Why ask questions about personal data?
The term "personal data" often comes up in discussions about digital technology, privacy, and data protection obligations. However, few people understand its exact definition. It is essential to understand what this concept covers, particularly to avoid confusion between personal data, professional data, and company data.
This article provides a clear answer to the question: what exactly is personal data, and why is its processing so strictly regulated?
Definition of personal data according to the CNIL (National Commission for Information Technology and Civil Liberties) and the GDPR
According to the CNIL (National Commission for Information Technology and Civil Liberties) and the General Data Protection Regulation (GDPR), personal data is any information relating to an identified or identifiable natural person. If data allows, directly or indirectly, an individual to be identified, it is considered personal.
Identified or identifiable?
- An identified person: last name, first name, social security number, photo, personal or professional email address.
- An identifiable person: IP address, cookies, login details, client number, or any combination of such data.
Some data does not identify a person directly, but can do so indirectly through cross-referencing. This is also a matter of security and data processing.
Example: A user ID + browsing history = identification possible via a CRM tool.
This type of operation constitutes processing that is subject to the same rules and controlled by the data controller.
In all cases, the processing of personal data must serve a purpose (it must be justified), comply with security obligations, and allow the data subject to exercise their GDPR rights, including the rights to rectification, portability, erasure, etc.
Concrete examples of personal data
To better understand what data protection entails, here are some practical references classified by category.
- Identification data: First and last name, date and place of birth, postal address and email address, telephone number, identifiable photographs, etc.
- Professional data related to a natural person: email address of the type prenom.nom@entreprise.com, employee badge or employee number, CV, evaluations or HR data, etc.
This data is protected by law because it concerns an identifiable natural person, even in a professional context. Its unregulated dissemination may constitute a violation of protection obligations.
What we often forget: technical data can sometimes be personal
Certain technical data, also known as metadata, may seem insignificant at first glance. However, it can constitute personal data when it allows a person to be identified, either directly or indirectly.
Examples:
- A user's IP address
- Login details for a secure area
- The time of last activity on an account
- Browsing logs on a website or application
Although this information comes from technical systems, it is often used in processing operations: activity monitoring, traceability, performance measurement, security, etc. It therefore falls squarely within the scope of GDPR.
📌 Did you know? Even a single connection timestamp, if linked to a user account, must be considered personal data. It is subject to data protection obligations, particularly regarding retention periods and the purpose of processing.
What is not personal data: beware of false friends
It is essential to distinguish between personal data and company data. Data relating to a legal entity is not personal data within the meaning of the regulations.
Some examples of non-personal data: a contact email address such as contact@dipeeo.com, or a company name or SIRET number.
However, a professional email address containing a person's name (firstname.lastname@...) remains personal data because it identifies an individual. It is not the use of the data, but the identification of the person that defines its personal nature. In other words, data used in a professional context, if it allows a natural person to be identified directly or indirectly, remains personal data within the meaning of GDPR.
Conclusion: protecting personal data means respecting fundamental rights
Personal data is any information related to an identifiable natural person, regardless of the context (private or professional). What matters is the ability to identify an individual, either directly or indirectly.
Understanding this definition also means understanding the rights that every individual has over their data: access, rectification, erasure, portability, objection, etc. These rights are central to the GDPR and entail specific obligations for data controllers.
📌 For more information:
Read our full article on managing the rights of data subjects to find out how to exercise or respect them in practice.
In France, the CNIL (National Commission for Information Technology and Civil Liberties) is the reference authority for any questions, complaints, or additional information related to the protection of personal data.