TL;DR
- GDPR protects personal data linked to living individuals. It does not generally apply to purely corporate information.
- Personal data includes both direct identifiers, such as names and ID numbers, and indirect identifiers, such as IP addresses and location data.
- Special category data, including health, biometric, and religious belief data, requires a higher standard of protection under Article 9.
- Pseudonymized data is still personal data under GDPR. Only genuinely anonymous data falls outside the regulation's scope.
- Businesses must identify what personal data they hold before they can meet any of their GDPR obligations, from lawful basis to breach notification.
What Is Personal Data Under GDPR?
Definition, Examples, and Special Categories
Quick answer: Under GDPR, personal data is any information that identifies or can identify a living individual, either directly or indirectly. This includes names, ID numbers, location data, online identifiers, financial details, and biometric data. Some data, such as health records, religious beliefs, and ethnic origin, is classified as special category data and requires stronger legal protection.
GDPR applies whenever an organization processes personal data. Under the regulation, personal data means any information that identifies a living individual or could be used to identify them. This applies either on its own or when combined with other data.
This includes obvious identifiers like names and ID numbers, as well as online identifiers, location data, and employment and financial records. Getting this definition right is the starting point for every GDPR compliance decision a business makes.
This article is for general information purposes only and does not constitute legal advice. For advice specific to your situation, consult a qualified legal professional.
What Is Personal Data Under GDPR?
Personal data is defined in Article 4(1) of the GDPR as "any information relating to an identified or identifiable natural person." An identifiable person is someone who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
The definition is intentionally broad. It covers far more than a name on a form. Any piece of information that could be used to single out an individual, either alone or alongside other data, falls within its scope.
There are two ways a person can be identified from data:
- Directly, through an identifier that points to them without needing anything else, such as a full name or national ID number
- Indirectly, through a combination of details that together make identification possible, such as a job title, employer name, and town of residence used together
GDPR Recital 26 clarifies that when assessing whether identification is reasonably possible, all available means must be considered. This includes the cost and time required, the technology available, and how the data is likely to be used.
For a broader overview of how the regulation approaches this concept in practice, see Protecting Personal Data under GDPR.
Who Is Protected Under GDPR?
GDPR protects information linked to living individuals. It does not apply to data about people who have died.
The regulation also does not generally apply to information about companies or other legal entities on its own. A company registration number, a business address, or a corporate email address in the format info@company.com typically falls outside GDPR's scope. Such information does not identify a specific individual.
However, business records frequently contain personal data. A work email in the format firstname.lastname@company.com identifies an employee. A contract signed by a named individual includes personal data.
A client record containing a contact's name and phone number is personal data, even if it also contains company details.
The key question is always whether a living individual can be identified from the information, not whether the record also relates to a business.
What Counts as Personal Data?
Personal data covers a wide range of information. It is useful to think about it in categories.
Direct Identifiers
These are pieces of information that identify a person on their own, without needing to be combined with anything else.
- Full name
- National identity number
- Passport number
- Tax identification number
- Social security number
- Photograph showing a person's face
Indirect Identifiers
These are pieces of information that may not identify someone alone but can do so when combined with other available data.
- Email address
- Home or work address
- Phone number
- IP address
- Device identifiers and cookie IDs
- GPS location data
- Employee number or staff ID
- Date of birth
- Account numbers
- Vehicle registration plate
The European Data Protection Board (EDPB) and the UK Information Commissioner's Office (ICO) have both confirmed that IP addresses and cookie identifiers qualify as personal data in most circumstances. They can be used to identify a user indirectly when combined with other information held by the controller or available to them.
Examples of Personal Data Under GDPR
The following are all examples of personal data under GDPR:
- A customer's full name and billing address stored in a CRM system
- An employee's work email address and payroll records
- A website visitor's IP address logged in server records
- A photograph of a named individual in a company directory
- A GPS location trace linked to a user account
- A phone number associated with a registered account
- Biometric data used to authenticate a user's identity
- A signed contract containing a person's name and signature
- A patient's medical history held by a healthcare provider
- A cookie identifier linked to a user's browsing behavior
This list is not exhaustive. If information relates to a living individual and could reasonably be used to identify them, it is likely to be personal data under GDPR.
If your website collects any of this data from users, review the privacy-document requirements covered in 3 Legal Documents Your Website Cannot Do Without.
What Is Special Category Data?
Special category data is a subset of personal data that is considered more sensitive and is subject to stricter processing rules under GDPR.
Article 9 of the GDPR prohibits the processing of special category data unless a specific legal condition applies. The threshold for lawful processing is higher than for ordinary personal data. Organizations must demonstrate both a lawful basis under Article 6 and a separate condition under Article 9.
Special category data includes information about:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data processed for the purpose of uniquely identifying a person
- Health data
- A person's sex life or sexual orientation
The heightened protection exists because misuse of this type of data can cause serious harm. Consequences can include discrimination, loss of employment, or physical danger to the individual concerned.
Note that biometric data is only special category data when processed for the purpose of uniquely identifying a person. Examples include fingerprint scanning or facial recognition used for access control. A photograph is personal data, but it only becomes special category data if processed through facial recognition technology.
For a concise summary of how GDPR distinguishes ordinary personal data from sensitive data, see Protecting Personal Data under GDPR.
What Is Not Personal Data Under GDPR?
Not all data falls within GDPR's scope. The following types of information are generally not considered personal data:
Truly anonymous data. If data has been anonymized so that re-identifying any individual is impossible, even using all reasonably available means, it falls outside GDPR. GDPR Recital 26 confirms this, but also cautions that anonymization must be genuine and irreversible. Simply removing a name is rarely sufficient.
Purely corporate information. A company's registered name, business address, VAT number, or general contact email does not relate to an identifiable individual. It is not personal data on its own.
Aggregated statistics. Data combined and summarized so that no individual can be identified from the result is not personal data. For example, "35% of users accessed the platform on mobile" is not personal data.
The practical test is always the same: can a living individual be identified from this information, directly or indirectly, using reasonably available means? If the honest answer is no, GDPR does not apply to that data.
Personal Data vs Pseudonymized Data vs Anonymous Data
These three categories are often confused. The distinction matters because GDPR treats them very differently.
Pseudonymization means replacing direct identifiers, such as a name, with a code or token, while keeping a separate key that allows re-identification. GDPR Article 4(5) defines pseudonymization as a security measure that reduces risk, but pseudonymized data is still personal data because re-identification remains possible. GDPR still applies in full.
Anonymization goes further. Truly anonymous data cannot be linked back to any individual by any reasonably available means. Only at this point does the data fall outside GDPR's scope entirely.
Achieving genuine anonymization is technically demanding and should be assessed carefully before treating data as exempt.
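As an added illustration of the three categories above (example code written for this article, not taken from any cited source), the Python below pseudonymizes constructed customer records with a keyed token while the controller keeps a lookup table, shows that the holder of that table can re-identify the subject, shows that stripping only the name leaves indirect identifiers behind, and derives an aggregate statistic of the kind the article treats as anonymous. The records, field names and key are all constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: fictitious people, documentation-range IPs.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "ip": "192.0.2.10", "device": "mobile"},
    {"name": "Bob Example", "email": "bob@example.org", "ip": "192.0.2.11", "device": "desktop"},
    {"name": "Carol Example", "email": "carol@example.org", "ip": "192.0.2.12", "device": "mobile"},
]

# Fields the article lists as direct (name) or indirect (email, IP) identifiers.
IDENTIFIER_FIELDS = {"name", "email", "ip"}


def pseudonymize(records, key):
    """Replace identifiers with a keyed token (HMAC-SHA256 of the email).

    Returns the tokenized records and a lookup table mapping token -> identifiers.
    The key and the table are the 'additional information' of Article 4(5): kept
    separately by the controller, they allow re-identification, so the output is
    pseudonymized personal data, not anonymous data.
    """
    lookup, out = {}, []
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {f: r[f] for f in IDENTIFIER_FIELDS}
        out.append({"subject": token, "device": r["device"]})
    return out, lookup


def reidentify(token_record, lookup):
    """Whoever holds the lookup table can turn a token back into a person."""
    return lookup[token_record["subject"]]


def remaining_identifiers(record):
    """Identifier fields still present; if non-empty, the record is still personal data."""
    return sorted(IDENTIFIER_FIELDS & set(record))


def strip_name_only(record):
    """The 'just delete the name' approach the article warns is rarely sufficient."""
    return {k: v for k, v in record.items() if k != "name"}


def mobile_share_percent(records):
    """Aggregate statistic of the kind the article treats as anonymous: no row survives."""
    counts = Counter(r["device"] for r in records)
    return round(100 * counts["mobile"] / len(records))
```

Discarding the key and lookup table is necessary for anonymization but not sufficient on its own: `remaining_identifiers` still has to come back empty, and the same token reappears for the same person across datasets as long as the key is reused.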
For a related discussion about how changing definitions of identifiability could affect GDPR scope, see EU Omnibus Package: What Legal Teams Need to Know.
Why This Definition Matters for Businesses
The definition of personal data is the gateway to GDPR compliance. If the data an organization processes does not include personal data, GDPR does not apply. If it does, every obligation under the regulation is triggered.
Getting the classification right has direct consequences for:
Lawful basis. Organizations must identify a lawful basis under Article 6 before processing personal data. Without first classifying the data, there is nothing to assess a lawful basis against.
Data minimization. GDPR requires that only the personal data necessary for the stated purpose is collected. This cannot be applied without knowing what counts as personal data in the first place.
Retention and deletion. Personal data must not be kept longer than necessary. Identifying what data is personal data is the first step in building a compliant retention schedule.
Security obligations. Article 32 requires appropriate technical and organizational measures to protect personal data. Knowing what data qualifies determines where those controls must be applied.
For practical guidance on building those controls, see In-House Legal Guide to Safeguarding Company Data.
Vendor contracts. Where a third party processes personal data on behalf of an organization, a data processing agreement is required under Article 28. This obligation only arises if personal data is involved.
Breach notification. A personal data breach must be reported to the relevant supervisory authority within 72 hours under Article 33. Organizations cannot assess breach obligations without first knowing whether the data involved is personal data.
If your team is operationalizing these obligations at scale, see Navigating GDPR in EU With Legal Compliance Software. It offers a practical look at how organizations manage ongoing compliance.
Common Mistakes Businesses Make
Assuming work email addresses are not personal data. A work email in the format firstname.lastname@company.com identifies a specific employee. It is personal data.
Treating IP addresses as non-personal. IP addresses are personal data in most contexts. Both the EDPB and the Court of Justice of the European Union have confirmed this position.
Confusing pseudonymization with anonymization. Replacing names with codes does not remove data from GDPR's scope. The data is still personal data as long as re-identification is possible.
Overlooking personal data in contracts and HR records. Signed contracts, offer letters, performance reviews, and supplier agreements frequently contain personal data. These records are subject to GDPR even if they are primarily business documents.
Ignoring CRM and marketing data. Customer names, contact details, and behavioral data held in CRM or marketing platforms are personal data. They require a lawful basis, appropriate security, and a clear retention policy.
Organizations using AI systems should also be careful not to miss privacy risks in model training, monitoring, and data use. See Privacy Issues With AI for related guidance.
Frequently Asked Questions
Is an IP address personal data under GDPR?
Does GDPR apply to information about companies?
What is the difference between personal data and special category data?
What is the difference between pseudonymized and anonymous data?
Can data become personal data when combined with other information?