What types of data fall outside the scope of data protection law?
Data without any personal reference, and data that has been fully anonymized, are not protected by data protection law.
Two categories escape the reach of data protection:
1. Non-personal data: Information that has no connection to any person at all. For example, weather measurements, machine sensor readings, or aggregate statistics where no individual can be identified.
2. Fully anonymized data: Data that has been processed so that it can no longer be attributed to any specific person.
But here's the catch: Full anonymization is extremely difficult to achieve in practice. Studies have repeatedly shown that supposedly anonymized data can be re-identified by combining it with other datasets.
A famous example: researchers de-anonymized Netflix viewing histories by cross-referencing them with public IMDb reviews. Just a few movie ratings and approximate dates were enough to identify specific people.
This means the "anonymized data" exception is much narrower than companies often claim. If there's any reasonable possibility of re-identification, the data still counts as personal data and data protection law still applies.
Go deeper:
Data re-identification (Wikipedia) — why the "anonymized" exception is narrow (Sweeney 87%, Netflix).