What is Personal Data Under GDPR? Definition & Examples

Why It Matters

The definition of personal data is the gateway to GDPR. If information qualifies as personal data, the full weight of GDPR applies to its processing. The EU's definition is intentionally broad — much broader than the traditional US concept of "Personally Identifiable Information" (PII). Understanding what constitutes personal data prevents organizations from unknowingly processing regulated information without safeguards.

What Counts as Personal Data

GDPR defines personal data expansively. Examples include:

Direct identifiers:

Full name, date of birth, national ID number
Email address, phone number, home address
Photograph, voice recording

Indirect identifiers:

IP address, cookie identifier, device fingerprint
Location data, GPS coordinates
Employee ID, student number, customer account number
Behavioral data, purchase history, browsing patterns

Often overlooked:

CCTV footage of identifiable individuals
Pseudonymized data (still personal data under GDPR)
Metadata that can identify a person in context
Online identifiers like advertising IDs

Special Categories of Personal Data

Article 9 defines special category data that receives extra protection:

Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data and biometric data (when used for identification)
Health data
Sex life or sexual orientation

Processing special category data is prohibited by default and only permitted under specific exceptions (explicit consent, employment law obligations, vital interests, etc.).

What Is NOT Personal Data

Truly anonymized data (where identification is irreversible)
Company registration numbers (about legal entities, not individuals)
Generic role-based email addresses (info@company.com) — though this is debated
Aggregated statistical data where individuals cannot be identified

Pseudonymization vs Anonymization

Pseudonymized data (e.g., replacing names with codes) is still personal data because re-identification is possible with additional information. GDPR encourages pseudonymization as a security measure but does not exempt it from regulation.

Anonymized data is not personal data — but true anonymization is difficult to achieve. If there is any reasonable means of re-identification, the data remains personal.

Key Regulation

GDPR Article 4(1) — definition of personal data
GDPR Article 9 — special categories of personal data
GDPR Article 4(5) — pseudonymization
Recital 26 — the identifiability test

Personal Data

Why It Matters

What Counts as Personal Data

Special Categories of Personal Data

What Is NOT Personal Data

Pseudonymization vs Anonymization

Key Regulation

GDPR vs UK GDPR: Key Differences, Transfer Mechanisms, and Practical Implications in 2026

AI Literacy Under the EU AI Act Article 4: What Every Organisation Must Do Before August 2025

What Is a Privacy Impact Assessment (PIA)? Complete Guide for 2026

Want more than the definition?

Personal Data

Why It Matters

What Counts as Personal Data

Special Categories of Personal Data

What Is NOT Personal Data

Pseudonymization vs Anonymization

Key Regulation

GDPR vs UK GDPR: Key Differences, Transfer Mechanisms, and Practical Implications in 2026

AI Literacy Under the EU AI Act Article 4: What Every Organisation Must Do Before August 2025

What Is a Privacy Impact Assessment (PIA)? Complete Guide for 2026

Want more than the definition?