What Does GDPR Cover?

The General Data Protection Regulation (GDPR) encompasses a broad and precise definition of personal data, extending well beyond basic identifiers. According to Article 4(1) of the GDPR, personal data refers to “any information relating to an identified or identifiable natural person (‘data subject’)” [1]. This includes, but is not limited to:

• Names
• Identification numbers
• Location data
• Online identifiers (such as IP addresses)
• Email addresses, phone numbers, and physical addresses

The GDPR further expands the scope by categorizing certain data as special categories of personal data. These are subject to heightened protection due to their sensitive nature. Article 9(1) lists these categories, including:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data (where used for identification)
• Health data
• Data concerning a person’s sex life or sexual orientation

The regulation explicitly prohibits processing such special categories unless specific conditions are met, such as explicit consent or substantial public interest [2].

Applicability
The GDPR applies extraterritorially. Article 3 outlines that any organization, regardless of its physical location, must comply if it:

• Offers goods or services to individuals in the EU/EEA
• Monitors the behavior of individuals within the EU/EEA

Empirical analysis demonstrates that non-EU organizations are frequently subject to GDPR obligations when collecting or processing EU residents’ data, especially in digital commerce and web analytics scenarios [3].

Key Results

• The definition of personal data under the GDPR is intentionally broad, ensuring coverage of traditional and emerging forms of identification (e.g., cookies, device IDs).
• Sensitive personal data, as defined by GDPR, necessitates stricter processing standards and explicit legal bases.
• The GDPR’s reach is global: entities outside the EU/EEA must assess their data processing activities for potential coverage.
• The regulation’s interpretation by supervisory authorities and courts has consistently favored comprehensive protection, emphasizing the regulation’s goal of safeguarding data subjects’ rights [4].

References:
[1] Regulation (EU) 2016/679 (General Data Protection Regulation), Article 4(1). Official Journal of the European Union
[2] Regulation (EU) 2016/679, Article 9(1).
[3] Kuner, C., Bygrave, L. A., & Docksey, C. (2020). The EU General Data Protection Regulation (GDPR): A Commentary. Oxford University Press. OUP Reference
[4] Voigt, P., & Von dem Bussche, A. (2017). The EU General Data Protection Regulation (GDPR): Practical Guide. Springer. Springer Reference