What is personal data under the GDPR?
The General Data Protection Regulation (2016/679 EU) (GDPR) defines personal data as "any information relating to an identified or identifiable natural person" (ie an individual rather than, for example, a company). It covers data from which someone can be identified directly or indirectly, in particular by reference to:
- an identifier such as a name, an identification number, location data or an online identifier (such as an IP address); or
- factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
The GDPR covers personal data that is stored in a manual filing system if it is accessible according to specific criteria, for example where it is ordered chronologically or alphabetically.