Your intention and how you actually use the data are critical to an entity's compliance with the GDPR. If I am only using IP addresses for legitimate purposes of monitoring/protecting my network then that is very different to using IP addresses to assist in my tracking of users for advertising purposes for example.
The classification of data of personal data is likely beyond dispute but you are then under obligations on how you actually make use of that data.
Entities should have in place relevant protective measures to ensure that if you have only collected data for a limited purpose, it should not be used for purposes beyond that.
The classification of data of personal data is likely beyond dispute but you are then under obligations on how you actually make use of that data.
Entities should have in place relevant protective measures to ensure that if you have only collected data for a limited purpose, it should not be used for purposes beyond that.