Incidental processing and GDPR: from bystanders to spontaneous notes, do data protection rules apply?

Another week, another product announcement from someone involving AI in your pocket, on your wrist, in front of your eyes. I have met people whose lives have literally been transformed as a result of some of these tools, such as an individual who is suddenly able to use a camera in glasses to film his work in his workshop, free to use his only hand to actually do the work instead of holding a phone or camera, and have seen people who are concerned that wearable technologies may, together with recent discussions on encryption and backdoors, be the missing ingredient towards total governmental surveillance.

At the same time, another week, another decision by a supervisory authority considering that individuals are identifiable on the basis of assumptions and saying that intent is irrelevant, raising questions as to where data protection law might go in the coming years on the most fundamental of notions: “processing of personal data”.

As a lawyer, a legal technologist and data litigator, my reflex is to check which are the real legal questions, what the relevant technical context is and what might be my take on them. And over the past 2 years, my articles have been gradually building towards a couple of key questions – notably the handling of a topic I couldn’t quite put my finger on at the time. I have written about whether AI models involve the processing of personal data (on a few separate occasions, notably regarding a Cologne Higher Regional Court judgment that tackled this issue in part). I have written about SRB and when information becomes personal data, pseudonymisation and when information ceases to be personal data, and situations where anonymisation is mandated by law to see what anonymisation entails. [If you haven’t yet examined all of these, put them on your reading list!]

In all of these issues, there has been a focus on “what is personal data?”, but I realised that there is more than purely this. When you apologise in an e-mail to a professional contact for having to reschedule a meeting because of your kid’s fever or to ask to push back a call because of a birthday party, you are causing that contact’s organisation to process information that might not have been covered by the purpose of professional e-mail processing – yet it might actually be information relating to an identified or identifiable natural person. When you point your phone towards a dancer in the metro, hoping to capture on video the next viral sensation, you are capturing data regarding bystanders, some of whom might be identifiable, some not. Therefore, there are situations where “what is personal data?” might not be sufficient. In others, it might be unclear. For instance, when your car’s sensors detect a human moving in front of a parked vehicle and warns you to be careful, is that processing of personal data – and is the answer any different if that sensor is a camera?

So here is an in-depth look at the issue of incidental processing, i.e. the possibility of information being captured or otherwise processed that goes beyond the purpose or intended use of a tool.

This isn’t just one of my long reads – it’s a long, long read, so I have included a PDF version too to allow you to print it out.

I. Proposed typology for incidental processing

To properly tackle the question of what incidental processing is and how to tackle it from a data protection perspective, I think it is important to draw a distinction between three main scenarios, and to examine how they are handled from a legal perspective:

1. Incidental processing: First, the scenario where a tool is being used for one particular purpose that is not intended to involve third-party personal data but incidentally captures data that could relate to a natural person. The incidental nature of the processing concerns the whole of the processing of information relating to natural persons. [For instance: where a camera is used to take a video of a skyline and a natural person happens to walk by the camera; where a microphone is used to identify bird sounds and someone happens to talk during the recording; where a financial analyst is brought in to check business expenses but notices that the shop ticket features a line saying “Served by”, followed by the name of the salesperson.]
2. Incidental data category: Second, the scenario where a tool is being used for a purpose that is intended to involve certain categories of information relating to natural persons, but that incidentally captures other categories of information relating to such a natural person. [For instance: where a camera is used to take a picture of a person, with the photo revealing a pendant with a Christian cross; where a corporate e-mail system is intended to be used for business-to-business communications but one e-mail contains information about the sender undergoing chemotherapy; where a free-text field on a contact form for a taxi pickup is used to indicate that the ordering person is going to a restaurant to celebrate their birthday.]
3. Incidental person: Third, the scenario where a tool is being used for a purpose that is intended to involve information concerning a particular natural person but incidentally captures data that could relate to another natural person. The incidental nature of the processing concerns the natural person in question, as the capturing of information relating to natural persons is intentional, but not in relation to that natural person. [For instance: where a camera and a microphone are being used to provide a live transcription of what a particular person is saying, through a combination of audio and video, and another person’s words are processed in that context; where a video is being made of a singer on the metro/subway and another person appears in the field of view, getting on after a stop; a remote call in which one participant is at home and their daughter comes into the video frame.]

This distinction will be relevant when examining the applicability and impact of data protection rules for each scenario.

But first, back to the basics.

---

II. “Processing” of information

The GDPR only applies to the processing of personal data.

The concept of “processing” has a very broad definition:

“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Article 4(2) GDPR)

In other words, any capturing of personal data is processing, even if that personal data is not actively used thereafter, as is any further use thereof.

But does it require knowledge, intent to be considered “processing” for the purposes of the GDPR? The first sentence contains two important clues: “any operation or set of operations which is performed on personal data or on sets of personal data”.

“Perform” as a verb relates to an action, in lexical morphology a verb that requires an agent (as opposed to e.g. “happens”, where an external event occurs). Someone instigates processing.

The same with the word “operation”, a nominalisation of the equally active verb “to operate”. An operation is an action with a particular goal.

The cases in which the Court of Justice of the European Union (CJEU) has found there was “processing” illustrate this, from the simple loading of a website in the Lindqvist case to the active retrieval and analysis of web pages in the Google Spain case: there is some form of active component, an intent to perform an action on information that can foreseeably include personal data (see sections III, IV and V below in this respect). This is not a subjective assessment, but one of intent made objective by way of the manner of action (active retrieval or loading of information, instigated at least by design by the controller). [[CJEU, 6 November 2003, Lindqvist, C-101/01, EU:C:2003:596, para. 25 // 13 May 2014, Google Spain, C-131/12, EU:C:2014:317, para. 28]]

By way of an illustration of what is not “processing”, there are various types of data changes that happen due to external factors, some at a more physical level. Some data errors arise as a result of cosmic rays or other interference, data can degrade over time and data loss can be caused by passive hardware failure. These situations cannot be considered as “processing”, as they merely happen to data but are not performed on data. [Note that this is a wholly separate issue from whether such events can count as a “personal data breach”.]

For instance:

• Data errors have been shown to happen frequently but randomly due to cosmic radiation (by way of oversimplification, high-energy particles such as photons hurtling towards Earth at the speed of light as a result of supernova explosions and other cosmic events). [[See notably B. Schroeder, E. Pinheiro & W.-D. Weber, “DRAM Errors in the Wild: A Large-Scale Field Study”, SIGMETRICS/Performance’09, June 15–19, 2009, as well as H. Iwashita, H. Sato, and Y. Kiyanagi, “Neutron-energy-dependent Semiconductor Soft Errors Successfully Measured for the First Time”, NTT Technical Review, Vol. 19 No. 6 June 2021.]]
• Data degradation can happen even with solid-state drives (SSDs), and this has been shown to happen increasingly at a “high retention age” as a result of charge leakage (as digital memory is stored in an electrical charge, if too many electrons holding that electrical charge and thus memory bleed out of the drive – a natural phenomenon due to difficulties in creating perfect barriers to hold electrons – before the memory is refreshed, the data held in memory can be corrupted). [[See Y. Cai, Y. Luo, E. Haratsch, K. Mai & O. Mutlu, “Data retention in MLC NAND flash memory: Characterization, optimization, and recovery”, IEEE 21st International Symposium on High Performance Computer Architecture, HPCA 2015, 551-563, 10.1109/HPCA.2015.7056062.]]
• Hardware failures have been shown to happen as a result of phenomena such as electromigration (whereby atoms forming wires inside a microprocessor are pushed out of their place by moving electrons). [[See H. Cui, W. Tian, Y. Zhang & Z. Chen, “The Study of the Reliability of Complex Components during the Electromigration Process”, Micromachines (Basel). 2023 Feb 21;14(3):499. doi: 10.3390/mi14030499. PMID: 36984906; PMCID: PMC10051856.]]

Each of these situations points to a similar idea: something happens, unintentionally, as a result of factors or circumstances that are external to the (potential) controller. This can lead to data alterations or even their erasure or destruction, yet there is no reason to consider them as “processing” that would be subject to data protection rules. Article 32 of the GDPR notably aims at ensuring that a controller or processor take measures to mitigate the risk of such “accidental or unlawful destruction, loss, alteration”, yet nowhere is it alleged that those events themselves are “processing”.

Therefore, where something happens outside of the framework decided by the (potential) controller, it should not be considered as processing – at least, not from their perspective – as it does not form part of the “operations” that the controller “performs” on “personal data”.

---

III. Processing of information that “relates to a natural person”

Similarly, the requirement of “personal data” is complex to handle, and one cannot just rely on assumptions. Data concerning “John Doe” may seem like data about a person, but it might be a fictitious character (not personal data), a deceased person (not / no longer covered by the GDPR), a pseudonym that cannot be linked to the actual natural person (not personal data) or even a generic name to label someone, an indeterminate person, without it being a specific natural person (not personal data).

Under Article 4(1) GDPR, for information to be “personal data”, it must relate to a natural person who is identified or identifiable, directly or indirectly.

The issue of what “relates” to a natural person may seem straightforward, various situations are more difficult, such as the processing of information regarding small businesses (given the strong ties between a small business owner and the business itself).

In the Nowak case, the CJEU held that the condition “relates to” “is satisfied where the information, by reason of its content, purpose or effect, is linked to a particular person” [[20 December 2017, Nowak, C-434/16, EU:C:2017:994, para. 35]]. In other words, if business information relates to a business in terms of content but someone wishes to use it to assess the individual behind the company, that aspect of intent (the purpose of assessing the individual) or impact (the effect of correlating business and individual) can transform business information into personal data.

Along a similar vein, it is worth taking into account the nature of the tool (device, system, etc.) used to process information. Some tools are built with a very particular use in mind, while others are more flexible.

For instance, an environmental sensor is built with the purpose of detecting the temperature or other qualities of the air surrounding it; an electricity meter is built to measure and track the amount of electricity passing through it.

Illustrations of more flexible tools include a camera (which can be pointed at a landscape, a building or a person), a recording device (which can listen to wildlife or human conversations) or a database (which might feature a list of countries in one case or a list of users in another).

In all cases, though, such tools have at least the potential to involve the processing of personal data, a potential that in some cases will be realised, and in others, not.

For instance:

• An Internet-connected electricity meter involves the processing of personal data if an electricity company places it in a house and knows the identity of the contract holder, as the electricity consumption being collected and transmitted through the meter relates to an identified natural person (from the electricity company’s perspective).
• If that same electricity company places such an electricity meter in a warehouse, there is no intent to process personal data – quite the opposite. Yet the electricity company also knows who is the natural person within the company who signed the contract, or who is the natural person who acts as CEO or other legal representative of the company. It could therefore theoretically choose to link the electricity consumption to that natural person.
• Similarly, in the case of a meter placed in a dental practice, the electricity company will likely view it as relating to a small enterprise, not to a natural person. It could theoretically link the electricity consumption to the dentist, but if it treats it as “business” data rather than actually linking it to the natural person, there would only be a hypothetical link to the natural person, not an actual one.

Based on the CJEU’s teachings concerning the condition “relates to”, the first one (residential customer) will likely be viewed as processing of information that relates to a natural person, as the contract owner (a natural person) is known and the information is linked to that natural person by reason of its effect, potentially also by reason of its content.

The second (warehouse) will not, as the contract holder is the company rather than the CEO, unless the electricity company does decide to keep a separate individual-level data point (e.g. to track contact people and the consumption “related” to their account) – at which point the information will become linked to a natural person by reason of its purpose.

The third (meter placed inside a dental practice) follows a similar logic. While it is hypothetically possible to link the electricity consumption to the dentist as natural person, as long as this is purely a hypothetical scenario the consumption should not be viewed as relating to a natural person, whether by reason of its content (electricity consumption regarding a business), its purpose (collection with a view to e.g. grid balancing, billing of the business customer, etc.) or its effect (no specific impact on the dentist as a natural person). There is no link being made between the electricity consumption and the dentist as a natural person.

---

IV. Personal data that relates to an “identified or identifiable” natural person

Beyond the issue of what “relates” to a natural person, the second key condition – that the natural person in question be “identified or identifiable” – gives rise to complex considerations.

IV.1. Criteria for identifiability

In the GDPR, the terms “identified” and “identifiable” are not defined as such.

“Identified” intuitively covers the scenario where a natural person’s name and contact details are known, but neither the law itself nor case law have so far provided a definitive test to assess whether identification has been achieved in other scenarios.

As far as “identifiable” is concerned, its literal meaning is “capable of being identified”. It therefore concerns a precondition, a situation in which a natural person is not yet identified as such but can be. Recital 26 of the GDPR, on the concept of “identifiable” natural persons, provides some useful context:

“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”

This means that pseudonymised data will be about an “identifiable” natural person if it can be attributed to a natural person by way of certain types of “additional information”. That person is not an indeterminate “someone” but rather a specific person, one that becomes identifiable by way of that additional information.

Identifiability then requires taking into account objective factors to determine whether such additional information exists and whether means are “reasonably likely to be used” to identify a natural person. If excessive time, effort or money are needed to link information to a natural person, information might have to be viewed as falling outside of the scope of “personal data”.

As the CJEU stressed in its SRB judgment:

“a means of identifying the data subject is not reasonably likely to be used where the risk of identification appears in reality to be insignificant, in that the identification of that data subject is prohibited by law or impossible in practice, for example because it would involve a disproportionate effort in terms of time, cost and labour” [[4 September 2025, C‑413/23 P, EU:C:2025:645, para. 82, quoting OC v Commission (OLAF) (7 March 2024, C-479/22 P, EU:C:2024:215, para. 51).]]

Identifiability must therefore be assessed in a practical and contextual manner, considering the actual, lawful capabilities of a given person or another from whom the relevant person can obtain assistance, and the realistic likelihood of identification.

It is worth noting that singling out, which is explicitly mentioned in Recital 26 GDPR, is just one means that can be used to identify a natural person, and nowhere in the GDPR does it appear that singling out might be a sufficient means of identifying a natural person. Should that have been the case, any scientific study or statistical analysis that reveals an outlier would be deemed to involve the processing of personal data, no matter whether actual identification of the person concerned by the outlier data point is even hypothetically possible.

As mentioned in my previous piece on pseudonymisation:

Statistics make this very clear. In many statistics, outliers can be singled out. For instance, if I receive a table of responses from someone else about self-reported responses to “how high can you jump?”, respondent 34 might have reported being capable of jumping 2m high while everyone else is in the 0.5m-1.5m range. Yet this does not mean that I can do anything about respondent 34. I have no means of actually identifying who respondent 34 is or doing anything about respondent 34. So yes, I can distinguish respondent 34 from the others (= singling out), and I know from the context that respondent 34 is a specific person, but I cannot do anything about that person. It would be excessive to consider singling out as always leading to personal data, as that would effectively mean that many situations in which there is no possible action in relation to an individual become covered.

In other words, singling out can be insufficient to transform information into personal data. It can help and it may be that it becomes seen as a necessary condition, but it is not always a sufficient condition. There is a need to be able to go beyond singling out and to act upon or in relation to such person; otherwise, the mere presence of an outlier in statistics would be sufficient for that outlier to be “identifiable” and the concept becomes too broad to be meaningful.

For this reason, I consider that identifying a natural person requires three things:

1. the ability to attribute certain information to a natural person,
2. the ability to distinguish that person from any other persons (= i.e. so it is a specific natural person, not just any natural person) and
3. that distinction must be of such a nature as to make it possible to act upon or in relation to such person.

Without identification, information is not personal data. Without personal data, the processing of such information is not within the scope of the GDPR.

IV.2. Identifiability as a matter of perspective

Through its Breyer, OC v Commission and SRB cases, the CJEU has made it clear that the “additional information” needed to reidentify a natural person does not have to “in the hands of one [same] person”. Yet this assessment is not made in abstract terms: one must always examine whether a particular person or entity is capable of getting to reidentification, on their own or through the intermediary of someone who does have the additional information in question. [[19 October 2016, Breyer, C-582/14, EU:C:2016:779, para. 43 // OC v Commission, para. 48 // SRB, para. 99]]

As the CJEU stated in SRB, the CJEU has found it possible for “data that are inherently impersonal and have been collected and retained by the controller [to be] nevertheless connected to an identifiable person [where] the controller had legal means of obtaining additional information from another person making it possible to identify the data subject”. [[SRB, para. 99, quoting Breyer (para. 44, 47 & 48) and IAB Europe (CJEU, 7 March 2024, IAB Europe, C‑604/22, EU:C:2024:214, para. 43 & 48).]]

There must therefore be a link between the potential controller and the third party who would provide such “additional information” to enable identification of the data subject. If the potential controller does not have anyone to turn to for such “additional information” – and no legal means of obtaining it from such third party (i.e. excluding unlawful means, such as obtaining additional information in breach of data protection law) – the data itself is not “personal data”.

Another consequence is that where information has been properly pseudonymised, it “must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application of [data protection rules], in so far as pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable” [[SRB, para. 86].

Identifiability is therefore a matter of perspective. When examining whether a potential controller is indeed processing personal data, one must first assess whether that potential controller (i) has (lawful) means of identifying a natural person or (ii) has (lawful) means of obtaining additional information from a third party in order to identify the natural person. If these conditions are not met, information is not personal data from that potential controller’s perspective – even if that information seems to relate to a natural person.

In addition, the “reasonableness” of those means signifies that merely hypothetical means are irrelevant. Proportionality dictates that these means of identification must be realistic, not dependent upon the alignment of a wide range of other conditions.

An additional point to bear in mind is that identifiability is not a fixed state. In accordance with Scania and SRB, the making available of information to a third party can indirectly make a natural person identifiable, if that third party does in turn have means reasonably likely to be used to enable identification. This in practice requires foreseeability, though, as in both Scania and SRB it was foreseeable for the person making such information available to the third party that the third party would have such means of identification. [[CJEU, 9 November 2023, Scania, C‑319/22, EU:C:2023:837, para. 49 // SRB, paras. 84-85]]

---

V. Incidental processing and the scope of data protection rules

When combining the above, “information that relates to an identified or identifiable natural person” relies on certain key principles that can be visualised in the following manner (or at least, this is how I view things):

In the context of the three scenarios described earlier, namely incidental processing, incidental data category and incidental person situations, these principles, and in particular the issue of identifiability, effectively exclude them from the scope of the GDPR.

V.1. Incidental processing: not always “processing” of personal data due to intent-derived foreseeability

As illustrated earlier regarding the concept of information that “relates to” a natural person, whether a tool is likely or not to collect information relating to a natural person – or which categories – depends on the tool itself and what it was built to do (data sources, data categories, purposes, etc.).

For instance, in the case of processing of business expenses, tickets are focussed on products or services, their price or cost, and payment information. If a tool is used to process such information, it is not intended to process information relating to natural persons in that context. As a result, if a ticket for coffee from a store named “John’s Fabulous Coffee” features words such as “Served by Mark. Have a great day!”, the tool for scanning and organising expense tickets may not be built to handle the hypothesis of information stemming from such scans relating to the natural person having sold or served the goods purchased.

Does it make the information “relating to a natural person”? In this particular context, the information does relate to a natural person by reason of its content. It was not the intention for such kind of information to appear in this system, but it does – and by way of its nature it is linked to a natural person.

Is that natural person identifiable? In theory, knowing that a person called “Mark” works at “John’s Fabulous Coffee”, together with the address of that store, may be sufficient to enable identification of that specific natural person, in particular if the financial analyst lives nearby. The requirement of “means reasonably likely to be used” is context-specific, and in the context of one ticket regarding a nearby store with a limited number of employees, the threshold for identifiability is substantially lower than in many other cases.

Hence the article’s header image – a form of “artist’s impression” if you will:

Yet the issue remains: even if one were to take the view that it is information relating to an identifiable natural person – i.e. “personal data”, the potential controller clearly did not intend for the system (as built or as used) to involve the processing of personal data.

This leads to the important question: is it truly “processing” within the meaning of Article 4(2) GDPR, if the intent to process personal data is clearly absent, just because a ticket might include the name of the person behind the counter?

The UK’s supervisory authority, the ICO, has clearly taken the view that “incidental” processing is still “processing” within the meaning of the (UK) GDPR. It wrote as follows in its 2024 response to the consultation series on generative AI, in a section entitled “Tackling misconceptions”:

“1) The “incidental” or “agnostic” processing of personal data still constitutes processing of personal data. Many generative AI developers claimed they did not intend to process personal data and that their processing of that data was purely incidental. Our view is clear: data protection law applies to processing of personal data (which includes special category data), regardless of whether this is ‘incidental’ or unintentional.”

While the ICO’s response is specifically written in the context of questions concerning generative AI, the answer itself appears to be universally applicable: in the ICO’s eyes, “data protection law applies to processing of personal data (which includes special category data), regardless of whether this is ‘incidental’ or unintentional”. It is unclear whether the ICO is basing this argument on the idea of “processing” or on the idea of identifiability, so I assume it is on the basis of each.

Since the UK is no longer a part of the European Union, the ICO itself is not an EU supervisory authority, but it is possible and even likely that other supervisory authorities will take a similar view, notably because this position helps keep such “processing” within their remit (while accepting a more restrictive interpretation of “processing” would on the contrary limit their remit).

But considering the examples of data degradation etc. as well as the example of AI usage, this position suggests that the application of data protection rules might not depend on the potential controller on the possibility of someone, somewhere including information concerning a natural person where a process and system are not intended to lead to the processing of such information.

Yet the CJEU recently confirmed that “the principle of legal certainty […] requires that rules of law be clear and precise and predictable in their effect, so that interested parties can ascertain their position in situations and legal relationships governed by EU law and take steps accordingly” [[CJEU, 26 June 2025, Commission v Spain (Participations indirectes), joined cases C‑776/23 P to C‑780/23 P, EU:C:2025:487, para. 92.]]. In other words, foreseeability is one of the essential requirements for the lawfulness of legal obligations. Without foreseeability, a law is inapplicable.

As a result, to avoid reaching the conclusion that the GDPR itself is deemed to be unforeseeable (with the significant consequences that this would have regarding its enforceability in general), it appears necessary to consider that, just as the concept of “processing” should not cover data degradation and other forms of alterations that happen outside of a potential controller’s control, it should not cover even the collection of data that happens outside of the parameters set by that potential controller.

In other words: intent regarding the way in which a system or process is designed or used by the potential controller, and the resulting foreseeability, is in fact decisive in order to assess whether any form of interaction with personal data listed in Article 4(2) GDPR is indeed “processing”.

This does not mean that the scope of “processing” would be subjective.

First, in the case of systems or processes whose intent is clear (e.g. processing of business expenses for the purposes of assessing which amounts need to be reimbursed and how they need to be booked), there are objective factors that represent and embody such intent.

Second, in the case of multi-purpose systems or processes (such as cameras or microphones), the context itself can provide the objective evidence of the intent. A camera pointed towards an animal nest is objectively unlikely to be aimed at the processing of personal data, while that same camera being pointed towards a person singing on the metro will clearly be intended to process information relating to a natural person. Similarly, if an augmented reality tool such a smartphone app, wearable headset or a pair of smart glasses is used to provide live navigation, the capturing of situational markers may be the intent behind the functionality used, with no intent to capture information relating to natural persons, and the functionality itself and its manner of assessing which information is relevant can be objective evidence of that intent.

Foreseeability of processing of personal data is therefore an objective assessment, based on the intent of the potential controller as materialised through the design and use of the relevant tool. It is not purely a question of foreseeability in abstract terms but an intent-derived foreseeability that is required.

In the context of AI model training, for instance, the way in which AI model training is based on the detection of patterns in relation to concepts (or even tokens), rather than combining information regarding a specific individual, is such that already objectively, there is no “processing”. The circumstance that an AI model provider first attempts to pseudonymise training data further shows that the objective is not to process personal data but rather to learn patterns about the information to be ingested by the AI model. The lack of reasonable means of identifying data subjects to whom information within the training dataset might relate further shows that even the process of pseudonymisation is objectively not “processing of personal data” but at most an alteration of information that is likely to relate to an indeterminate natural person (“someone, somewhere”), not a particular natural person.

A core issue with incidental processing is that if the intent is not to process information concerning natural persons, and no processing of personal data is foreseeable as a result, compliance with GDPR obligations becomes very difficult.

On the issue of transparency and Articles 13 & 14 GDPR in particular, having to declare hypothetical processing will raise significant concerns.

The Article 29 Working Party, the European Data Protection Board’s predecessor, has criticised the use of conditional words in privacy notices. [[Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01, 11 April 2018, Page 9.]]

Certain national authorities having used similar criticisms to conclude to infringements of the transparency obligation under the GDPR. For instance, the Belgian Data Protection Authority recently stated as follows:

“The Litigation Chamber considers that such wording (“can be used”) does not provide data subjects with sufficient certainty as to the nature and scope of the processing of their personal data by the defendant. Consequently, the data sources cannot be said to have provided data subjects with transparent and fair information.” [[Belgian Data Protection Authority, Litigation Chamber, decision on the merits No. 07/2024 of 16 January 2024, case DOS-2021-01224, p. 63, rough translation. Original in Dutch: “De Geschillenkamer oordeelt dat een dergelijke verwoording (“kunnen gebruikt worden”), onvoldoende zekerheid biedt aan de betrokkenen over de aard en de omvang van de verwerking van hun persoonsgegevens door de verweerder. Dienvolgens kan hier geen sprake zijn van een transparante en eerlijke informatieverstrekking aan de betrokkenen door de gegevensbronnen”.]]

It is similarly difficult to manage the issue of determining a legal ground for an unforeseen “processing of personal data”, which is nevertheless required under Article 6 of the GDPR. For instance, consent cannot be “informed” or “specific” for as-of-yet-unknown processing. A legitimate interest assessment requires taking into account data subject reasonable expectations and balancing the controller’s interest against the data subject’s rights, freedoms and interests. As the data subject’s reasonable expectations are a fully unknown and unknowable parameter in the case of potential and unintended “processing” and the balancing test is equally difficult to properly carry out in the case of speculation and unknowns, no legitimate interest assessment performed in such circumstances will likely be deemed adequate by any supervisory authority.

In other words, the most basic obligations – transparency and lawfulness – under the GDPR are awkward to handle. As will be shown hereunder, other obligations are just as hard to manage (see section V.3).

Yet it is a general principle of EU law that “no one is obliged to do the impossible”. [[Notably confirmed as a general principle of EU law in a Montessori judgment (CJEU, 6 November 2018, Scuola Elementare Maria Montessori v Commission, C-622/16 P, EU:C:2018:873, para. 79)]] If a particular legal obligation is deemed impossible to meet, it does not apply. This therefore reinforces the conclusion that certain types of incidental processing cannot be deemed to be “processing”, or else lead inevitably to impossible obligations and thus unworkable legislation. Either the GDPR is a law that must necessarily be systematically violated and thus loses its purpose and must be ignored by virtue of the principles of legal certainty and of non-impossibility of legal obligations, or the GDPR must be interpreted in a manner so as to avoid impossible compliance – such that it must not be deemed to apply to such incidental processing.

An objective approach to intent-derived foreseeability is moreover in line with CJEU case law on liability for infringements. The CJEU held in Deutsche Wohnen that “only infringements of the provisions of that regulation committed wrongfully by the controller, that is to say those committed intentionally or negligently, can result in a fine being imposed on the controller” pursuant to Article 83 GDPR (based on the reference to negligence and intent in Article 83(2)(b) GDPR). [[CJEU, 5 December 2023, Deutsche Wohnen, C-807/21, EU:C:2023:950, para. 68]] That limitation to negligence and intentional infringements must be considered as indicative of the fact that the GDPR itself only applies to wilful processing or processing that arises as a result of negligence. Indeed, any other interpretation – for instance, that that even non-intentional and non-negligent handling of information that might possibly be considered as personal data would be covered by the GDPR, yet infringements are unsanctionable – would necessarily render the law de facto inapplicable.

In other words, to have an interpretation of Deutsche Wohnen that is compatible with the general principles of legal certainty and of non-impossibility of obligations, intent-derived foreseeability is the foundation on which the limitation of liability to cases of negligence and intentional infringements is based, by way of its expression in Article 83(2)(b) GDPR.

V.2. Incidental processing & identifiability

While the issue of whether it is “processing” will often crop up in relation to such incidental processing, the question of identifiability – and thus whether the information itself truly is “personal data” – is often just as important in this context.

In the example given earlier of a business expense for John’s Fabulous Coffee, the circumstances made is likely that the individual is identifiable. However, such circumstances do not necessarily arise.

In the case of the meter for a company, for instance, it may be that there is a spike in electricity consumption at 8am that corresponds to the use of a company water boiler for a shower. The inference one might make (if so inclined) is that there is someone who comes at 8am in need of a shower (for instance, a sporty cyclist). This information would clearly relate to “a” natural person, but that natural person cannot reasonably be held to be “identifiable” from the perspective of the electricity provider.

Similarly, a vehicle equipped with cameras or a LiDAR system constantly captures information relating to natural persons in the surroundings: detection that it is a natural person, distance away from the vehicle at any given time but also over time in order to detect and possibly anticipate movement, etc. Beyond the fact that the intent itself is to detect patterns and not enable the processing of personal data, information relating to those natural persons themselves is not used with a view to identification, nor does the vehicle manufacturer or its driver likely have any means to identify passers-by on the street. In other words, while the information relates to natural persons, they should not be considered “identifiable”.

This issue of identifiability is most clearly relevant in relation to the “incidental person” scenario, though, and will be examined further in that context.

V.3. The impact of intent-derived foreseeability on incidental data category “processing”

Much of the reasoning set out above in relation to the notion of “processing” is relevant not just for incidental processing but also for the incidental data category scenario. After all, if a system or process is designed in a way to lead to the processing of basic categories of personal data (such as contact details) and a third party (for instance, an external user) decides to add information that is not designed to be included, such as health data or sexual orientation data, why should the full scope of data protection obligations relating to such types of data suddenly apply to the potential controller being assessed?

A common example in this respect is that of corporate e-mail systems. If company ABCD has a corporate e-mail domain and makes professional mailboxes available to its employees, it will expect this e-mail system to involve the processing of personal data regarding its employees, its customers and its suppliers. But it will not expect all possible categories of personal data to be processed in that context, as the professional e-mail system is not necessarily intended to be used by employees to exchange discussions with suppliers about one another’s love life, health, religious or political beliefs. It will not expect that system to handle salary information regarding those supplier representatives, nor even their home address. The business environment means that the foreseeable categories of personal data regarding supplier representatives will be limited.

In this context, should a supplier representative elect to include in an e-mail an indication that they are undergoing chemotherapy, this is not part of the intended scope of processing. If a male supplier representative mentions the name of his spouse, and that name is a male name as well, sexual orientation of the supplier representative is not meant to be part of the categories of personal data processed.

Similarly, if a camera is used to film a singer and the surrounding audience in front of a train station, the intent behind the processing is to process certain categories of personal data: image and location for all natural persons present, voice and potentially even name for the singer. If one among the crowd then steals coins from a hat on the floor in front of the singer before running out of the picture, the processing could suddenly be deemed to cover information regarding criminal offences, despite never having been the intent.

Yet in each of these cases, the information clearly relates to a natural person by reason of its content, and the supplier representative will be deemed identified, while the thief might be considered identifiable depending on the context. [I will examine this point in section V.5 hereunder.]

Is the processing of such information foreseeable? Each case remains within the realm of the possible. An assessment purely based on abstract foreseeability would therefore be insufficient. Rather, it is intent-derived foreseeability that is critical. The organisation did not intend for its system to be used to process such categories of personal data; the person filming the singer and crowd did not intend for the film to be used for the processing of criminal data.

Without such an approach based on intent-derived foreseeability, GDPR compliance is so messy it is unworkable.

For instance, criminal offence data can only be processed “when the processing is authorised by [EU] or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects” (Article 10 GDPR). In Belgium, for instance, there is no general law stating that the video capturing of a criminal offence is lawful. Quite the opposite, as a whole body of case law has been created to determine under which circumstances unlawfully obtained evidence (such as video evidence of criminal activities) can be brought forward before the courts.

In that context, an abstract approach to the concept of “processing”, ignoring intent-derived foreseeability, would necessarily have to conclude that the very act of capturing video of such a situation is an infringement of Article 10 GDPR, as that processing is not itself authorised by law.

Beyond the specific issue of whether this scenario would be permitted under Article 10 GDPR, the broader question of GDPR compliance remains.

As with incidental processing, compliance with the lawfulness and transparency obligations is difficult if data categories themselves happen to become part of the processing through no fault of the potential controller.

An equally acute issue is that the incidental addition of data categories can change a risk assessment significantly. Among the other GDPR obligations that are supposed to be complied with prior to the processing in question, the obligations to carry out a data protection impact assessment or “DPIA” (Article 35(1) GDPR) and if relevant, to carry out a prior consultation of the supervisory authority (Article 36(1) GDPR) stand out.

Where an unforeseen data category starts to be processed, absent the intent of the potential controller, this could change a previously “low” risk processing activity into a potentially “high” risk one, solely by virtue of the fact that special categories of personal data or criminal offence data begin to be processed. The obligation to carry out a DPIA could then suddenly appear out of thin air, purely because Article 9 or Article 10 GDPR data appeared in a system – yet the absence of a DPIA prior to such data appearing in the system would in itself be an infringement of Article 35(1) GDPR.

It is worth noting in this respect that the CJEU’s case law on Article 9 GDPR data has led to a seeming expansion of the scope of that provision. The CJEU suggested in effect that it does not matter if the link with one particular natural person is accurate or not for the purposes of Article 9 (considering in Lindenapotheke that over-the-counter drug sales reveal health data about the purchaser, even if the medication is not intended for him/her); moreover, it appears to have suggested in OT that the mere possibility of an inference of Article 9 GDPR data might be sufficient, even if there is no indication an active inference (considering in OT that the publication of the name of a spouse was sufficient to reveal sexual orientation, despite the lack of evidence of any attempt to actively infer such information from such data). [[CJEU, 4 October 2024, Lindenapotheke, C-21/23, EU:C:2024:846 // 1 August 2022, OT v Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601.]]

In other words, there have been decisions placing a burden on controllers even for data that was not intended to be a special category of personal data, or at least not in relation to the person in question.

There are strong arguments against such an approach, though.

First, in OT, the CJEU merely stated that “those provisions cannot be interpreted as meaning that the processing of personal data that are liable indirectly to reveal sensitive information concerning a natural person is excluded from the strengthened protection regime prescribed by those provisions, if the effectiveness of that regime and the protection of the fundamental rights and freedoms of natural persons that it is intended to ensure are not to be compromised” [[OT, para. 127]]. “Not excluded” does not mean “is always included”, though. By stating that the indirect revealing of sensitive information is not in itself excluded, the CJEU is merely stating that it remains possible for Article 9 GDPR to apply, not that this is systematically or automatically the case.

Second, in Lindenapotheke, the context was very clearly linked to a situation in which the inference of health-related data is not merely hypothetical: purchasing medicine in a pharmacy is not something one typically does without at least a concrete risk of someone close – either the purchaser or the purchaser’s close family or friends – having a health-related condition in relation to which such medicine is useful. Attributing the underlying medical condition to the purchaser was therefore not a mere hypothetical possibility.

On the opposite side of the spectrum, regularly rewatching the film Schindler’s List due to its emotional impact and quality does not inherently reveal any special categories of data about the viewer, but it might be theoretically possible for someone to infer (accurate or inaccurate) information regarding religious beliefs or ethnic origin based on assumptions or generalisations, just as in the cases of Lindenapotheke or OT.

If that theoretical possibility suffices and intent is irrelevant, compliance is simply impossible, due to factors that are outside of the potential controller’s control and that may change the controller’s legal situation without warning. Where a law is this unforeseeable, though, it must be deemed contrary to the principle of legal certainty (see section V.1 on incidental processing, above).

Therefore, despite what some might argue on the basis of those cases, there is a need for an active intent to derive insights relating to the special category as such, not the incidental and hypothetical possibility to derive such insights (as well as a need for the information in question to be appropriate to enable such an inference).

It is thus necessary also for the interpretation of Article 9 GDPR to evolve towards an intent-derived foreseeability test as well. The mere hypothetical possibility of linking would make every information a special category of personal data and cannot suffice, or else bring into question the very possibility of compliance with the GDPR and thus its applicability in general. The only practical solution is then to consider that an incidental data category scenario is no processing within the meaning of Article 4(2) GDPR.

V.4. Incidental persons and intent-derived foreseeability

The “incidental person” scenario can in theory also lead to situations where the issue of whether something is “processing” might arise.

For instance, I have evoked earlier the example of health data appearing in an e-mail between a supplier representative and an employee. If the supplier representative states that his or her son or daughter is in the hospital, the son or daughter is clearly identifiable:

1. this information can indeed be attributed to a natural person (a son or daughter of a human clearly refers to a natural person);
2. it is indeed possible to distinguish that person from any other persons, so it is a specific natural person, not just any natural person (it is the son or daughter of one specific supplier representative); and
3. that distinction does make it possible to act upon or in relation to such person (for example, by sending flowers or a box of chocolates to the supplier representative with a note showing that the get-well-soon gift is intended for the son or daughter).

Yet is this incidental inclusion of health data regarding this identifiable natural person truly “processing” under Article 4(2) GDPR from the perspective of the company making the e-mail system available?

Just as in the case of incidental processing and incidental data categories, compliance with the GDPR in relation to this incidental person scenario is unworkable. The inclusion of conditional wording in the company’s privacy statement would be criticised by regulators for being unclear, the assessment of legal grounds before the occurrence would be pure speculation, it would be impossible to perform a DPIA in advance, etc.

In this context, adopting the view that this is nevertheless “processing” would make the application of the GDPR itself unforeseeable and thus contrary to the principle of legal certainty. Because the system is not intended to be used to process such personal data about such (categories of) data subjects, an assessment of intent-derived foreseeability is therefore once again necessary – with the conclusion that in this particular scenario, there is no “processing” within the meaning of Article 4(2) GDPR.

V.5. The issue of identifiability in the incidental person scenario

Beyond the question of whether a form of incidental collection of information is “processing”, there are situations in which even that information’s status as “personal data” can be brought into question, notably due to the incidental nature of that information and its collection.

The “incidental person” situation makes this apparent, for various reasons.

If a camera is used to film a singer on the metro, a particular passenger might be invisible to the camera until he or she gets up to leave the metro at the next stop. The appearance on camera of this bystander clearly relates to a natural person, but is it an identifiable natural person? Without additional information about the person, identifiability will in practice not be possible.

It may for instance be that the person behind the camera knows the bystander, or that by chance the camera captures the name and professional details (company, role) of the bystander on film in the form of a name tag or lanyard. Such circumstances cannot be presumed, however.

Similarly, if a journalist interviews a public figure in a restaurant, the interview’s audio recording might pick up on background chatter or even on the moment when a fellow diner asks the interviewee for an autograph. This information, the audio recording, clearly relates to natural persons, but aside from the interviewee, the other natural persons cannot be said to be identifiable for the interviewer.

The same issues arise in the case of tool-assisted live translations or text transcriptions, such as through the use of smartphone apps or smart glasses to interpret or transcribe one person’s speech. The information being captured incidentally regarding other persons, such as neighbours in the audience, is not meant to be captured, but without additional information they are themselves not identifiable.

In other words, the “incidental person” scenario can occur in a number of situations where the data of individuals gets collected or used without there being any intention to collect or use data relating to them specifically and without sufficient information being captured to enable their identification (directly or indirectly).

As long as the person in question, this bystander or passer-by, is not identifiable, the “processing” of information relating to this person is not personal data.

This lack of identifiability should not however be perceived as creating an issue from the perspective of the protection of rights of the bystander, the “incidental person”. In accordance with the case law on identifiability (see section IV.2 above), non-identifiability is not a fixed state, and circumstances can arise that transform non-personal data into personal data (just as the reverse is true when identification data is erased or made unavailable).

In this context, the potential “controller” for whom the bystander is not an identifiable natural person must take care not to make the relevant information available to a third party, if the “controller” reasonably considers it likely that the bystander will in fact be identifiable from that third party’s perspective – i.e. that the third party in question has lawful and proportionate means of identifying the bystander.

Moreover,  the combination of the issue of identifiability with the above points regarding legal certainty, non-impossibility of obligations and Deutsche Wohnen (see section V.1 above) raises an important issue, namely whether taking reasonable measures to prevent identification (or anonymise personal data) might be sufficient to prevent any finding of an infringement, barring actual (demonstrated) negligence. The burden of proof in any event lies with the supervisory authority (or complainant) claiming personal data is processed, as illustrated by the Polish Supreme Administrative Court in its judgment of 16 October 2025 on cookies and IP addresses (though the CNIL appears to apply a different standard, which I have criticised). [[Compare Polish Supreme Administrative Court, 16 October 2025, III OSK 2595/22, to CNIL, 15 June 2023, Criteo, SAN-2023-009 and 26 May 2026, IQVIA, SAN-2026-008, which both suggest that one presumed or assumed identification suffices.]]

More generally, though, this approach to data protection rules mirrors to a certain extent the principles found in many EU countries in relation to image rights, also known as the right to personal portrayal. In general, such regimes foresee an authorisation or consent requirement for the capturing of a person’s image (and potentially a separate one for publication), as well as typically an exception for persons appearing incidentally in the photo – i.e. not the focus. [[On the authorisation/consent requirement, see e.g. Article XI.174 of the Belgian Code of Economic Law (French / Dutch): “Neither the author, nor the owner of a portrait, nor any other possessor or holder of a portrait, shall have the right to reproduce it or communicate it to the public without the consent of the person depicted or their successors in title for a period of twenty years from the date of their death” (rough translation) // On the exception, see e.g. §23 of the German KunstUrhG (Gesetz betreffend das Urheberrecht an Werken der bildenden Künste und der Photographie), which further allows exceptions to the exception.]]

This raises the important question though of whose perspective is important, and who is acting as “controller” under data protection rules.

VI. The user or deployer as (potential) controller

All scenarios of incidental processing, incidental data category or incidental person are situations where someone, the assumed potential controller, did not intend for certain processing, or some aspects of the processing, to occur.

It is not a purely subjective test; as highlighted earlier, this requires the intent in question to materialise in the form of design and purpose.

Yet who is this controller precisely?

VI.1. Principles regarding controllership

Under Article 4(7) GDPR, a controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

The CJEU has taken a broad view of the concept of determination of the purposes and means of processing, considering in the Jehovan todistajat case that influence on these purposes and means can be sufficient:

“a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller” [[CJEU, 10 July 2018, Jehovan todistajat, C-25/17, EU:C:2018:551, para. 68]]

It has also considered that participation in this determination “can take different forms”:

“such participation can result from a common decision taken by two or more entities or from converging decisions of those entities. However, where the latter is the case, those decisions must complement each other in such a manner that they each have a tangible impact on the determination of the purposes and means of the processing.” [[CJEU, 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, para. 43]]

Yet joint determination of purposes and means does not mean joint responsibility for all aspects of the processing:

“the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.” [[CJEU, 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, para. 43]]

In summary: several persons or entities can together be joint controllers, even by exerting a different kind of influence on the processing and by having converging decisions rather than common ones, and such joint controllership can represent different degrees of responsibility.

VI.2. Provider vs user

With any technology or tool being developed by someone other than its user, the provider of the tool is involved in making decisions regarding a product or service’s design, the functionality it is supposed to have, the needs it is supposed to meet.

The user on the other hand is involved in the selection of the tool and in deciding how to use it in practice. In other words, going beyond a user manual and actually using the tool for specific purposes.

A company deploying an e-mail solution offered by a third party, for instance, is clearly the instigator of any actual “processing of personal data” happening through such e-mail solution as implemented. No processing could start without the company’s choice to deploy the solution, and the solution is only used in the manner and context (i.e. the purposes and means) determined by the company.

In the examples highlighted earlier regarding cameras, wearables and microphones, a similar reasoning applies. Without the user’s choice of tool and without the user’s decision to deploy such tool, the video, image, recording etc. would not exist. Any “processing” – if it is indeed processing of personal data – solely exists because the user enabled it. By choosing the tool, the user determines the means; by choosing to deploy it (by taking out a smartphone or camera, by putting on a wearable device, by turning on a recording device, etc.), the user pursues a particular goal and thus determines the purpose.

A useful distinction can be made here between situations where the provider is itself led to carry out any processing, and the situations where everything happens under the (at least theoretical) control of the user.

Where a tool’s processing happens locally, on the user’s device or network, it may be that there is no processing at all by (or on behalf of) the provider, such that any “processing of personal data” is likely entirely under the sole control of the user.

However, if any (part of the) processing takes place remotely, through the provider’s servers or on its behalf, the assessment can become more complex.

It is common practice for a wide range of providers, from operating system providers and hardware manufacturers to web application providers, to collect usage data for the purposes of service improvement and for the security of their own service (own purposes for which they act as sole controller, separately from the user). The reason for sole controllership by the provider is that the processing in question is not for the purposes of delivery of the service to the user.

If a user instigates the processing by the provider of personal data of others in support of the service to the user (for instance, cloud uploads of videos for backup purposes, live transcription or translation), that processing is carried out for purposes determined by the user alone. While the functionality may be enabled in theory by the provider, it is the user who takes the sole decision to actually carry out such processing. The user must therefore be deemed as sole controller for that processing. Should any data also be processed by the provider separately for product improvement purposes, for instance, it is that provider who acts as controller specifically for that type of processing. In other words, the provider acts at most as processor for the user (the controller) for the purpose of provision of the service to the user, while it may act separately as controller for the purposes of service improvement.

This has an impact on the intent-derived foreseeability and identifiability issues highlighted above:

• If a tool is devised and designed in a particular manner, but the user deploys it in another manner, the intent-derived foreseeability assessment may lead to significantly different conclusions for on the one hand the potential “processing of personal data” by the user and on the other hand that by the provider. As a result, what may be clearly intentional and foreseeable “processing of personal data” by the user may be wholly unforeseeable and unintentional “processing” from the provider’s perspective.
• If a natural person is not identifiable from the provider’s perspective but is so for the user (for instance, because a passer-by on camera is known to the person behind the camera), there is no obligation for the provider to automatically consider the natural person as identifiable.

Would it have an impact in the other direction?

• If a provider designs a tool in a way to enable the processing of personal data, and a user uses it in a manner that should not lead to such processing yet does, the user could still invoke intent-based foreseeability to consider that there is no actual processing from the user’s perspective. However, demonstrating this may not be obvious for the user if the tool itself is designed for the processing of personal data.
• If a provider happens to have additional information that makes a natural person identifiable, while the user does not, the key question will be whether the user could reasonably foresee that by making information available to the provider, the natural person would become identifiable. If so, according to CJEU case law, the information in question is “indirectly” personal data for the user.

It is worth examining in this context whether the so-called “household exemption” under the GDPR would apply, i.e. Article 2(2)(c) GDPR, which excludes the application of the GDPR to the processing of personal data “by a natural person in the course of a purely personal or household activity”.

The CJEU has held that this exemption is (as is generally the rule regarding exemptions) to be interpreted restrictively:

“the processing of personal data comes within the exception […] only where it is carried out in the purely personal or household setting of the person processing the data” [[CJEU, 11 December 2014, František Ryneš, C‑212/13, EU:C:2014:2428 , para. 31]]

In a case regarding video surveillance, it specifically rejected the application of this exception to cameras facing public spaces:

“To the extent that video surveillance such as that at issue in the main proceedings covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity […]” [[František Ryneš, para. 33]

As a result, any use even by private individuals of tools such as cameras in a public setting would go beyond the household exemption if it leads to the processing of personal data of other persons.

The reference to a “public space” should in my view not be interpreted as meaning that the processing by an individual of holiday photos of a family is always processing of personal data subject to the GDPR, just because of the public spaces captured in those photos. Rather, the “public space” reference by the CJEU appears to be focussed on the possibility of processing of personal data regarding natural persons from outside the private sphere of the relevant person, family or group.

In this context:

• If a bystander is identifiable, and information relating to such bystander is thus deemed personal data, the processing of video, audio or images concerning such a bystander and captured in a public space does not fall within the scope of the exemption and the GDPR applies in full;
• If on the other hand the bystander is not identifiable, that processing is not deemed to be processing of their personal data, and the GDPR therefore does not apply to that specific processing.

VII. Is transparency required, and if so, how can it be achieved?

Where there is no “processing of personal data”, the GDPR does not apply, there is no transparency obligation under the GDPR

Yet where the GDPR does apply (i.e. there is processing of personal data), the controller is subject to the transparency obligations set out in Articles 12, 13 and 14 of the GDPR.

Under these provisions, the controller must provide data subjects with clear and comprehensive information, including:

• the identity and contact details of the controller;
• the purposes of the processing and its legal basis;
• the categories of personal data processed:
• the recipients or categories of recipients;
• the retention period; and
• information about data subject rights.

Pursuant to Article 12(1) GDPR, this information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

This information obligation under the GDPR only applies to the controller, not to anyone else. Moreover, where joint controllers are involved, the joint controllership agreement is supposed to also tackle the issue of allocation of responsibilities, notably regarding data subject rights. According to Article 26(1) of the GDPR, joint controllers “shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them”.

The GDPR does not impose any specific technical or formal requirement regarding the manner in which transparency must be achieved. Regulators have filled that space by suggesting ways to ensure transparency, by notably suggesting ways in which to make layered information permissible. The Article 29 Working Party suggested that “a layered approach may be followed by controllers where they opt to use a combination of such methods while ensuring that the most important information […] is always conveyed in the first modality used to communicate with the data subject”, with such “most important information” needing to include “the details of the purposes of processing, the identity of controller and a description of the data subject’s rights” and having to be “directly brought to the attention of a data subject at the time of collection of the personal data”. [[Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01, 11 April 2018, pp. 19 & 21]]

The timing depends on how the personal data was obtained:

• Under Article 13(1) & 13(2) GDPR, which apply in relation to personal data collected from the data subject, the information in question must be provided “at the time when personal data are obtained”.
• In the case of personal data not obtained from the data subject, the information must be provided at the earliest of (i) one month after the obtaining of the personal data, (ii) the first communication with the data subject or (iii) first disclosure to another recipient (Article 14(3) GDPR).

As highlighted in section V.1 above, however, the incidental nature of the scenarios examined here makes the provision of such information at the time of recording complicated.

In the case of a tool used by an organisation, the organisation could include vague, conditional wording in a privacy statement, which could allow it to cover all three scenarios described earlier (incidental processing, incidental data category, incidental person), but the inherent vagueness required to capture every possible incidental hypothesis would likely attract criticism by supervisory authorities for lack of clarity (see section V.1 above).

In the case of a tool used by an individual, even in a public setting, the approach is based on human contact. Photographers, in particular professional photographers, will reach out to identifiable bystanders. Yet a smartphone can seem to be used for browsing or gaming while it is in reality used for filming, unbeknownst to the persons on video. The appearance of wearables with cameras or other sensors included have further raised the question of information – in particular: should devices feature some form of indicator to bystanders that processing of personal data is happening?

The GDPR does not support any such requirement, notably because an indicator does not provide information regarding “the details of the purposes of processing, the identity of controller and a description of the data subject’s rights” (the “most important information” according to the Article 29 Working Party). For video surveillance cameras or CCTV, for instance, the Article 29 Working Party specifically recommended “visible boards containing the information, public signage, public information campaigns or newspaper/ media notices”, not a mere indicator. [[Guidelines on transparency under Regulation 2016/679, pp. 19 & 22]]

Moreover, there is a question as to what indicators might mean. If a smartphone were required to feature an LED by the back camera when filming using the back camera, would this also be required for audio recording? If not, how would an indicator of recording be shown? Such an indicator would moreover serve no purpose if no natural persons are present in the relevant sensor’s range (which might be a narrow field of view for the camera but could be a far-reaching surrounding area for audio recording functions). Similarly, with augmented reality tools such as smart glasses and other headsets as well as augmented reality features on smartphones, a built-in camera could be used to detect street features in order to provide navigation assistance – rather than for filming the street artist in front of the user. In such a situation, an indicator can be misleading, because the functionality that might enable processing of personal data in certain cases can also be used in wholly separate contexts not involving the processing of personal data.

In other words, an indicator is not a valid means of information under the GDPR, nor does it even cover the “first layer” requirements. There does not appear to be any basis for requiring such an indicator on hardware enabling the processing of personal data in certain circumstances, but even if there were, it would likely be misleading due to the fact that the legal classification as “processing of personal data” is context-dependent, as shown in sections V.1-V.5 above, and not dependent on functionality.

VIII. A note about fundamental rights and freedoms – from accessibility to privacy

If you have been reading my articles and posts for a while, you may have noticed that I often write about Article 16 of the EU Charter of Fundamental Rights (the EU Charter), the freedom to conduct a business, and Recital 4 of the GDPR (which notably refers to it and highlights the need for proportionality). I dare assume that because of how often I have quoted them in public, I was one of those targeted by a recent tirade suggesting that anyone quoting them as somehow relevant in a discussion about the GDPR, the right to the protection of personal data (Article 8 of the EU Charter) and the right to respect for private and family life (Article 9 of the EU Charter) should lose their legal degree. Yet the EU Court of Justice recently confirmed that this fundamental freedom covers many things, including the freedom to set a price for a service, and that any restriction has to meet the same standard as for any restriction to any other fundamental right or freedom. [LINKS]

The multiplying use cases for augmented reality tools and AI-powered wearables highlight one important thing though: beyond these rights and freedoms, there are many more fundamental rights and freedoms whose relevance comes into play in the context of the use of such tools.

For instance, as hinted at in the introduction, wearable technologies present tremendous opportunities in terms of accessibility, allowing a person who is hard of hearing to see a live transcript of what is being said or allowing the taking of videos or photos even if someone does not have the physical ability to use a smartphone in particular circumstances, for instance due to injury. Because wearables can be used in a range of situations, by individuals with different perspectives, possibilities and limitations, it is critical to avoid making assumptions that a certain risk is present in every scenario when assessing the legality or illegality of certain uses of technology.

In the context of wearables, for instance, Articles 26, 15(1) and 11(1) of the EU Charter become very relevant:

• Article 26 sets out the right to “[i]ntegration of persons with disabilities”: “The [EU] recognises and respects the right of persons with disabilities to benefit from measures designed to ensure their independence, social and occupational integration and participation in the life of the community.”
• Article 15(1) sets out the right to pursue a freely chosen or accepted occupation: “Everyone has the right to engage in work and to pursue a freely chosen or accepted occupation.”
• Article 11(1) sets out the freedom of expression and information: “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.”

The right to the protection of personal data and the right to respect for private and family life do not automatically or systematically prevail over those other provisions. Instead, a balance must be found between them, in accordance with Articles 52 and 54 of the EU Charter:

• Article 52(1) sets out the principles of legality and proportionality for any limitation to any of the rights and freedoms recognised under the EU Charter: “Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the [EU] or the need to protect the rights and freedoms of others.” (emphasis mine)
• Article 54 sets out a prohibition of abuse of rights: “Nothing in this Charter shall be interpreted as implying any right to engage in any activity or to perform any act aimed at the destruction of any of the rights and freedoms recognised in this Charter or at their limitation to a greater extent than is provided for herein.” (emphasis mine)

The right to the protection of personal data can therefore not be used in a way that can be used to destroy the right to integration, just as the freedom of expression and information cannot be used in such a way as to destroy the right to the protection of personal data. If any limitation to any right or freedom is foreseen, it must stem from the law and must be proportionate.

Recital 4 of the GDPR emphasises this need for a balance, in line with the EU Charter, by stating that “[t]he right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality”.

This means that when interpreting the scope of the GDPR, and the implications of its obligations in relation to the use of wearables, any interpretation that impacts other rights must always involve a proportionality test. In other words: where two interpretations are possible, one that ignores another fundamental right or freedom and another one that takes it better into account, only the latter will be permitted.

IX. Conclusion: intent-derived foreseeability is needed

The scenario captioned in the header image is cartoonish, yet the absurd reality of an unbridled approach to the notions of “processing” and “personal data”. It is critical in my view to ensure that the GDPR remains a framework that is realistic, to avoid it becoming an unworkable law that cannot apply and thus creates issues in relation to general principles of EU law.

In this context, the notion of intent-derived foreseeability can play a critical role. It is not foreseeability in absolute terms taking a random person as standard but rather an examination of the specific context in which the potential controller is situated, and what the precise purpose is that the controller pursues. Dismissing intent as irrelevant and subjective amounts to denying the existence of scenarios that are not meant to involve the processing of personal data, irrespective of which of the three scenarios I described occurs (incidental processing, incidental data category or incidental person), and ultimately creates artificial situations with obligations that are impossible to meet.

This is not an attack on the fundamental rights to the protection of personal data and to privacy but rather a necessary recognition that these rights are not absolute and that certain limits are in fact themselves a necessity. That these limits then enable other rights to flourish, such as accessibility and inclusion rights and freedoms, should then be seen as a further justification of such limits.

Ultimately, it is a question of proportionality of the law. If the law is interpreted in a manner that is disproportionate or unworkable, it fails the test of necessity and can be set aside; if it is interpreted in a proportionate manner, in line with the test under the EU Charter, it can be applied. My hope then is that intent-derived foreseeability as a test can help keep the GDPR’s interpretation realistic and workable. If not, though, I would welcome practical suggestions on how else to tackle this issue.

[Want to print this out? Try the PDF version of this article.]