GDPR Personal Data: What It Is and Why It Matters
Learn what counts as personal data under GDPR, why the definition is so broad, and how to handle it correctly to stay compliant.
Understanding GDPR personal data is the foundation of every compliance program under European data protection law. If you collect, store, or process any information that could identify a living person, the General Data Protection Regulation applies to you.
This article explains what counts as personal data under GDPR, walks through real examples, and outlines the practical steps your business needs to take. This is educational content and not legal advice. Consult a qualified attorney for guidance specific to your situation.
What Is Personal Data Under GDPR?
Article 4(1) of the GDPR defines personal data as "any information relating to an identified or identifiable natural person." The regulation calls this person a "data subject." A person is identifiable if they can be recognized, directly or indirectly, by reference to an identifier such as:
- A name
- An identification number
- Location data
- An online identifier (cookies, device IDs, IP addresses)
- One or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity
The definition is intentionally broad. European regulators and courts have consistently interpreted it to capture as much identifying information as possible, putting the burden on organizations to justify why something should fall outside the definition rather than inside it.
Categories of GDPR Personal Data
Not all personal data is created equal. The GDPR draws a line between ordinary personal data and special category data, and the rules differ significantly between them.
Direct identifiers
These are the data points most people think of first. Names, email addresses, phone numbers, passport numbers, and national ID numbers all directly identify a specific person without additional context.
Indirect identifiers
Indirect identifiers require combining with other data to identify someone, but they still qualify as personal data under GDPR. Examples include:
- IP addresses (confirmed by the CJEU in the Breyer case, C-582/14)
- Cookie and device identifiers
- Employee ID numbers
- Customer reference numbers
- Pseudonymized data where re-identification is possible
Online identifiers
Recital 30 of the GDPR specifically addresses the digital world. It states that natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols. These identifiers, including cookie strings, advertising IDs, and browser fingerprints, may be used to create profiles and identify individuals.
Special category data
Article 9 of the GDPR lists categories that require heightened protection:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used for identification
- Health data
- Data concerning sex life or sexual orientation
Processing special category data is prohibited unless one of ten specific conditions in Article 9(2) applies, such as explicit consent or a substantial public interest.
What Is Not Personal Data in GDPR
The regulation does not apply to all information. Understanding the boundaries prevents over-compliance that wastes resources and under-compliance that creates risk.
Truly anonymized data falls outside the GDPR entirely. Recital 26 states that the principles of data protection should not apply to information that has been rendered anonymous in such a way that the data subject is no longer identifiable. The key test is whether re-identification is reasonably likely, considering the cost, time, and technology available.
Data about legal entities (companies, organizations) is not personal data unless it relates to identifiable individuals within those entities. A company's registered address is not personal data, but the name and direct email of the company's CEO is.
Deceased persons' data is generally excluded from the GDPR, although some EU member states extend protections through national law.
Aggregated statistics that cannot be traced back to individuals are not personal data, provided the aggregation genuinely prevents identification. Small sample sizes or unusual data combinations can undermine aggregation.
How GDPR Personal Data Affects Your Privacy Policy
Every organization that processes personal data must provide a privacy notice under Articles 13 and 14 of the GDPR. Your privacy policy must clearly explain:
- What categories of personal data you collect
- The purposes for each category
- The lawful basis for processing (consent, contract, legitimate interest, legal obligation, vital interests, or public task)
- Who receives the data, including third-party processors and international transfers
- How long you retain each category
- The rights available to data subjects
The breadth of GDPR personal data means you likely collect more of it than you realize. Website analytics tools, customer support platforms, payment processors, and marketing software all handle personal data. Your privacy policy must account for every processing activity.
A compliance scanner can help identify tracking technologies and cookies on your website that process personal data. Tools like TermsBox scan your site and map the data collection happening across your pages, so your privacy documentation reflects reality.
Lawful Bases for Processing Personal Data
Under Article 6 of the GDPR, you must have at least one lawful basis before processing any personal data. There are six options, and choosing the right one has practical consequences for how you handle that data going forward.
Consent
The data subject has given clear, informed, and unambiguous agreement to the processing. Consent must be freely given, specific, and as easy to withdraw as it was to give. Pre-ticked boxes and bundled consent do not meet the standard.
Contract
Processing is necessary to perform a contract with the data subject or to take steps at their request before entering a contract. An online store processing a shipping address to fulfill an order is a common example.
Legal obligation
Processing is necessary to comply with a legal requirement. Payroll processing, tax reporting, and anti-money laundering checks fall into this category.
Vital interests
Processing is necessary to protect someone's life. This basis is narrow and rarely used outside emergency medical situations.
Public task
Processing is necessary to perform an official function or task in the public interest. This basis applies mainly to public authorities.
Legitimate interests
Processing is necessary for your legitimate interests or those of a third party, provided those interests are not overridden by the data subject's rights. This basis requires a documented balancing test (Legitimate Interests Assessment). Common uses include fraud prevention, network security, and direct marketing to existing customers.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowData Subject Rights Related to Personal Data
When you hold GDPR personal data, data subjects gain a set of enforceable rights. Your processes and systems must be ready to respond within one month of receiving a valid request.
- Right of access (Article 15): Individuals can request confirmation of whether you process their data and obtain a copy.
- Right to rectification (Article 16): Individuals can correct inaccurate data or complete incomplete data.
- Right to erasure (Article 17): Also known as the "right to be forgotten." Individuals can request deletion when the data is no longer necessary, consent is withdrawn, or processing is unlawful.
- Right to restriction (Article 18): Individuals can request that you stop processing while accuracy or lawfulness is disputed.
- Right to data portability (Article 20): Individuals can receive their data in a structured, machine-readable format and transmit it to another controller.
- Right to object (Article 21): Individuals can object to processing based on legitimate interests or direct marketing.
Failing to honor these rights can result in complaints to supervisory authorities and fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher, under Article 83 of the GDPR.
Pseudonymization vs. Anonymization
These two concepts are frequently confused, and the distinction has direct legal consequences.
Pseudonymization replaces direct identifiers with artificial ones (tokens, hashes) while keeping the mapping available separately. Article 4(5) defines pseudonymization as processing personal data so it can no longer be attributed to a specific data subject without additional information, provided that additional information is kept separately. Pseudonymized data is still personal data under GDPR. You must still apply all GDPR requirements, but pseudonymization is recognized as a useful security measure that can reduce risk.
Anonymization permanently removes the ability to identify individuals. Once data is truly anonymized, it is no longer personal data. However, achieving genuine anonymization is harder than most organizations assume. Research has shown that as few as three data points (zip code, birth date, gender) can re-identify 87% of the U.S. population. The European Data Protection Board advises testing anonymization against reasonably likely re-identification attempts.
Practical steps to assess your approach:
- Inventory your data to identify what qualifies as personal data
- Evaluate whether pseudonymization or anonymization suits each use case
- Document your technical measures and test them against re-identification scenarios
- Update your privacy policy to accurately describe which data you process and how you protect it
GDPR Personal Data in Practice: Common Scenarios
Understanding what is personal data in GDPR matters most when you apply it to real business operations.
Website analytics
Google Analytics, Matomo, and similar tools collect IP addresses, device fingerprints, page views, and behavioral data. All of this constitutes personal data. You need a lawful basis (typically consent in the EU), a cookie policy that discloses these tools, and a consent mechanism that blocks tracking scripts until the visitor agrees.
Email marketing
Email addresses are personal data. Subscriber names, open rates tied to individual recipients, and click behavior linked to identifiable users are all covered. Document your lawful basis (consent or legitimate interest for existing customers) and provide clear unsubscribe mechanisms.
Customer support
Support tickets contain names, email addresses, and often detailed descriptions of personal situations. Retain this data only as long as necessary and ensure your support platform has appropriate data processing agreements in place.
Employee data
Payroll records, performance reviews, health information, and disciplinary files all contain personal data, much of it in the special category. Human resources teams must work closely with data protection officers to establish lawful bases, retention schedules, and access controls.
Third-party integrations
Payment processors, CRM platforms, ad networks, and analytics services all process personal data on your behalf. Under Article 28, you must have a data processing agreement with each processor that specifies the scope and safeguards of the processing.
Penalties for Mishandling GDPR Personal Data
The GDPR establishes a two-tier penalty structure. Lower-tier infringements (such as failing to maintain records of processing) can result in fines of up to 10 million EUR or 2% of global annual turnover. Higher-tier infringements (such as violating data subject rights or processing without a lawful basis) can reach 20 million EUR or 4% of global annual turnover.
Notable enforcement actions underscore the stakes:
- Meta (2023): 1.2 billion EUR fine for unlawful data transfers to the United States
- Amazon (2021): 746 million EUR fine by Luxembourg's CNPD for non-compliant ad targeting
- H&M (2020): 35.3 million EUR fine for excessive employee surveillance
Beyond fines, supervisory authorities can order you to stop processing, which can shut down core business operations. Reputational damage and loss of customer trust often exceed the financial penalty itself.
Steps to Audit Your Personal Data Processing
A structured audit reduces risk and builds the documentation regulators expect to see.
- Map your data flows. Identify every system, database, spreadsheet, and third-party service that stores or processes personal data.
- Classify the data. Distinguish between direct identifiers, indirect identifiers, and special category data.
- Assign lawful bases. Document which Article 6 basis applies to each processing activity, and add Article 9 conditions where special category data is involved.
- Review retention periods. Set and enforce maximum retention periods for each data category. Delete or anonymize data when the purpose has been fulfilled.
- Update your privacy policy. Use a privacy policy generator to ensure your notice reflects current processing activities, then review it quarterly.
- Check your processors. Verify that data processing agreements are in place with all third parties and that they meet GDPR standards.
- Test data subject rights workflows. Submit test access, deletion, and portability requests to confirm your team can respond within the one-month deadline.
- Document everything. Maintain records of processing activities under Article 30 and keep evidence of your compliance decisions.
Frequently Asked Questions
What is personal data under GDPR?
Personal data is any information that relates to an identified or identifiable natural person. This includes obvious identifiers like names and email addresses, but also IP addresses, cookie identifiers, location data, and any combination of factors that could single someone out.
Are IP addresses considered personal data under GDPR?
Yes. The Court of Justice of the European Union confirmed in the Breyer case (C-582/14) that even dynamic IP addresses can constitute personal data when combined with other information held by an internet service provider.
What is the difference between personal data and sensitive personal data in GDPR?
Personal data covers any information linked to an identifiable person. Sensitive personal data, defined in Article 9, includes racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, and sexual orientation. Sensitive data requires stricter safeguards and a specific Article 9 condition to process.
Does GDPR apply to anonymized data?
No. Truly anonymized data falls outside the scope of GDPR because it can no longer identify a person. However, pseudonymized data, where re-identification is possible with additional information, remains personal data and is fully subject to the regulation.