The General Data Protection Regulation (GDPR) governs the processing of the personal data of natural persons in the EU. Put simply, anything that relates to an identified or identifiable living person falls under the GDPR as soon as that data is processed wholly or partly by automated means or as part of a filing system. Three questions are therefore decisive: which data is affected, which activities count as processing, and who is subject to the regulation.
Which data falls under the GDPR?
The GDPR protects personal data, meaning any information that makes a person directly or indirectly identifiable.
Examples of personal data
- Name, address, phone number, and email address
- Location data, IP addresses, and online identifiers (e.g. cookies)
- ID card, social security, or customer numbers
- Economic, cultural, or social characteristics of a person
Special categories (particularly sensitive data)
Stricter rules apply to certain data under Article 9 GDPR:
- Racial or ethnic origin, political opinions, religious or philosophical beliefs
- Health data as well as data concerning a person's sex life or sexual orientation
- Genetic and biometric data used for unique identification
- Data on trade union membership
What counts as processing?
The GDPR applies as soon as personal data is processed. The term is defined very broadly and covers practically any handling of data:
- Collecting, recording, and storing
- Organizing, altering, and retrieving
- Using, disclosing, and transmitting
- Erasing or destroying
What does not fall under the GDPR?
- Anonymous data: information that can no longer be attributed to any person.
- Data of deceased persons: the GDPR protects only living persons (national rules may differ).
- Purely private or household activities: for instance a private address book with no professional context.
Who does the GDPR apply to?
The regulation applies to controllers and processors. Territorially, it applies not only to companies in the EU but also to providers outside the EU, provided they offer goods or services to people in the EU or monitor their behaviour (the marketplace principle).
How Kertos supports data protection
Knowing what falls under the GDPR is the first step. Keeping a lasting overview of all data types, processing activities, and obligations is the real challenge. Kertos combines an agentic compliance platform (KAIA) with accredited in-house experts who work alongside your team:
- Automated data discovery: personal data and processing activities are identified and classified.
- Record of processing activities: the record required under Article 30 GDPR is maintained in a structured way and kept current.
- Data subject requests: access and deletion requests are handled in an automated way.
- External DPO mandates: on request, Kertos provides an external Data Protection Officer and takes on the subject-matter responsibility.
This is reflected in Kertos's track record: a 100% audit pass rate, roughly 80% less manual compliance effort, a customer satisfaction of 98%, and customers like AskUI reaching ISO 27001 certification in just 8 to 10 weeks. The result is data protection that is not only understandable but also under lasting control.