The definition in GDPR is that personal data is: "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
If that definition did not make you any wiser ;-), we have tried to explain it further:
- The definition of personal data is broad and wide-ranging, so if you are in doubt as to whether certain data is "relating to an identifiable person", it most likely is personal data.
- You do not need to be able to tie the data directly to a "named person". It is enough that you can tie the data to a specific individual. A good example is a tracking cookie: you cannot identify the person's name, but you can track a specific person, hence the data is personal data.
- Remember that data kept under pseudonyms are still personal data if you can refer the data back to an individual:
To make things easier, we have compiled a list in the GDPR wizard of potential personal data points that are commonly used in companies. If you have others, please add them using the function under the list of suggestions.