“What is Personal Data under GDPR?”
“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).”
In other words, any information that is clearly about a particular person.
But just how broadly does this apply?
The GDPR guidance clarifies:
“[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Therefore, it’s reasonable to assume this can include someone’s hair colour, state of mind at the time, personal beliefs and opinions, etc. So anything that you write down in your client notes that relates to your client could be considered personal data.
If you’re asked to disclose the data you hold on a client and you’re unsure how to proceed, it’s best in that instance to seek specialist legal advice.