According to the GDPR, personal data include all information about an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Therefore, personal data include not only a person's identification data (name and surname) or address data (address of residence), but can also take various other forms, for example a phone number (including a business phone number), an e-mail address (also in a form such as firstname.lastname@example.org), photos (e.g. on an ID card), voice recordings (e.g. on the hotline), an image (captured by visual monitoring operating in your company), special features of appearance (e.g. dimensions of work clothes), fingerprints (e.g. on the iPhone you use), the retina of the eye (e.g. in the access control system), or even an IP address or a note on a candidate’s CV. All these kinds of data can be recognised as personal data.
Long story short: personal data is all information that your company collects about its employees, customers/clients or contractors.
Information counts as personal data whenever it allows the identity of a specific person to be determined, even if doing so would require some effort and additional information (an identifiable natural person). This includes any reasonable and probable means that could be used to identify an individual.
The concept is not limited in any way, and what falls within its scope may change with technological progress. In each case, however, the deciding factor is whether the given information can be assigned to a specific person. If it can, we are dealing with personal data.