IU GDPR Working Group

  1. ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  2. The word "in" is used broadly in this instance. The GDPR applies to the personal data of data subjects regardless of whether they are citizens or residents of the EU. (See Chapter 1, Article 3 of the GDPR for more information on "Territorial Scope".)
  3. Non-compliance may be subject to administrative fines up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.