SaaS Agreements – FAQs – Personal Data

It is essential for SaaS providers and SaaS customers to understand what consitutes personal data to ensure that they comply with their respective legal obligations when acting as data controllers and/or data processors.

What is Personal Data?

Articles 4(1) of the General Data Protection Regulation (“GDPR“) defines personal data as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

It is important to note that the GDPR only applies to personal data.

Examples of Personal Data

If an individual is directly identifiable from the information, the data is personal data. For example:

  • Name; or
  • Email address.

If, by looking solely at the data you can distinguish an individual from other individuals, that individual will be identified (or identifiable). Remember you don’t have to know someone’s name for them to be directly identifiable, a combination of other identifiers may be sufficient to identify the individual. For example the following identifiers:

  • Location data;
  • Online identifiers – such as an IP address or cookie identifier;
  • Identification data.

Categories of Personal Data

Some personal data is more sensitive in nature. The GDPR refers to this type of personal data as “special categories of personal data”.

Special categories of personal data include personal data about an individual’s:

  • race;
  • ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data (where this is used for identification purposes);
  • health data;
  • sex life; or
  • sexual orientation.

Is Pseudonymised data personal data?

Pseudonymisation is a technique used to change personal data so that it can no longer be attributed to a specific data subject without the use of additional information. Provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person then the data is pseudonymised.

Is anonymous data personal data?

If personal data is truly anonymised i.e. the data cannot be combined with any other data to identify an individual, then the anonymised data is not personal data.

Is information about companies personal data?

Information about companies or public authorities is not personal data as a company or public authority is not a natural person. However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may be personal data.

Is data about a deceased individual personal data?

Information about a deceased person is not personal data.


Irene Bodle is an IT lawyer specialising in SaaS agreements and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: