Yes, according to the definition in OC 11, personal data includes also “online and device identifiers“.
Examples of such identifiers are:
- Internet protocol (IP) addresses;
- cookie identifiers; and
- other identifiers such as radio frequency identification (RFID) tags.
These identifiers refer to information that is related to an individual’s tools, applications, or devices, like their computer or smartphone. The above is by no means an exhaustive list. Any information that could identify a specific device, like its digital fingerprint, are identifiers.
And these identifiers can leave traces which may be used to create a profile of the device user and his identification, especially if combined with unique identifiers and other information received by servers.
Therefore, both dynamic and static IP addresses are considered personal data, as they allow the direct or indirect identification of the individual using the corresponding device.