Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.
GDPR

Research Team (Tsaaro)
Published

Introduction
The General Data Protection Regulation (GDPR) stands as one of the most influential data protection frameworks globally, setting a high standard for how information is regulated and safeguarded. It provides a structured and comprehensive legal regime that promotes transparency, accountability, and responsible data governance across organisations. By establishing clear rules on how data must be handled, the GDPR strengthens trust between individuals and organisations while ensuring consistency in data practices across jurisdictions.
Role of personal data in GDPR
Personal data occupies a central and defining role in GDPR. It acts as the foundation upon which the entire regulatory framework is built, determining when the GDPR applies and how its protections are triggered. The classification of information as personal data brings it within the scope of the GDPR, activating a range of legal obligations for organisations. These include duties relating to lawful processing, transparency, data security, and accountability. In this way, personal data functions as the gateway that connects individuals to the rights and safeguards established under the regulation.
What constitutes personal data?
Under the General Data Protection Regulation (GDPR), Article 4(1) defines personal data as any information relating to an identified or identifiable natural person. This definition is intentionally broad and covers both direct identifiers, such as names and contact details, and indirect identifiers like IP addresses. The key idea is identifiability. Data is personal when it can be linked to a person, either directly or through reasonably available means.
Is business data also personal data?
Purely commercial or corporate information isn’t personal data and falls outside the scope of GDPR; however, the position changes the moment such information relates to an identified or identifiable natural person. The GDPR is not concerned with whether data arises in a business context, but with whether it can be linked to a human being. Accordingly, professional contact details such as employee email addresses, direct office telephone numbers, and information relating to sole traders are treated as personal data.
The difficulty lies in determining how far this principle extends. In recent years, Data Subject Access Requests (DSARs) have increasingly been deployed not merely as tools of transparency but as instruments of pre-litigation strategy. Individuals have sought to leverage access rights to obtain extensive internal and commercial documentation. This led to a fragmented judicial approach, with some courts adopting an expansive interpretation treating any information that had an “impact” on an individual as personal data.
Latest interpretation in this regard
In its December 18, 2025 ruling (I ZR 115/25), the German Federal Court of Justice (FCJ) overturned a lower court's broad interpretation of personal data in a dispute between a policyholder and a private health insurer. The policyholder had submitted a Data Subject Access Request (DSAR) under Article 15 of the GDPR to obtain copies of his premium history, which included the timing and amount of premium adjustments, tariff changes, and contract terminations.
The FCJ established a strict “identifiability test” for determining what constitutes personal data under Article 4(1) of the GDPR. The court held that it is not sufficient for information to merely have an “impact” or “effect” on an individual. Instead, the information must be inherently linked to a person in a way that allows them to be identified based on its content, purpose, or effect. Applying this test, the court concluded that abstract business and contractual information, such as the price of a specific tariff or details about premium adjustments, does not inherently allow for the identification of a specific policyholder; rather, it is considered product pricing information.
Furthermore, the FCJ drew a clear distinction regarding communications:
Documents originating directly from a data subject, such as a request to change a tariff, constitute personal data in their entirety because the individual has expressed themselves in the correspondence.
Subsequent communications by the company regarding the consequences of that request are not automatically considered personal data unless they specifically contain identifying information that meets the strict identifiability threshold.
The FCJ remanded the case to the lower court to determine whether the requested information actually met this standard of genuine identifiability, rather than focusing on the mere “effect” of the information on the individual.
Impact of this interpretation
Impact for Businesses
Reduced litigation risk and administrative burden: Companies can push back against overly broad or strategic data subject access requests, avoiding the cost and effort of disclosing large volumes of purely commercial information.
Greater legal certainty: Businesses can clearly distinguish between personal data and general business information such as pricing models, premium histories, and internal communications that do not identify an individual.
Stronger defence against mass claims: Organisations can refuse requests that are excessive or driven by abusive intent, supported by rulings such as Brillen Rottler of the Court of Justice of the European Union.
Implications for Individuals
Restricted use of access rights: GDPR can no longer be used as a backdoor tool for gathering evidence in civil disputes or supporting mass claims.
Narrower scope of accessible information: Individuals retain the right to access data that genuinely identifies them but cannot demand abstract contractual details or unredacted internal company documents merely because those documents relate to or affect them.
Re-alignment with the purpose of privacy protection: Access rights are being refocused on safeguarding personal privacy rather than enabling strategic legal advantage.
Conclusion
Whether business data qualifies as personal data under the GDPR depends on context and identifiability. The boundary is not fixed but shaped by judicial interpretation. The FCJ’s 2025 ruling marks a turning point by rejecting overly broad interpretations and emphasising genuine identifiability. The CJEU’s guidance further reinforces limits on access rights and prevents their misuse. For organisations, the path forward is clear. They should adopt precise data classification, implement robust DSAR procedures, and treat data governance as a strategic priority. In a data-driven economy, understanding the limits of personal data is essential for both compliance and competitiveness.