What is personal data?
GDPR is designed to protect the personal information of individuals, so the term ‘personal data’ is a critical entry point to implementing GDPR. The regulation specifically defines ‘personal data’ as:
Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (1)
Since the definition includes “any information”, the term ‘personal data’ ought to be interpreted broadly. In practice, this means that many classes of information fit this definition of personal data.
The scope of personal data includes obvious examples, such as demographic information, contact information, and financial information (e.g., a telephone number, credit card number, passport number) as well as some unexpected classes of information that also fit into the definition of ‘personal data’:
- European Court of Justice case law also places less explicit information, such as when an employee clocks in or out or takes breaks, within the scope of personal data. (2)
- If IP addresses are collected, those are likely to count as personal data and must be tracked in a data inventory and reported in a DSR. (2)
- Personal data is not limited to objective information or facts. Subjective information, including opinions, judgments, or estimates, is also considered personal data. (2)
Real World Example
ACME Company is an EU-based franchise that sells indoor home furnishings. One of the key features that their application offers users is the opportunity to upload a photo of a room in their home, and create a scalable layout that allows potential customers to see how different furnishings would look in rooms of their home. Every user needs to first create a profile tethered to an email address and password in order to take advantage of this feature. The information stored as part of any user profile, including images of their home, is therefore considered “personal data” under the scope of GDPR.
Sources:
1: Personal Data. Article 4 EU GDPR "Definitions". http://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm
2: GDPR. Issues: Personal Data. https://gdpr-info.eu/issues/personal-data/