GDPR defines Personal Data as
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Practically, for most website owners, this translates to any data that could potentially identify a specific individual. This includes:
- Names and Addresses
- IP Addresses
- Email Addresses
- Financial Information (PIFI)
- Unique Identifiers (like passport or social security numbers)
- Medical information
- Biometric elements (facial recognition, fingerprint)
- A person’s location, occupation, gender, etc.
It's important to note that the GDPR deals with the total sum of information saved on users. So while a data-set in itself might not be enough to identify users, it would still be considered personal data if it could be used to do so when combined with another data-set.
A good example of this is a list of first names. It would not be a breach of GDPR to create such a list, for example to identify the most popular first name among your users. You wouldn't be able to identify any individual from a list saying 'John, Jane, Mike'. But if you combined this list with any other values, such as surnames, emails or similar, it might be enough to identify an individual. And that would be a breach.
If you have any questions on GDPR, try looking over our Frequently Asked Questions on GDPR.
You're also welcome to contact us at firstname.lastname@example.org if you have any questions.