Hacker News
by thaumasiotes 2379 days ago
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

> ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

As far as the English text of the regulation goes, it's clear that the generation, detection, and use of this record count as "processing", as long as the record itself is "personal data".

It's not clear that this is the case. A record stating "this browser has visited XXXX website today" does nothing, in the absence of other records, to identify the person providing the record. But this is open to some interpretation. In particular, you might be getting this record from web requests that already identify the user by other means (perhaps they're logged in). In that case, someone could argue that the fact of the user having visited (or not) your site before on the same day is data that pertains to them specifically ("personal data"), and that your making note of it is prohibited by default under article 6 of the GDPR.

The counterargument would be that when the data is reified in your use and your records, it has already become impossible to relate to any individual person.

You'd have to rely on that counterargument, because article 6 won't help you at all:

> 1. Processing shall be lawful only if and to the extent that at least one of the following applies:

> (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

> (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

> (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

> (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

> (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

> (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

> Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

None of these will apply unless you are an agent of the government.

-----

Thought experiment: as a hostile website operator, you decide to attack your users by filling their local storage. You generate random bytes and store them under random keys to the limit of what their browser will allow. You don't yourself know what the keys are.

Is this a GDPR violation? Those random bytes are highly entropic identifiers which you processed and associated with individual users.