The text defines it as « any information relating to a natural person who can be identified, directly or indirectly. »
Personal data is said to concern a natural person, because in the case it concerns a company, it will not be considered personal data. Thus, it will not be protected by the GDPR.
There is a small distinction to make between data that can identify a person directly and indirectly. The first refers for example to the name or the first name. The latter refers to the data that allow indirect identification of a person, such as telephone number, social security number, IP address or license plate.
The distinction is important because from the moment a person can be identified by cross-referencing several data, it is personal data. On the other hand, anonymized or pseudomized data are not affected by the GDPR.
It is essential to point out that the method of storage of the data does not matter, both electronic and paper data are protected by the GDPR. The same goes for the method of processing; which can be automated or manual as long as the data is organized according to predetermined criteria.
Thus, as soon as a processing operation involves personal data, the GDPR applies. This means that the data controller or processor must respect the obligations set out in this text and ensure that it is in compliance with the GDPR.
Data controllers and processors must be aware of their obligations
of those actors, and a brief overview of the steps to ensure they are compliant.