Personal Data

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

-- Art. 4.1 EU-GDPR

Personal data is always critical data. It should be stored in a way that not authorized people have no access (e.g. by encrypting). If any such data is collected, a table containing the type of data collected, its purpose and which third parties it may be shared with for what purposes should be made.

Encrypted personal data may still be considered personal data. That part is a topic open for discussion and without any legal certainty. However, for our purposes, we may consider encrypted personal data as no personal data anymore if and only if the following criteria are met

• No visible file names or other meta data contains any personal data
• The encryption was done using an algorithm commonly considered secure
• The passphrase is an at least 64 bytes long (pseudo)randomly generated one, if any passphrase used
• The passphrase is never stored on the same medium as the encrypted file
• The passphrase is stored in an encrypted manner

---

For more information on the legal implications, also read the following articles:

• Is encrypted data personal data under the GDPR?
• Op-ed: Encrypted data may still be personal under GDPR