Glossary

personal data

Personal data commonly refers to information that can identify a specific person, directly or indirectly, including in industrial and OT/IT systems.

Personal data commonly refers to any information that relates to an identified or identifiable natural person. A person is identifiable if they can be identified directly or indirectly, for example by a name, an ID number, location data, an online identifier, or by factors specific to their physical, economic, cultural, or social identity.

What personal data includes

In industrial and manufacturing environments, personal data can appear in many business and technical systems. Examples include:

  • Basic identity and HR data, such as employee names, addresses, contact details, and personnel IDs
  • Login credentials and identifiers, such as usernames, badge IDs, and user accounts in MES, ERP, historian, or QMS systems
  • Time, attendance, and shift records linked to specific employees or contractors
  • Training, qualification, and competency records associated with named individuals
  • Device, network, or system logs when they can be tied back to a specific person (for example, IP logs, access logs, or audit trails showing who performed which action)
  • Operational performance data when it is attributable to an individual (for example, workcenter output tied to a specific operator ID)

Personal data may be stored in both IT and OT systems, including ERP, MES, maintenance systems, laboratory systems, access control systems, and document management or electronic batch record tools.

What personal data does not include

Personal data generally does not include:

  • Information that has been anonymized so that no individual can be identified, provided re-identification is not reasonably possible
  • Purely technical or machine data with no link to a specific person (for example, sensor readings, machine cycle counts, or generic equipment IDs)
  • Aggregated statistics about groups, when individuals cannot be singled out or traced

Pseudonymized data, where direct identifiers are replaced with codes, may still be considered personal data if re-identification is possible using additional information.

Operational relevance in regulated environments

In regulated manufacturing and industrial operations, personal data considerations commonly intersect with:

  • Access control and user account management for MES, SCADA, historians, and other OT/IT applications
  • Audit trails and electronic records that log who created, reviewed, or approved work instructions, batch records, deviations, or CAPAs
  • Video surveillance and physical access control to production areas, warehouses, and control rooms
  • Quality and safety incident records that reference specific operators or supervisors
  • Cross-border data transfers where centralized IT or cloud services process employee or contractor information

Handling personal data typically requires defined governance, retention rules, and technical and organizational controls that align with applicable data protection laws and internal policies. Specific legal requirements depend on jurisdiction and regulation and are outside the scope of this definition.

Common confusion

Personal data is sometimes confused with:

  • General business or technical data, such as production volumes, machine parameters, or recipe data. These are not personal data unless they can be linked to an identifiable person.
  • Sensitive or special-category data. All such data are personal data, but not all personal data are sensitive. Sensitive categories (such as health data) may be subject to stricter rules than basic identity or contact data.
  • Confidential company information. Trade secrets or proprietary process data may be protected for business reasons but are only personal data if they relate to an identifiable individual.

Link to information security and data protection standards

Information security frameworks, such as those used in industrial environments to protect OT and IT, often treat personal data as a specific type of information asset. Controls for access, logging, backup, and incident response can help support data protection obligations but do not, by themselves, establish legal compliance. Data protection regulations define how personal data may be collected, stored, used, and shared and typically require ongoing governance, risk assessment, and change control across systems that process this data.
