GDPR is based around protecting personal information for individuals and as such, the term ‘personal data’ is a critical entryway into implementing GDPR. In the regulation, ‘personal data’ is specifically defined as:
- Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (1)
- Since the definition includes “any information” this means the term ‘personal data’ ought to be interpreted broadly. In practice, this this means that a lot of classes of information fit into this definition of personal data.
- The scope of personal data includes obvious examples, such as demographic information, contact information, and financial information (e.g., a telephone number, credit card number, passport number) as well as some unexpected classes of information that also fit into the definition of ‘personal data’:
- There is case law in the European Court of Justice which also includes less explicit information, such as when an employee clocks in or out, as well as when an employee takes breaks, within the scope of personal data. (2)
- If IP addresses are collected, those are likely to count as personal data and must be tracked in a data inventory and reported in a DSR (3)
- Personal information is not strictly objective information or facts. Subjective information, including opinions, judgments, or estimates is also considered personal data.(3)
Learn more about GDPR by reading our e-book.
