According to data protection law, personal data is any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
The GDPR protects personal data regardless of the technology used for processing that data – it’s technology-neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
According to Shopify, personal data means any data that can be used to identify an individual, including:
Credit card number
Personal data does not include information that is purely financial and cannot be linked to an individual, such as:
How many times a specific product has sold
How much revenue your store has made
Note: You do not need to disclose or erase purely financial information when you receive a request under the GDPR. In fact, you may not legally be allowed to do so in certain jurisdictions, where you may be required to maintain order records for tax or other legal reasons.