GDPR (1) What does the term ‘personal data’ refer to?

13 July 2017

It is impossible to discuss the GDPR without reflecting on the definition of ‘personal data’. The GDPR defines personal data as “any information relating to identified or identifiable natural persons”. As with all definitions, every word matters, and so each of the terms contained in the above definition is considered separately below.

  • Natural persons:
    The definition of personal data encompasses data about private individuals who are still living, but not data concerning legal entities. It therefore excludes companies that are clients or suppliers, although it does include the details of contact persons, for instance.
  • Identified persons:
    A person may be identified by means of their surname, first name, address and date of birth, for example. The more data you have collected and the smaller the group of people concerned, the easier it is to trace information back to one individual.
  • Identifiable persons:
    Data that cannot be linked to a person may contain a key that allows the data to be combined with other data. If this could result in the identification of an individual, the data concerned are personal data. The GDPR explicitly states that such data will continue to be classified as personal data so long as it is possible to combine the data by making reasonable efforts.
  • Any information:
    This term clearly indicates that the data in question are not restricted to digital information contained in databases, and that personal data also include data collected on paper, visual materials, sound recordings and other information. Some of the previous legislative initiatives were limited to digital information, but this is specifically not the case when it comes to the GDPR.
  • Information relating to a person:
    Information that, on its own, indicates nothing about a person can still be considered personal data if it is linked to a person. Examples include location information (i.e. information indicating a person’s location at a particular moment).

The term ‘personal data’ therefore covers a vast array of data, including your name, address, date of birth, marital status, and partner’s and children’s names, the medical file kept by your GP and a list of any criminal convictions. You no doubt often make information about your qualifications, knowledge of languages and work experience available on purpose. You probably share personal experiences on social media with friends and family only, and keep them screened off from the outside world. However, have you ever considered data such as the list of all the items you bought in your favourite supermarket during the past year, or your internet search history? Personal data even include the precise location of your mobile phone (and therefore most likely your own location) at various times.


To gain an idea of the amount of data that comes within the scope of the GDPR, try listing all the personal data you come across in your own working environment and all the data that your employer or business contacts at other companies are likely to hold about you. Complete this exercise before reading further.

Have you finished your list? Did you give any consideration to the following items?

  • Drawers full of business cards, or spreadsheets containing contact details
  • The home telephone numbers of your colleagues, or the direct number of a consultant that you were given in confidence for use in an emergency
  • Photos taken during the most recent staff party
  • Your CV
  • Evaluation or appraisal interview reports
  • Records of days worked, absences and sick leave
  • Camera images taken at entrances to business premises or in the workplace
  • Logs that the IT department keeps of the hours you are logged on to the network or specific applications, as well as the websites you visit.
  • Your email messages (their content, the number of messages and the recipients )
  • Questionnaires you complete in order to receive information from a supplier, download a white paper or sign up for a newsletter (e.g. your areas of interest, your hobbies, your position within your company, and how much experience you have).

Although this list is by no means exhaustive, it clearly shows why legislation is needed to ensure that all those who use personal data handle such data with due care and adhere to a number of rules. At the same time, it is also inevitable, and even necessary, that personal data can be used by private individuals, the government and even businesses. The GDPR seeks to ensure a good balance is found between an individual’s right to privacy and the possibility that businesses may make cross-border use of the wealth of data that is available. Future posts on this blog will explain how the GDPR seeks to strike a balance between these two perspectives. The kind of data used and the intended purpose are of crucial importance when determining the obligations that have to be fulfilled. The next instalment of this blog will therefore take a closer look at the different levels of sensitivity that apply to personal data and what the law refers to as ‘special categories’. A future post will go on to consider the precise definition of data processing and the related roles and responsibilities.

Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is Certified Information Security Manager (ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals), which is the world’s largest organisation of privacy professionals.

If you have any questions or comments, please write to us at