The First Data Protection Heroes: Five people who understood that data can be lethal
Today, 25 May 2026, marks eight years since the GDPR became enforceable across the EU. I can imagine that most commentary on this anniversary will focus on enforcement trends, adequacy decisions, and the evolving relationship between data protection and AI - all important topics. But today I want to do something different. I want to go back to the reason these laws exist at all, and honour five people who understood - decades before any regulation was drafted - that personal data in the wrong hands is not an administrative inconvenience. It is a weapon. And when it is weaponised, it kills.
These five individuals lived through regimes that turned population registries, census records, and identity documents into instruments of genocide. Each of them made a choice. They falsified data. They sabotaged systems. They destroyed records. They forged identities. They did this knowing that the penalty for being caught was imprisonment, torture, or execution. Not one of them was a data protection professional. They were a police commander, a statistician, an artist, a teenager, and a social worker. What they had in common was an understanding that the infrastructure of identification - the bureaucratic machinery that connects a name to a category to a location - can be turned against the people it was built to serve.
Their stories are not metaphors for modern data protection. They are its moral foundation.

Paul Grüninger - the police commander who falsified records to save 3,600 lives

Paul Grüninger was born in 1891 in Switzerland and served as the police commander of the Canton of St. Gallen, a region bordering Austria. When Nazi Germany annexed Austria in March 1938 and the situation for Jewish Austrians became immediately dangerous, thousands of refugees attempted to cross into Switzerland. The Swiss government responded by closing the border and, following negotiations with Nazi Germany in October 1938, agreeing to the stamping of a “J” in passports issued to Jewish people. The instruction to Grüninger and his fellow border officials was explicit: turn them back.
Grüninger refused.
Over the course of several months from mid-1938, Grüninger systematically falsified visa dates on the passports of Jewish refugees, backdating them to make it appear as though they had entered Switzerland before the border closure when legal entry was still possible. He filed false reports about the number of arrivals in his canton. He impeded efforts to trace refugees who were known to have entered illegally. He spent his own money buying winter clothing for people who had been forced to abandon everything they owned. He even issued summonses to Jewish detainees being held in Dachau, providing a bureaucratic pretext for their release.
In total, Grüninger saved approximately 3,600 lives.
The consequences for him were severe. The Gestapo informed the Swiss authorities of his activities. He was dismissed from the police force in March 1939 without notice, stripped of his pension, and prosecuted for official misconduct and fraud. He was convicted and fined. He spent the rest of his life struggling to find work, taking on odd jobs as a teacher, travelling salesman, and factory worker. He died in poverty in 1972.
It was not until 1995 - twenty-three years after his death - that the Swiss government annulled his conviction and fully rehabilitated him. Yad Vashem had recognised him as Righteous Among the Nations in 1971, a year before he died.
When asked later in life to reflect on his actions, Grüninger said: “It was basically a question of saving human lives threatened with death. How could I then seriously consider bureaucratic schemes and calculations?”
What Grüninger understood, intuitively and practically, is something we now codify in law. The GDPR’s principle of purpose limitation under Article 5(1)(b) says that personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. When a population registry designed to manage migration is repurposed to identify people for persecution, that is the most extreme violation of purpose limitation imaginable. Grüninger’s falsification of records was an act of data integrity sabotage - and it was the right thing to do.
René Carmille - the statistician who hacked his own machines

René Carmille was born in 1886 in the Dordogne region of France. A career military officer, he became the Comptroller General of the French Army and one of Europe’s foremost experts on Hollerith punch card technology - the electromechanical data processing systems manufactured by IBM that were, by the 1930s, being used by governments across the continent for census and population management.
When Germany invaded France in 1940, the Nazi occupiers set about conducting a census to identify and locate the country’s Jewish population. The plan was straightforward: gather the data, process it through punch card machines, produce lists of names and addresses, and use those lists for arrest and deportation. The problem for the Nazis was that they lacked sufficient trained personnel to process the enormous volume of punch cards required.
Carmille stepped in. He offered to have his National Statistics Service process the census data on the Nazis’ behalf. The Germans accepted.
What they did not know was that Carmille was a double agent, a member of the French Resistance and the Marco Polo intelligence network. Over the course of two years, Carmille and his team deliberately delayed and sabotaged the processing of the census. He issued deadlines and then changed them. He created bureaucratic bottlenecks. Most critically, he reprogrammed his own punch card machines so that they would never process Column 11 - the field where citizens were asked to indicate their religion. The data was collected but never tabulated. Lists of Jewish names and addresses could not be printed. The completed register that Adolf Eichmann demanded to fulfil France’s deportation quotas never arrived.
While the Nazis believed Carmille’s machines were processing their census, he was simultaneously using them to compile information for the Allied forces, supporting the counter-attack that began in North Africa in 1942.
By early 1944, the Gestapo grew suspicious. Carmille was arrested in February 1944 and taken to Lyon, where he was tortured by Klaus Barbie - the infamous head of the local Gestapo - for two consecutive days. He revealed nothing. Carmille was deported to Dachau, where he died on 25 January 1945.
The IEEE has described Carmille as the world’s first ethical hacker. His story is a direct precursor to the modern principle of Data Protection by Design - the idea, now codified in Article 25 of the GDPR, that protection must be built into the architecture of systems and processing operations from the outset, not added as an afterthought. Carmille embedded protection into the machinery itself. He designed his systems to make harm impossible, even while appearing to cooperate.
Willem Arondeus - the artist who bombed a population registry

Willem Arondeus was born in 1894 in Naarden, near Amsterdam. He was an artist, an author, and an openly gay man in a society that offered little tolerance for any of those identities. When Germany invaded the Netherlands in May 1940, Arondeus joined the resistance almost immediately.
The Dutch population registry was one of the most comprehensive and well-maintained in Europe. Every citizen’s identity card, religion, address, and family connections were meticulously documented. For the Nazi occupiers, this was an extraordinary gift. The registry allowed them to identify precisely who in the Dutch population was Jewish and where they lived. It also meant that any forged identity documents produced by the resistance could be cross-checked against the original records and exposed as fakes.
Arondeus understood that the forged documents his network was producing - eventually totalling around 80,000 counterfeit identity cards through the Identity Card Centre he co-founded with sculptor Gerrit van der Veen - would be worthless as long as the registry remained intact. The data itself had to be destroyed.
On the night of 27 March 1943, Arondeus led a team of fifteen resistance fighters - mostly artists and intellectuals - to the Amsterdam civil registry building. Dressed in fake police uniforms sewn by a friend, they gained entry, sedated the guards, planted explosives throughout the archive, and detonated them. The resulting fire destroyed approximately 800,000 identity cards - around fifteen per cent of the total holdings. They also recovered 600 blank identity cards and 50,000 guilders to fund further resistance operations. The attack was meticulously planned to avoid casualties, and no one was harmed.
The damage temporarily crippled the Nazis’ ability to cross-reference forged documents and track down Jewish residents using the registry. But the victory was short-lived. Within days, a betrayal from within the resistance led to arrests. Arondeus was taken by the Gestapo on 1 April 1943. Despite severe interrogation, he refused to name his co-conspirators, though a notebook found in his apartment led to further arrests.
Arondeus was sentenced to death. Before his execution on 1 July 1943, he asked his lawyer to deliver a message after the war: “Tell people that homosexuals are not cowards.”
It took the Dutch government until 1986 - over forty years - to posthumously award Arondeus the Resistance Memorial Cross. The delay is widely attributed to his sexuality.
The principle at stake in Arondeus’s action is one that underpins the GDPR’s approach to data minimisation (Article 5(1)(c)) and storage limitation (Article 5(1)(e)). Comprehensive registries that link identity to religion, ethnicity, or other special categories of data create concentrated risk. When that data is excessive relative to its legitimate purpose and retained beyond what is necessary, it becomes a vulnerability - not for the organisation holding it, but for the people it describes. Arondeus understood this in the most visceral terms: the data had to go, or the people would.
Adolfo Kaminsky - the teenage forger who saved 14,000 lives

Adolfo Kaminsky was born in 1925 in Buenos Aires to a family of Russian-Jewish émigrés. His family moved to Paris when he was seven, and later to Normandy. As a teenager, he worked in a dye shop, where he developed an intuitive understanding of the chemistry of inks, pigments, and staining - knowledge that would define the rest of his life.
When the Nazis occupied France, Kaminsky and his family were at immediate risk. They were briefly interned but released thanks to their Argentine passports. Knowing this protection was temporary, his father asked him to secure false identity papers. Kaminsky did so, and in the process discovered he had a talent for removing, altering, and recreating the stamps, seals, and markings on official documents.
At seventeen, Kaminsky was recruited into the French Resistance. His specific contribution was to run an underground forgery laboratory in Paris, producing false identity papers, birth certificates, ration cards, and passports for Jewish people and others targeted by the Nazis. He was introduced to the network - a Jewish resistance group called La Sixième - when they were struggling to remove Waterman blue ink from identity papers. Kaminsky suggested lactic acid. It worked. He was in.
What followed was an extraordinary feat of endurance and moral clarity. Kaminsky worked in his clandestine laboratory for marathon sessions, sometimes staying awake for three days straight. He later described his reasoning: “In one hour I can make thirty blank documents. If I sleep for one hour, thirty people will die.”
Over the course of the war, Kaminsky’s forgeries saved an estimated 14,000 Jewish lives, including those of hundreds of children who were given new identities and hidden with Christian families.
After the war, Kaminsky continued his work for another thirty years, producing forged documents without payment for the Algerian independence movement, the South African anti-apartheid struggle, and other liberation causes. He died in Paris on 9 January 2023, at the age of 97.
Kaminsky’s story speaks directly to the GDPR principle of accuracy (Article 5(1)(d)) - but it inverts it. Under normal circumstances, organisations are required to ensure that personal data is accurate and kept up to date. Kaminsky’s life’s work was the deliberate creation of inaccurate data: false names, false dates of birth, false nationalities. He did this because the accurate data - the true identities of the people he was protecting - would have been used to murder them. His work is a stark reminder that data accuracy is not a value in isolation. It serves a purpose. And when the purpose is persecution, accuracy becomes complicity.
Irena Sendlerowa - the social worker who buried the truth in jars

Irena Sendlerowa - known internationally as Irena Sendler - was born in 1910 in Warsaw. Her father was a physician who treated Jewish patients, and she grew up with a deep sense of solidarity with the Jewish community. When the Nazis established the Warsaw Ghetto in 1940, forcing hundreds of thousands of Jewish people into a walled, overcrowded, and starving district, Sendlerowa was working as a social worker with the city’s welfare department. Her role gave her a permit to enter the ghetto, ostensibly to inspect sanitary conditions during a typhoid outbreak.
She used this access to begin smuggling Jewish children out.
The methods were as ingenious as they were harrowing. Babies were hidden in ambulances, sometimes sedated so they would not cry. Small children were placed in sacks, toolboxes, and even coffins. Older children were taught basic Catholic prayers and smuggled through a church that straddled the ghetto wall - entering from the Jewish side and emerging from the other with new Christian identities. One driver kept a barking dog in the front of his ambulance, knowing that German soldiers would avoid searching too close to the animal.
By 1943, Sendlerowa had joined Żegota, the Polish underground Council for Aid to Jews, and was heading its children’s division under the codename “Jolanta.” She and her network of around twenty people placed children in foster families, orphanages, convents, schools, and hospitals, providing each child with forged identity papers and a new Polish name.
But Sendlerowa did something else - something that speaks to a data protection principle we now take for granted. She kept records. She meticulously documented every child’s true name alongside their new identity and placement, encoding the information and hiding the lists in glass jars buried under an apple tree in a neighbour’s garden. Her purpose was explicit: after the war, the children should be reunited with surviving family members. The data existed to serve the rights of the data subjects.
In October 1943, the Gestapo arrested Sendlerowa. She was taken to the notorious Pawiak prison, where she was severely tortured - her legs and feet were broken - and sentenced to death. She revealed nothing. Żegota secured her release through a bribed guard, and she continued her work under a new identity for the remainder of the war.
Sendlerowa’s network saved approximately 2,500 children.
After the war, she dug up the jars and attempted to reunite the children with their families. In most cases, the parents had been murdered at Treblinka. The children, many of them now too young to remember their original identities, were placed permanently with their adoptive families.
Sendlerowa’s careful record-keeping - encoding the data, restricting access, securing it physically, and maintaining it solely for a defined and legitimate purpose - is an almost perfect embodiment of what the GDPR now requires under its accountability principle (Article 5(2)). She understood that data about vulnerable people must be protected with the highest possible safeguards, that the purpose of collecting it must be legitimate and clearly defined, and that retaining it carries both obligation and risk. She bore that burden personally, under threat of death.
Irena Sendlerowa died in Warsaw on 12 May 2008, at the age of 98. She was nominated for the Nobel Peace Prize but did not receive it.
Why these stories matter on this anniversary
Eight years into the GDPR, it is easy to lose sight of what data protection is fundamentally about. The daily work of compliance - RoPAs, DPIAs, cookie banners, DPAs - can feel distant from questions of life and death. But the regulatory framework we operate under today was not designed in a vacuum. It was built by a continent that had lived through what happens when personal data is collected without limits, repurposed without safeguards, and concentrated without accountability.
The principles codified in Article 5 of the GDPR - purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability - are not bureaucratic abstractions. They are lessons. Lessons paid for by the people described in this post and by the millions they tried to save.
Paul Grüninger falsified data because its intended purpose had become illegitimate. René Carmille built protection into the architecture of the processing system itself. Willem Arondeus destroyed a registry because its comprehensiveness made it lethal. Adolfo Kaminsky created false identities because accurate data would have been a death sentence. Irena Sendlerowa collected data under the strictest possible safeguards because she understood both its value and its danger.
Today, as we mark eight years of the GDPR, these five people deserve to be remembered - not as historical footnotes, but as the first data protection heroes. They stood up knowing the consequences. Several of them paid with their lives.
The least we can do is make sure their work was not in vain.
For a broader view of the events, laws, and societal shifts that shaped data protection and privacy in Europe, explore the interactive timeline on the origins and history of European data protection.
Frequently asked questions
Why is the history of data misuse relevant to modern data protection laws?
The GDPR and its predecessor directives were developed in a European context shaped directly by the experience of totalitarianism. The systematic abuse of census data, population registries, and identity systems during the Second World War and under communist regimes demonstrated that comprehensive personal data collection, when combined with state power and absent safeguards, enables persecution and genocide. The principles now codified in the GDPR - purpose limitation, data minimisation, storage limitation, and accountability - are direct responses to these historical lessons. Understanding this history is essential for understanding why the regulation exists and what it is designed to prevent.
How does the GDPR protect against the weaponisation of personal data?
The GDPR establishes multiple layers of protection designed to prevent personal data from being collected excessively, repurposed without justification, or used in ways that harm the individuals it describes. Article 5 sets out core principles including purpose limitation (data must be collected for specified and legitimate purposes), data minimisation (only data that is adequate, relevant, and necessary should be processed), and storage limitation (data should not be retained longer than necessary). Article 9 provides additional protections for special categories of data such as racial or ethnic origin, religious beliefs, and political opinions - precisely the categories that were weaponised during the Second World War. Article 25 requires Data Protection by Design, ensuring that safeguards are embedded into systems from the outset rather than applied retrospectively.
Who were the key individuals who resisted data-driven persecution during the Second World War?
Five individuals stand out for their direct resistance to the use of personal data as an instrument of persecution. Paul Grüninger, a Swiss police commander, falsified visa records to save approximately 3,600 Jewish refugees. René Carmille, a French statistician, sabotaged the Nazi census of France by reprogramming punch card machines to prevent the processing of religion data. Willem Arondeus, a Dutch artist, led the bombing of the Amsterdam civil registry, destroying 800,000 identity cards. Adolfo Kaminsky, a teenage member of the French Resistance, forged identity documents that saved an estimated 14,000 Jewish lives. Irena Sendlerowa, a Polish social worker, smuggled 2,500 Jewish children from the Warsaw Ghetto and maintained encrypted records of their identities for post-war reunification. Several of these individuals were executed, tortured, or died in concentration camps as a consequence of their actions.





