What is personal data?

All data related to an identified or identifiable person are personal data.

In other words, data that can be used to identify a person directly or indirectly, such as by combining an individual data item with some other piece of data that enables identification, are personal data. Persons can be identified by their name, personal identity code or some other specific factor.

Examples of personal data:

  • E-mail address, such as firstname.lastname@company.com
  • Telephone number
  • Identity card number
  • Car registration number
  • Positioning data (e.g. from a mobile phone)
  • IP address
  • Patient records
  • A pet's veterinary records
  • Data on the hereditary diseases of the person's great-great-grandparents

Examples of data that are not personal data:

  • A company's business ID
  • A shared e-mail address, such as info@company.com
  • Anonymised data

The General Data Protection Regulation protects personal data

Compliance with the requirements of the General Data Protection Regulation (GDPR) is required when processing personal data. The GDPR protects personal data regardless of the technology used for processing them. Neither does the storage method of the data matter: they can be stored in an IT system, video surveillance system or paper archive.

With regard to the applicability of data protection regulations, it is also irrelevant whether the processing of personal data has been centralised in one location or dispersed across several locations, systems or processors. The essential consideration is that the data concerning a specific individual can be obtained from the centralised or dispersed data set by certain criteria, such as the name or personal identity code. In other words, if their purpose of use is the same, the data belong to the same logical data file even if they are collected from different sources, stored in different locations or processed by different parties.

For as long as the data can be used to identify persons directly or restored to an identifiable format, they constitute personal data and are subject to the GDPR.

Read more:

Pseudonymised and anonymised data
GDPR: Articles 2, 4(1), 4(5); recitals 14, 15, 26, 27, 29, 30
The Data Protection Working Party's statement 4/2007 on the concept of personal data