The GDPR - the General Data Protection Regulation - governs the processing of personal data of people in Europe. Personal data is more than just names and addresses!
The law says (we’re simplifying a bit):
“Personal data” means any information relating to an “identified” or “identifiable” natural person. This is pretty much anyone who can be identified in any way - through a name, an ID number, or a photo.
This does not include any information about companies, including trade secrets. It’s just about people (what the law calls “natural persons”).
“Personal data” includes obvious things like name, address, phone number but also much more, like:
Photos or likenesses,
Location data,
Online identifiers, like usernames or aliases,
User behavior data,
Browsing history,
Financial information,
Purchase history or customer data,
IP addresses.
The GDPR distinguishes between personal data and special categories of data (which require enhanced protections).
Special categories of data include:
Biometric data,
Health information,
Racial and ethnic origin,
Political opinions,
Genetic data.
Bottom line: the GDPR is very broad and covers pretty much everything that could be considered “personal data.”
So if your company collects any of this data (and you otherwise fall within the scope of the GDPR), you will be on the hook for following the GDPR’s rules.