At first… why is it important, what personal data is?

Because when you process personal data, data protection regulations (like GDPR) apply to you. 

When you don’t process personal data (for example because you work only with anonymous data), you are not subject to the regulations.

So, what is personal data?

Personal data is any information that can be used to identify an individual.

Very important term here is an individual, which means a physical person.

This definition is based on european data protection regulation – GDPR. Other regulations might use a different terms or can have slightly different meaning. For example CCPA also works with the term ‘household’.

Examples of personal data:

• name and surname
• identification number
• e-mail addresses (if they are linked to individual)
• online identifiers (like cookies, IP address or other tools, which can track internet activity)
• genetic information
• health information
• biometric data

More examples

Q: Are business contact details a personal data?

If they contain a name of individual (a contact person in a company), then yes.

A: If they contain a name of individual (a contact person in a company), then yes.

Q: Is an e-mail address like firstname.lastname@company.com personal data?

A: Yes, it is linked to a specific individual.

Q: Is an e-mail address like info@company.com or invoices@company.com personal data?

A: No.

Q: IP addresses?

A: If you have a public website and work with IP addresses of visitors (such as in access log), then yes, this is personal data.

On the opposite, If you have an internal map of servers in the company network, there are no individuals behind these IP addresses.

But if you work with IP addresses provided to end users (employees) or with IP addresses of visitors of your websites, then again, this is personal data.

Q: What about internal identifiers inside the company?

A: If you use some internal usernames like ‘abc1234‘ instead of first name and last name. This is also personal data, because inside the company, you know, which individual is behind which username.

Q: What about internal identifiers inside the company?

A: It depends… usually it is still consider as a personal data, but ‘pseudonymized’.

Q: CCTV recordings?

A: Yes, you can see individuals there.

Q: What if I have statistics data of how my clients or employees behave?

A: If you cannot distinguish individuals, then this is not personal data.

Q: What about anonymous employee survey?

A: Also no. But be careful – even if you removed names, e-mails, company identifiers… what about job titles? How many CEOs do your company have? Or data protection specialists? The best practice is usually to group results at least in 5 persons, so you have no individuals – therefore no personal data – there.

Also, when data is more sensitive, they are called ‘special categories of data’. It is also a term from GDPR and covers data like racial or ethnic origin, genetic data, biometric data, data about sex life etc.