal” per se but only when it is used for a specific purpose and in a specific way, or to be more precise, when the data processing causes a specific risk to a fundamental right of an individual. In our paper, we demonstrate that by focusing on these risks when assessing the scope of application, the question whether data falls into the scope of the General Data Protection Regulation (GDPR) or not becomes much clearer. The about, purpose, and result elements, introduced by the Art. 29 Working Party, thereby turn out to be a powerful set of analytical tools to determine which rights are specifically affected by data processing and, thus, to what extent a data subject is identified or identifiable in the processing context. While the about element addresses different risks to the right to privacy, the purpose element specifically reveals risks to the autonomy status of an individual. Finally, the result element focuses on the negative effect data processing can have on any other fundamental rights of the individual. On this basis, it is also possible to define more precisely the legal requirements for anonymising personal data. First of all, we illustrate that anonymisation mainly affects the about element and can do little “against” the purpose and result element. At least, however, by assessing which sphere of privacy is specifically concerned, it is possible to more precisely define when an individual is identified in a dataset and, thus, what the requirements for anonymization are.

在数据驱动的社会中，数据的收集和处理对于现有技术的运行和新技术的开发至关重要。数据保护法保护个人免受与“个人数据”处理相关的风险。然而，尽管存在激烈的法律辩论，但数据何时是个人数据、何时不是个人数据仍然存在相当大的不确定性。原因在于，技术数据或地理位置数据等数据本身通常不是“个人”的，而是仅在用于特定目的并以特定方式使用时，或者更准确地说，在数据处理时对个人的基本权利造成特定风险。在我们的论文中，我们证明，通过在评估适用范围时关注这些风险，数据是否属于通用数据保护条例（GDPR）范围的问题变得更加清晰。由艺术引入的关于、目的和结果元素。29 工作组因此成为一套强大的分析工具，用于确定哪些权利受到数据处理的具体影响，从而确定数据主体在处理环境中被识别或可识别的程度。虽然“关于”元素解决了隐私权的不同风险，但“目的”元素特别揭示了个人自主状态的风险。最后，结果要素侧重于数据处理可能对个人的任何其他基本权利产生的负面影响。在此基础上，还可以更精确地定义个人数据匿名化的法律要求。首先，我们说明匿名化主要影响 about 元素，对于“反对”目的和结果元素几乎没有作用。然而，至少通过评估具体涉及哪个隐私领域，可以更精确地定义何时在数据集中识别出个人，从而确定匿名化的要求是什么。