Why It Matters
The definition of personal data is the gateway to GDPR. If information qualifies as personal data, the full weight of GDPR applies to its processing. The EU's definition is intentionally broad — much broader than the traditional US concept of "Personally Identifiable Information" (PII). Understanding what constitutes personal data prevents organizations from unknowingly processing regulated information without safeguards.
What Counts as Personal Data
GDPR defines personal data expansively. Examples include:
Direct identifiers:
- Full name, date of birth, national ID number
- Email address, phone number, home address
- Photograph, voice recording
Indirect identifiers:
- IP address, cookie identifier, device fingerprint
- Location data, GPS coordinates
- Employee ID, student number, customer account number
- Behavioral data, purchase history, browsing patterns
Often overlooked:
- CCTV footage of identifiable individuals
- Pseudonymized data (still personal data under GDPR)
- Metadata that can identify a person in context
- Online identifiers like advertising IDs
Special Categories of Personal Data
Article 9 defines special category data that receives extra protection:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data and biometric data (when used for identification)
- Health data
- Sex life or sexual orientation
Processing special category data is prohibited by default and only permitted under specific exceptions (explicit consent, employment law obligations, vital interests, etc.).
What Is NOT Personal Data
- Truly anonymized data (where identification is irreversible)
- Company registration numbers (about legal entities, not individuals)
- Generic role-based email addresses (info@company.com) — though this is debated
- Aggregated statistical data where individuals cannot be identified
Pseudonymization vs Anonymization
Pseudonymized data (e.g., replacing names with codes) is still personal data because re-identification is possible with additional information. GDPR encourages pseudonymization as a security measure but does not exempt it from regulation.
Anonymized data is not personal data — but true anonymization is difficult to achieve. If there is any reasonable means of re-identification, the data remains personal.
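The distinction above can be made concrete in code. The following is an added example, not part of the original text: it pseudonymizes constructed customer records by replacing the direct identifiers with a keyed HMAC token, keeps the lookup table that the controller would hold, and shows that anyone with that table (or the key) can reverse the pseudonym, which is exactly why the output remains personal data. The aggregation step at the end illustrates the kind of output that moves toward the "aggregated statistical data" exception, since no row refers to an individual. The record fields, the key, and the minimum group size are all assumptions chosen for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records for the example (not real people).
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "city": "Lyon", "purchase": "book"},
    {"name": "Bob Example", "email": "bob@example.com", "city": "Lyon", "purchase": "lamp"},
    {"name": "Carol Example", "email": "carol@example.com", "city": "Porto", "purchase": "book"},
]

# Assumed secret held by the controller; in practice it lives in a key store,
# separate from the pseudonymized dataset (GDPR Art. 4(5) "additional information").
PSEUDONYM_KEY = b"constructed-example-key"


def pseudonymize(records, key):
    """Replace name and email with a keyed HMAC-SHA256 token.

    Returns the pseudonymized records and the lookup table that maps each
    token back to the original identifiers. The table is the 'additional
    information' that keeps this data personal under GDPR.
    """
    lookup = {}
    pseudonymized = []
    for rec in records:
        # Keyed hash: deterministic for the same key, so the same person
        # links across records; unrecoverable without the key or table.
        token = hmac.new(key, rec["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {"name": rec["name"], "email": rec["email"]}
        pseudonymized.append({"pseudonym": token, "city": rec["city"], "purchase": rec["purchase"]})
    return pseudonymized, lookup


def reidentify(pseudo_record, lookup):
    """Reverse a pseudonym using the controller's lookup table.

    Succeeding here is the test the page describes: if re-identification
    is possible with additional information, the data is still personal.
    """
    return lookup.get(pseudo_record["pseudonym"])


def aggregate_purchases(records, min_group_size=2):
    """Count purchases per product and suppress groups below a threshold.

    The result contains no row about any single individual, which is the
    direction anonymization has to go. The threshold is an assumed policy
    value for the example, not a figure from GDPR.
    """
    counts = Counter(r["purchase"] for r in records)
    return {product: n for product, n in counts.items() if n >= min_group_size}


if __name__ == "__main__":
    pseudo, table = pseudonymize(CUSTOMERS, PSEUDONYM_KEY)
    print("pseudonymized row:", pseudo[0])
    print("reversed with table:", reidentify(pseudo[0], table))
    print("aggregate:", aggregate_purchases(pseudo))
```

Note that the pseudonymized rows still contain `city` and `purchase`; in a small dataset those indirect identifiers may single a person out on their own, which is why the aggregation step suppresses groups below the threshold rather than publishing per-row data.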
Key Regulation
- GDPR Article 4(1) — definition of personal data
- GDPR Article 9 — special categories of personal data
- GDPR Article 4(5) — pseudonymization
- Recital 26 — the identifiability test