Yes, actually the AVG (GDPR) is very broad in what it considers personal data.

Sadly that means it is not enforced well since it is too broad to be enforced in a meaningful way. And therefore it is violated A LOT, both by companies or people since no one can be bothered!

AVG (GDPR) includes the following things as personal data: name, address, phone number, passport photo, information about someone's behavior on websites, allergies, customer or staff numbers, recognizable recordings and more.

Rule of thumb, any information that can be used to relate a specific person.