100 Overlook Center, 2nd floor, Princeton, New Jersey, 08540, USA

What is Personal Data under GDPR?

6 out of 10 Americans believe that it is impossible to avoid the collection of personal data in everyday life. They are right. A study by WhoTracks.Me found that 82% of web traffic contains third-party Google scripts and confirmed that half of them collect personal user data. Google tracks 40% of web traffic, Facebook 15%, Twitter and Microsoft 4%.


More and more users are worried about how companies use their data. For example, the latest version of Apple iOS includes a new privacy feature, which requires mobile apps to ask users for permission to collect data. As of April 2022, among those who have already installed the iOS 14.5 updates, only 25% have allowed tracking.


Under the GDPR, a business must be transparent and open about what personal information it collects from customers to have an opportunity to use internet marketing tools and monetize IT products. Let's find out what is considered personal data and how companies can increase customer confidence and ensure their data security.


What data is considered personal?

Personal data is any information that can be used to identify a person. The GDPR rules do not apply to the personal data of a legal entity.

The more that personal data is combined, the more difficult it is to keep that data depersonalized. This creates higher risks and responsibility under the GDPR. While the GDPR has guidelines to determine what constitutes personal data, there is no explicit definition. The regulation includes only the concept and general principles for classification. So let's look at examples.

When a user places an order for a laptop in an online store, they fill out a form with personal data which includes their name, surname, phone number, and e-mail. In addition to the personal data, the online store receives order data, which includes the model and color of the laptop. In this case, first name, last name, telephone number, and an e-mail would be considered personal data. But the model and color of the device are not considered personal data because it is impossible to identify a specific person using this information. 

This approach can be different if a business deals with profiling for advertising purposes, so it is crucial to analyze business conditions to identify all types of data which is considered personal. When lawyers draw up a Privacy Policy and determine the list of personal data in a document, they study the context. Following the previous example, the online store may conduct massaging by phone number advertising accessories for a specific laptop model. So the model becomes the criteria for profiling, and the status of personal information is obtained. The buyer must consent to the automated processing of such data for marketing purposes. This requirement is established by article 22 of the GDPR.


Let's take a look at an example of how best to create a list of personal data in order to stay compliant with GDPR regulations. Stalirov&Co IT lawyers wrote the Privacy Policy for Insurance Hunter, a paid lead generator for insurance companies. Using it users from the US and the EU fill out a questionnaire, and software algorithms select the best financial solution based on personal preferences. To realize its goals, Insurance Hunter collects:

  • Identification data: name, date of birth, age.
  • Biographical information: marital status, gender and employment status.
  • Contact details: home or other physical address, email address and phone number.
  • Driver Details: insurance policy information, car accident details, and car information.
  • Financial data: credit information and annual income.
  • Health data: biometric parameters (height, weight) and health information.

In addition to the personal data gathered through the questionnaire, the Insurance Hunter’s platform receives technical data automatically when the user visits the website:

  • IP address, other device address or ID.
  • Web browser and device type.
  • Geolocation data.
  • Hardware and software settings and configurations.
  • The pages the user is viewing.
  • Site actions.


What is sensitive data under GDPR?

All of the information collected by Insurance Hunter is personal data, however, not all is “personal sensitive data”. Among the personal information collected, processed and stored by Insurance Hunter some is considered “personal sensitive data”, for which the GDPR requires a legal, purposeful goal. Without a legal, purposeful goal the collection of the following data is prohibited by the GDPR. 

  • Racial or ethnic origin.
  • Political views.
  • Religious or philosophical beliefs.
  • Membership in a trade union.
  • Genetic and biometric data.
  • Data about health, sex life or sexual orientation.

The processing of such data is only permitted with the express data subject consent for specific purposes.


Is an IP address considered personal data?

Individuals may be assigned internet identifiers, such as IP addresses or cookie identifiers. Together with other personal data, they can be used to create profiles or identify a person. So, following Preamble 30 of the GDPR, the IP address is considered to be personal data, when in conjunction with other additional information a person can be identified.


What individual personal data rights should a company guarantee?

The GDPR has established eight rights of data subjects, the violation of which leads to fines.

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right to object to automated decision making and profiling

The Stalirov&Co IT lawyers have detailed the most important of them and what fines a company faces if they do not ensure the proper implementation of these rights.


Right to be informed

Users have the right to access comprehensive information about their data collection, processing and storage. This rule means that it is essential for businesses to describe in public documents all actions using personal data. Read more about how to write a GDPR Privacy Policy here.

Failing to provide publicly accessible information regarding the collection, processing, and storage of personal data will lead to financial penalties.

In October 2022, four banks in Greece received fines of 20,000 EUR for violating their clients’ right to information. All four banks collected data on the last ten transactions and stored them on the customer’s bank card without the customers' explicit consent. The Greek Data Protection Authority found that the banks did not inform the customers about this and therefore violated article 13 of the GDPR.

In order to limit your liability, it is essential to present information concisely, clearly and in simple language. Place Privacy Policies in intuitive places, so the user is always one or two clicks away from accessing the document.


Right of access

The right of access allows a user to view the information a company stores about them. In order to access this data, the data subject must submit a request to exercise this right. The information must be provided without delay and free of charge.

Deutsche Bank in Spain received a 20,000 EUR fine for failing to respond to a request in a reasonable amount of time. An even more significant fine of 830,000 EUR had to be paid by a Dutch financial company for demanding a fee when people requested access to their data. The free inquiry was only available once a year by mail.

The steps for gaining access to user data should be as simplified as possible. Technical difficulties experienced by a company cannot be an argument for reducing the fine.

For example, the Finnish Data Protection Ombudsman received 11 complaints against Otavamedia regarding the lack of response to inquiries. Otavamedia explained that the requests were not considered due to technical issues with email management and received messages were not forwarded to customer support. The problem was discovered only seven months later. But the ombudsman drew attention to the fact that Otavamedia had to test the new email system before using it to ensure that requests were answered and that the data subjects' rights were respected. This failure required Otavamedia to pay a fine of 85,000 EUR.


Right to rectification

The GDPR requires that each customer is able to correct their inaccurate or incomplete personal data without delay.

A client of the Spanish bank CAIXABANK repeatedly and unsuccessfully requested an update of his address in the bank's database. For this, the business had to pay a fine of 25,000 EUR.


Right to erasure and right to be forgotten

The GDPR has established six conditions when a user can request the deletion of data:

  • Personal data is no longer needed for the purposes it was initially collected.
  • A natural person withdraws consent to the processing of his data.
  • A person objects to data processing for specific purposes, such as marketing.
  • Personal data was processed unlawfully.
  • Personal data must be deleted under local laws.
  • Personal data is processed in connection with providing online services to a child.


In addition to deletion, data subjects may request the de-indexing of Google pages that link to information about them. The data will still be on the original sites but won't appear in Google's search results, so it's less likely to be seen.

Since the introduction of the de-indexing procedure, Google has received 1,347,534 requests. But not all of them were successfully processed. Because of this, in 2020, Google received a 7 million EUR fine from the Swedish Data Protection Authority for deleting not all requested pages. In addition, the Data Protection Authority demanded that Google stop informing the website owners about which web page link was removed and who made the request. Such a rule allows the site owner to republish information on a different web address, which Google again indexes. It makes the right to be forgotten impracticable.


Right to object

Under article 21 of the GDPR, at any time, a user may object to processing their data for specific purposes. For example, they can apply with a request to stop direct marketing. This right is absolute. The company cannot override the customer's objection and must immediately stop using the data for direct marketing purposes.

Spanish Vodafone customers complained to the company about promotional calls, emails and SMS messages that continued even after they exercised their right to object. Many users of Vodafone services were contacted even though their numbers were on the Robinson List, a free ad exclusion service in Spain. Before making a call or sending an advertisement, the company must review this list. But even the presence of customer data on this list did not stop Vodafone and they were forced to pay 8 million EUR for violating article 21 of the GDPR. 


Right to object to automated data processing 

Under article 22 of the GDPR, users have the right to contest any automated decision made based on the processing of their data.

For example, in 2014, Amazon developed an artificial intelligence tool for recruiting. Based on candidates' personal data, artificial intelligence assigned them one to five stars. But after a year of use, it turned out that the system could not evaluate software developer candidates in a gender-neutral way. This was because Amazon's computer models had been trained to evaluate candidates based on resumes submitted to the company over the past ten years. Most of them came from men, so the Amazon system decided that male candidates were preferable. In this case, the candidates' rights can be protected in only one way - to introduce an objection procedure, as provided by article 22 of the GDPR. A candidate should have the right to contest the result and require that a decision made by the algorithm be reviewed by a human.


The company's task is to describe to customers how they can exercise their rights and how to contact the company. To do this, public documents on websites and applications must include support service contacts. It is crucial to consider requests promptly and give detailed answers in case of refusal. The Data protection officer handles communication with clients. In the following article, Stalirov&Co IT lawyers explain who needs a DPO and what functions this specialist performs.

Article navigation
Latest articles

Latest cases

All cases
For the full operation of the website and the improvement of service provision, we use anonymous data provided by Сookies!
Call me back IT lawyer will contact you
to discuss details
Service order IT lawyer will contact you
to discuss details
Thanks for reaching out!

An IT lawyer will contact you with legal solutions

Thank you for your request!

An IT lawyer will call you back to discuss details

Thank you for your feedback!

We would love it if you tell your friends and colleagues about us

Thank you for your inquiry!

The IT legal team will contact you with options solutions

Thank you for your inquiry!

An IT lawyer will contact you with a few more questions

Thank you for your interest!

Await advice from IT lawyers

Thank you for your inquiry!

The IT legal team will prepare a solution for you

Thank you for contacting us!

An IT lawyer will analyze your situation and offer a solution