Personal data is the central focus of the GDPR, as the Regulation only applies to those instances when personal data is being processed. The term is not new, it was present in the Data Protection Directive. However, the GDPR broadens the spectrum of what type of data falls under this category. We can practically divide this data into three types.

The first is the classical personal data, where we find items such as the name of a data subject, their address, phone number, ID, birthday and more.

Digital personal data includes the email address, someone’s social media account and their posts, metadata and even IP addresses. Until the GDPR it was not usual to view IP addresses for example as personal data. The Regulation, however, specifically discusses the idea of online identifiers, which includes IP addresses. With static ones, the reason is easy to understand. The debate comes when we discuss dynamic IP addresses, which change each time a user access the network. However, the GDPR does consider them personal data, as the Internet Service Provider has records of each address allocated to a certain user, and can, if need be, identify the data subject.

Finally, sensitive data include biometric and genetic data, health data, political views, religious convictions or trade union membership.

Another important aspect is that the Regulation refers to data about natural persons. In other words, it does not apply for legal entities such as corporations or other organizations. This has made many people wonder if the GDPR would apply to business to business operations. And the answer is it does, because even in B2B you may still be able to identify natural persons. For example, you might have the name of the people you are exchanging emails with, if that email address is something like While the data of the company in itself is not personal data, anything that can help you identify a person is.

Articles: 4,9

Recitals: 26,30,34,35,51