The term ‘personal data’ is the entryway to application of the Data Protection Basic Regulation and is decide in Art. 4 para. 1 no. 1. Personal data are all information which is related to an identified or identifiable natural person.
Those impacted are identifiable if they can be identified, especially using drill to an identifier such as a name, an identifying number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone number, credit card or group number of a person, account data, number plate, appearance and consumer number or address are all personal data.
Since the definition includes “all information,” one must assume that the term “personal data” should be as broadly interpreted as possible. This is also found in case law of the Court of Justice of the European Union. These include also less-clear information, such as recordings of work times which include information about the time when an employee do and ends his work day, as well as breaks or times which do not fall in work time. Also, written answers from a test-taker and any remarks from the test about these answers are “personal data” if the test-taker can be theoretically identified. The same also applies to IP addresses. If the processor has the legal option to oblige the provider to announce additional information which can identify the user who is behind the IP address, this is also personal data. In accession, one must note that personal data need not be objective.