Episode 15 - Personal Data And The GDPR: What’s Covered And What’s Not

The GDPR defines personal data very broadly. But it is not an all-encompassing effort to protect all personal data from every conceivable use or misuse.

“Personal data” is defined by Article 4.1 as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This defines personal data to include relatively non-sensitive information such as a phone number or email address, as well as more sensitive information such as biometric, genetic and other information about a person.

The GDPR does not protect the data of legal entities. Only personal data of natural persons are addressed. Business, non-profit organization and government data are not covered. (Recital 14). Only data that relate to an identified or identifiable natural person are regulated by the GDPR. (Article 4.1)