Personal Information Under GDPR: What Counts and How to Handle It
Understand what qualifies as personal information under GDPR, how to process it lawfully, and what rights individuals have. Practical guide for businesses.
Personal information under the GDPR has a far broader definition than most business owners expect. GDPR personal information rules affect every organization that collects data from individuals in the European Economic Area, regardless of where the business itself is located.
This guide breaks down what counts as personal information, how to process it lawfully, what rights individuals have over their data, and how to build compliant practices into your operations. This is educational content and not legal advice. Consult a qualified attorney for guidance tailored to your situation.
What Is Personal Information Under GDPR?
The GDPR uses the term "personal data" rather than "personal information," but the concepts are interchangeable for practical purposes. Article 4(1) defines personal data as "any information relating to an identified or identifiable natural person." An identifiable person is someone who can be recognized, directly or indirectly, by reference to an identifier.
This definition is deliberately broad. It covers:
- Direct identifiers: full name, email address, phone number, national ID number, passport number
- Online identifiers: IP addresses, cookie IDs, advertising IDs, device fingerprints, session tokens
- Location data: GPS coordinates, cell tower data, Wi-Fi access point logs, delivery addresses
- Demographic data: age, gender, nationality, language preference, marital status
- Financial data: bank account numbers, credit card details, transaction records, salary information
- Employment data: job title, employer name, work email, performance reviews
- Technical data: browser type, operating system, screen resolution (when combined with other data points)
The critical test is not whether the data names someone directly, but whether the data could be used, alone or in combination with other information reasonably available, to identify a specific individual. Recital 26 of the GDPR clarifies that the means reasonably likely to be used for identification should be considered, including the costs and time required.
Pseudonymized Data Is Still Personal Data
A common misconception is that replacing names with codes or tokens removes data from the GDPR's scope. It does not. Article 4(5) defines pseudonymization as processing personal data so it can no longer be attributed to a specific person without additional information. However, pseudonymized data remains personal data because the organization retains the ability to re-identify individuals.
Only truly anonymous data, where re-identification is irreversible and impossible by any reasonable means, falls outside the GDPR. Recital 26 confirms this distinction. In practice, achieving genuine anonymization is technically difficult, and regulators scrutinize anonymization claims closely.
Categories of GDPR Personal Information
The GDPR distinguishes between standard personal data and special categories that receive heightened protection. Understanding this distinction is essential because the rules for processing each category differ significantly.
Standard Personal Data
This covers the identifiers listed above: names, contact details, IP addresses, financial records, and similar information. Processing standard personal data requires a valid lawful basis under Article 6, which is covered in the next section.
Special Categories of Personal Data
Article 9(1) of the GDPR identifies eight categories of sensitive data that receive additional protection:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (when used for identification purposes)
- Health data
- Data concerning sex life or sexual orientation
Processing these categories is prohibited by default. Article 9(2) provides ten exceptions, including explicit consent, employment law obligations, vital interests, and substantial public interest. The bar for lawfully processing special category data is considerably higher than for standard personal data.
Criminal Conviction Data
Article 10 of the GDPR treats data relating to criminal convictions and offenses separately from special categories. This type of data can only be processed under the control of an official authority or when authorized by EU or member state law providing appropriate safeguards.
Children's Data
While not a formal "category" under Article 9, the GDPR applies additional protections to children's personal information. Article 8 requires parental consent for information society services offered directly to children, with member states setting the age threshold between 13 and 16. Privacy notices must use clear, plain language that children can understand.
Lawful Bases for Processing Personal Information Under GDPR
Every time your organization processes personal information, you need a valid legal justification. Article 6 of the GDPR provides six lawful bases, and you must identify and document which one applies before processing begins.
Consent. The data subject has given clear, affirmative agreement to the processing for one or more specific purposes. Consent must be freely given, specific, informed, and unambiguous (Article 4(11)). It must be as easy to withdraw consent as it is to give it.
Contract. Processing is necessary for the performance of a contract with the data subject, or to take steps at their request before entering a contract. This covers situations like processing a shipping address to deliver a product the customer ordered.
Legal obligation. Processing is necessary to comply with a legal obligation to which the controller is subject. Tax record retention is a common example.
Vital interests. Processing is necessary to protect someone's life. This basis is narrow and typically applies only in emergency medical situations.
Public task. Processing is necessary for performing a task in the public interest or in the exercise of official authority. This applies primarily to public bodies.
Legitimate interests. Processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the individual's rights and freedoms. This requires a balancing test documented in a Legitimate Interest Assessment (LIA).
You cannot retroactively change your lawful basis. If you initially rely on consent and the individual withdraws it, you cannot simply switch to legitimate interests for the same processing activity. This principle was reinforced by the EDPB in its Guidelines 05/2020.
Your privacy policy generator output must specify which lawful basis applies to each processing activity. Vague statements like "we process your data as necessary" fail to meet the transparency requirements of Articles 13 and 14.
Data Subject Rights Under GDPR
The GDPR grants individuals eight specific rights over their personal information. Your organization must be prepared to respond to these requests, typically within one month of receipt.
Right of Access (Article 15)
Individuals can request confirmation of whether you process their personal data, a copy of that data, and supplementary information about how and why it is processed. This is commonly known as a Data Subject Access Request (DSAR).
Right to Rectification (Article 16)
Data subjects can request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure (Article 17)
Also known as the "right to be forgotten," this allows individuals to request deletion of their personal data in specified circumstances, including when the data is no longer necessary for its original purpose, when consent is withdrawn, or when the data was unlawfully processed. This right is not absolute. Exceptions exist for legal obligations, public interest, and the exercise of legal claims.
Right to Restriction (Article 18)
Individuals can request that processing be limited (data stored but not actively used) while disputes about accuracy or lawfulness are resolved.
Right to Data Portability (Article 20)
When processing is based on consent or contract and carried out by automated means, individuals can request their personal data in a structured, commonly used, machine-readable format and have it transmitted directly to another controller.
Right to Object (Article 21)
Individuals can object to processing based on legitimate interests or public task grounds. For direct marketing, the right to object is absolute: no balancing test is needed, and processing must stop immediately.
Rights Related to Automated Decision-Making (Article 22)
Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Exceptions apply when the decision is necessary for a contract, authorized by law, or based on explicit consent.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowRight to Withdraw Consent (Article 7(3))
When processing is based on consent, individuals can withdraw that consent at any time. Withdrawal must be as straightforward as giving consent was.
How to Handle GDPR Personal Information in Practice
Understanding the law is one step. Implementing compliant data handling requires concrete operational measures across your organization.
Map Your Data
Before you can comply with the GDPR, you need to know what personal information you collect, where it comes from, where it goes, and how long you keep it. Conduct a data mapping exercise that documents:
- Every source of personal data (website forms, APIs, third-party integrations, cookies, analytics tools)
- Each processing activity and its lawful basis
- All third parties that receive personal data (processors, sub-processors, partners)
- Data storage locations and retention periods
- Technical and organizational security measures
Article 30 of the GDPR requires controllers to maintain a Record of Processing Activities (ROPA) covering these elements. The ROPA is the foundational document for your entire compliance program.
Implement Privacy by Design
Article 25 of the GDPR requires data protection by design and by default. In practice, this means:
- Collecting only the personal information you actually need (data minimization)
- Setting default configurations to the most privacy-protective option
- Building access controls so employees only see data relevant to their role
- Implementing pseudonymization or encryption where appropriate
- Reviewing privacy implications before launching new features or products
Update Your Privacy Policy
Your privacy policy must meet the disclosure requirements of Articles 13 and 14. At minimum, it must identify the controller, list each processing purpose with its lawful basis, describe data sharing and international transfers, state retention periods, and explain how individuals can exercise their rights. A privacy policy generator can help structure this information correctly, but you must verify the output against your actual practices.
Manage Cookies and Tracking
Cookies and similar tracking technologies frequently process personal information in the form of online identifiers. The GDPR, combined with the ePrivacy Directive, requires informed consent before placing non-essential cookies on a user's device.
This means your website needs:
- A cookie consent mechanism that loads before any tracking scripts fire
- Clear categorization of cookies (necessary, functional, analytics, marketing)
- The ability for users to accept or reject each category individually
- A cookie policy generator output that discloses every cookie, its purpose, its provider, and its duration
Automated scanning tools help ensure your cookie consent implementation matches reality. TermsBox scans websites for cookies and trackers, identifying discrepancies between what your consent banner offers and what your site actually loads.
Respond to Data Subject Requests
Establish internal procedures for handling DSARs and other rights requests:
- Designate a team or individual responsible for intake and triage
- Verify the requester's identity before disclosing any personal data
- Respond within one calendar month (extendable by two months for complex requests, with notification to the requester)
- Log every request, the decision made, and the reasoning for audit purposes
- Provide responses free of charge unless requests are manifestly unfounded or excessive
International Transfers of GDPR Personal Information
When personal information leaves the EEA, additional safeguards apply. Chapter V of the GDPR (Articles 44 through 50) restricts international data transfers to ensure that the protection travels with the data.
Adequacy Decisions
The European Commission can determine that a third country provides an adequate level of data protection. Transfers to adequate countries proceed without additional safeguards. As of 2026, adequate jurisdictions include the United Kingdom, Japan, South Korea, Canada (commercial organizations), Israel, Switzerland, New Zealand, and the United States (under the EU-US Data Privacy Framework for certified organizations).
Standard Contractual Clauses (SCCs)
In the absence of an adequacy decision, the most common transfer mechanism is Standard Contractual Clauses adopted by the European Commission. The current SCCs (Decision 2021/914) require a Transfer Impact Assessment evaluating whether the recipient country's legal framework undermines the protections in the clauses.
Binding Corporate Rules (BCRs)
Multinational organizations can implement BCRs, which are internal data protection policies approved by a supervisory authority, to govern intra-group transfers. The approval process is lengthy, but BCRs provide a comprehensive framework for organizations with complex global data flows.
Practical Considerations
Many common business tools involve international transfers. Using a US-based email provider, analytics platform, or cloud hosting service means personal information leaves the EEA. Audit your vendor stack, ensure appropriate transfer mechanisms are in place, and document the safeguards in your ROPA and privacy policy.
Personal Information GDPR Penalties and Enforcement
The GDPR's enforcement regime gives the rules around personal information real teeth. Understanding the penalty structure helps prioritize compliance investments.
Penalty Tiers
The GDPR uses a two-tier fine structure:
- Upper tier (Article 83(5)): Up to 20 million EUR or 4% of annual global turnover, whichever is higher. Applies to violations of processing principles, lawful basis requirements, consent conditions, data subject rights, and international transfer rules.
- Lower tier (Article 83(4)): Up to 10 million EUR or 2% of annual global turnover. Applies to obligations of controllers and processors, including record-keeping, data protection by design, breach notification, and DPO requirements.
Notable Fines
Enforcement actions demonstrate how regulators interpret personal information rules in practice:
- Meta (Ireland, 2023): 1.2 billion EUR for transferring personal data to the US without adequate safeguards after the Schrems II decision invalidated the Privacy Shield.
- Amazon (Luxembourg, 2021): 746 million EUR for processing personal data for targeted advertising without adequate consent.
- WhatsApp (Ireland, 2021): 225 million EUR for failing to meet transparency requirements in how it communicated data processing to users.
- H&M (Hamburg, 2020): 35.3 million EUR for unlawful processing of employee personal data including health information and family details.
Beyond Financial Penalties
Supervisory authorities can also order organizations to stop processing, delete personal data, or implement specific corrective measures. These operational orders can be more disruptive than fines. A processing ban on core business data can effectively halt operations until compliance is achieved.
Enforcement decisions are public, and media coverage of GDPR fines has made data protection a board-level concern. The reputational impact of a finding that your organization mishandled personal information often exceeds the financial penalty itself.
Frequently Asked Questions
What qualifies as personal information under the GDPR?
Under Article 4(1) of the GDPR, personal information (officially termed 'personal data') is any information relating to an identified or identifiable natural person. This includes obvious identifiers like names and email addresses, but also extends to IP addresses, cookie identifiers, location data, device fingerprints, and any combination of data points that could single out an individual.
Is an IP address considered personal information under GDPR?
Yes. The Court of Justice of the European Union confirmed in Breyer v. Bundesrepublik Deutschland (Case C-582/14) that even dynamic IP addresses qualify as personal data when the controller has lawful means to identify the individual behind them. Both static and dynamic IP addresses are treated as personal information under the GDPR.
What is the difference between personal data and sensitive personal data under GDPR?
Standard personal data includes identifiers like names, email addresses, and phone numbers. Sensitive personal data, defined in Article 9 of the GDPR as 'special categories,' includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data about sex life or sexual orientation. Processing sensitive data requires meeting stricter conditions beyond the standard six lawful bases.
What are the penalties for mishandling personal information under GDPR?
The GDPR imposes a two-tier penalty structure. Violations of data processing principles or data subject rights carry fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher, under Article 83(5). Administrative violations such as record-keeping failures carry fines of up to 10 million EUR or 2% of turnover under Article 83(4).