The GDPR only applies to Personal Data, which is defined in Article 4:
‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Use of the word "only" in this context is clearly understated. Personal Data is an extremely broad category. It covers any data about an identifiable natural person. It is important to note that this is significantly broader than the concepts of PII or even PHI in the U.S.. In contrast, the GDPR provides that personal data is literally any data about an identifiable person. We previously examined in the Driven blog Who is covered under the GDPR.
The GDPR does not encompass all data about a person. There are a few exceptions, the most important of which in this context is Recital 14, which carves out a specific exception for data pertaining to “legal persons.” A legal person, by contrast to a natural person, is a legal entity. Complicating matters for data analysis is the fact that a legal person and a natural person can be the same person and have significant identifier overlap. A sole proprietorship is a classic example of this scenario. Identifiers for Jane Q. Smith’s law practice may include her name, her phone number, and her office address. Or they could include her home address if she works from a home office.
Whether data is related to a natural person or a legal person can be an area of uncertainty that requires specific contextual analysis.