Many thanks for your reply Guy.
As regards point 1 - I did not know of the Information Commissioner's ruling nor was it mentioned in any of the articles I read. It does explain why there are so many contradictory statements out there. Obviously some knew of the ruling but didn't mention it. Thanks for clarifying the situation.
Still scratching my head over your "No" to point 2. Given your statement on websites, newspapers etc surely sharing genealogy data of living persons with others must be a breach of GDPR if you do not have permission from that person?
the problem with the GDPR is it is a wide ranging law which may be interpreted in a huge number of ways.
https://gdpr-info.eu/chapter-1/For example take the definition of personal data shown in Chapter 1 Article 4 of the above site.
"personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
That covers just about anything about a person whether the data controller has access to the information that would connect the person to the information or not.
The Information Commissioners guidelines to the GDPR website adds-
"Can we identify an individual indirectly from the information we have (together with other available information)?
It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.
Even if you may need additional information to be able to identify someone, they may still be identifiable.
That additional information may be information you already hold, or it may be information that you need to obtain from another source.
In some circumstances there may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual. However, this is not necessarily sufficient to make the individual identifiable in terms of GDPR. You must consider all the factors at stake.
When considering whether individuals can be identified, you may have to assess the means that could be used by an interested and sufficiently determined person.
You have a continuing obligation to consider whether the likelihood of identification has changed over time (for example as a result of technological developments)."
This could mean on a family history site a person may add 4 empty boxes for living children of a couple.
Over time 3 of the four may die and be replaced with their names leaving that empty box. According to the above that empty box could be construed as an identifier of the fourth child, therefore it would be personal data.
The GDPR is going to make plenty of money for solicitors.
Cheers
Guy