GDPR: What exactly is being understood as ‘personal data’?


The General Data Protection Regulation (GDPR) protects personal data within the European Union. It applies to all data, in both paper and digital documents, that can be used to identify a person. But what exactly is understood as ‘personal data’? Are IP addresses personal data? And is encrypted data also considered personal? In this article, we explain what constitutes personal data in the GDPR.

Personal data in the GDPR definition

According to the GDPR definition ‘personal data’ means: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The GDPR applies to all data concerning EU citizens in every business-related context:

  • Customer information
  • Vendor information
  • Website visitor information (IP addresses are considered personal data)
  • Employee information

Directly or indirectly identifiable

Personally Identifiable Information (PII) is any information that can be used to identify and locate a single person. With the name and first name of a person linked with his/her address, a person can be directly identified. With other data like profession or postal code a person cannot be directly identified, but with a unique combination of this kind of data, a person can be indirectly identified. For example: an archiving consultant at Docbyte or a male Docbyte employee living in Namur.

It is important to know which personal data is hidden where in your documents and systems.
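The indirect identification described above can be checked mechanically by counting how many records share each combination of attributes. The following is an added example, not part of the original article; the employee records, field names and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data: no real people; "id" stands in for a name.
EMPLOYEES = [
    {"id": "emp-01", "role": "developer", "gender": "M", "city": "Ghent"},
    {"id": "emp-02", "role": "developer", "gender": "M", "city": "Ghent"},
    {"id": "emp-03", "role": "developer", "gender": "F", "city": "Ghent"},
    {"id": "emp-04", "role": "developer", "gender": "F", "city": "Ghent"},
    {"id": "emp-05", "role": "archiving consultant", "gender": "F", "city": "Ghent"},
    {"id": "emp-06", "role": "developer", "gender": "M", "city": "Namur"},
    {"id": "emp-07", "role": "developer", "gender": "F", "city": "Namur"},
    {"id": "emp-08", "role": "developer", "gender": "F", "city": "Namur"},
]
QUASI_IDENTIFIERS = ("role", "gender", "city")


def singled_out(records, fields, k=2):
    """IDs of records whose values for `fields` are shared by fewer than k records."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return sorted(r["id"] for r in records
                  if counts[tuple(r[f] for f in fields)] < k)


def minimal_identifiers(records, fields=QUASI_IDENTIFIERS, k=2):
    """Map each identifiable record to the smallest field sets that isolate it."""
    found = {}
    for size in range(1, len(fields) + 1):
        for combo in combinations(fields, size):
            for rec_id in singled_out(records, combo, k):
                known = found.setdefault(rec_id, [])
                # Skip supersets of a combination that already isolates this record.
                if not any(set(prev) <= set(combo) for prev in known):
                    known.append(combo)
    return found


if __name__ == "__main__":
    for rec_id, combos in minimal_identifiers(EMPLOYEES).items():
        print(rec_id, "is identifiable via", combos)
```

No single value of gender or city isolates anyone in this sample, yet the pair does, which is why an inventory of personal data has to look at combinations of fields and not only at obvious identifiers.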

The link between information is key

Knowing that your company is handling personal data as described in the GDPR is not enough. The tricky part is the link between pieces of information. A name in one document and an address in another document is no problem as long as these data cannot be linked to each other. If you can deduce a relation or connection between them, the data is considered ‘personal data’, which means the GDPR applies.

Which personal data is your company managing?

To make sure your company complies with the GDPR, the recommended first step is to look at the personal data of all your employees stored in documents and systems. And that can be a long list:

  • Contract information
  • Contact information (address, phone number, national number, …)
  • Payment information (bank account, …)
  • Family composition
  • Email address
  • Office and phone number
  • Medical information
  • Car identification
  • Call log
  • Time sheet
  • Meal voucher card information
  • Expense report
  • Phone / laptop information
  • Passport / ID copy or extracted information

It is not only important to know where this information is stored; you should also know who is managing it:

  • Databases
  • Third-party Cloud
  • Company social network
  • Active directory
  • Paper document
  • Third-party companies:
    • Social secretary
    • Payroll institution
    • Car leasing company
    • Medical Insurance

Extended personal data

The GDPR clears up some of the ambiguities that existed in the past about what is being considered as personal data. The term ‘personal data’ has been extended to several domains:

  • Online identifiers and location data: The GDPR makes clear that IP addresses, mobile device IDs and the like are all personal data and must be protected in compliance with the GDPR. These types of data are now subject to fairness, lawfulness, security, data export and other data protection requirements just like every other type of personal data.
  • Pseudonymous data: The GDPR uses the term ‘pseudonymous data’ to indicate personal data that has been subjected to technological measures like hashing or encryption. Pseudonymous data is considered as personal data in the GDPR definition.
  • Genetic data and biometric data: The GDPR defines genetic data (such as an individual’s gene sequence) and biometric data (such as fingerprints, facial recognition and retinal scans) as sensitive personal data. According to the GDPR this sensitive data requires a data protection impact assessment to detect potential processing risks and take measures to guarantee compliance.
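Why hashed identifiers remain personal data can be seen with a keyed hash over visitor IP addresses. This is an added example, not part of the original article; the key, log lines and function names are constructed, and the IP addresses come from the documentation ranges of RFC 5737.

```python
import hashlib
import hmac

# Constructed key and log lines for illustration only.
SECRET_KEY = b"example-key-kept-separately"
ACCESS_LOG = [
    ("192.0.2.10", "/pricing"),
    ("198.51.100.7", "/blog"),
    ("192.0.2.10", "/contact"),
]


def pseudonymize(value, key=SECRET_KEY):
    """Replace an identifier with a keyed hash (HMAC-SHA256, truncated for readability)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_log(log, key=SECRET_KEY):
    """Return the log with every IP address replaced by its token."""
    return [(pseudonymize(ip, key), path) for ip, path in log]


def pages_per_token(pseudo_log):
    """The same visitor always maps to the same token, so activity stays linkable."""
    profile = {}
    for token, path in pseudo_log:
        profile.setdefault(token, []).append(path)
    return profile


def reidentify(pseudo_log, candidate_ips, key=SECRET_KEY):
    """Whoever holds the key can recompute tokens and map them back to identifiers."""
    lookup = {pseudonymize(ip, key): ip for ip in candidate_ips}
    return {token: lookup[token] for token, _ in pseudo_log if token in lookup}


if __name__ == "__main__":
    pseudo = pseudonymize_log(ACCESS_LOG)
    print(pages_per_token(pseudo))
    print(reidentify(pseudo, ["192.0.2.10"]))
```

The tokens hide the raw address but still tie a visitor's requests together, and the key holder can reverse the mapping, so the key must be stored and access-controlled separately from the pseudonymized data.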

The impact of GDPR on your organization

With the GDPR it is clear that Europe reinforces its protective approach for personal data. All organizations must analyze what data they collect and whether it is subject to the personal data requirements of the GDPR. In particular, they should pay attention to the special protection of sensitive data such as genetic and biometric data.

The impact of the GDPR for online businesses is significant due to the explicit description of online identifiers and location data as personal data. Even for advertising, analytics and social media platforms outside of the EU, the GDPR will have considerable consequences. They will be required to treat these identifiers as personal data protected by the European law or they risk losing EU business.
