The definition of personal data under the GDPR is broad and covers any information that relates to an identified or identifiable natural person. This means that personal data can include information such as name, email, phone number, address, date of birth, race, gender, political opinions and more. The GDPR protects personal data on all levels, platforms and technologies, and requires organizations to process it only for a specific purpose and keep it for a limited time.
The unlinked aggregated data used for statistical purposes by an Italian company would most likely NOT be covered by the definition of personal data under the GDPR. Aggregated data is data that has been processed in such a way that individual records are no longer identifiable. For example, if a company collects the names and email addresses of its customers and then calculates the average age of its customers, the resulting data is aggregated and not personal. Therefore, this type of data would not be subject to the GDPR.
However, this does not mean that the Italian company can use this type of data without any restrictions or obligations. The GDPR still applies to any processing activity that involves personal data in any form or manner. For example, if the Italian company uses this type of data to create a profile or a segment of its customers based on their characteristics or preferences, it may still need to comply with certain principles and conditions under the GDPR. For instance, it may need to obtain consent from its customers before using their aggregated data for marketing purposes; it may need to ensure that its aggregated data is accurate and up to date; it may need to limit the retention period of its aggregated data; and it may need to respect the rights of its customers regarding their personal data.