TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. What Is GDPR Data? Types, Rules, and Compliance Guide
Legal Compliance

What Is GDPR Data? Types, Rules, and Compliance Guide

Learn what GDPR data means, which data types are protected, and how to comply. Covers personal data definitions, special categories, and penalties.

TermsBox Team|April 2, 202613 min read

Understanding what GDPR data is forms the foundation of compliance for any business that serves European users. If your website collects names, email addresses, IP addresses, or sets cookies for visitors in the EU or EEA, the General Data Protection Regulation classifies that information as protected data with strict rules governing how you handle it.

This guide explains what qualifies as GDPR data, the different categories the regulation defines, your obligations as a data controller or processor, and the practical steps needed to stay compliant. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.

What Is GDPR Data? The Legal Definition

GDPR data refers to any personal data that falls under the scope of the General Data Protection Regulation, the European Union's comprehensive data protection law that took effect on 25 May 2018. The regulation defines personal data in Article 4(1) as "any information relating to an identified or identifiable natural person."

An identifiable natural person is someone who can be identified, directly or indirectly, by reference to an identifier such as:

  • A name
  • An identification number
  • Location data
  • An online identifier (IP address, cookie ID, device fingerprint)
  • One or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person

The definition is deliberately broad. The European Court of Justice has consistently interpreted it expansively, ruling that even data requiring significant effort to link back to an individual still qualifies as personal data if identification is reasonably possible.

What makes the GDPR definition different

Unlike older data protection frameworks that focused on obviously identifying information like names and social security numbers, the GDPR captures data that identifies someone indirectly. A browsing history paired with a device fingerprint may not look like personal data on its own, but if that combination can single out an individual, the GDPR treats it as protected data.

This means most websites process GDPR data whether they realize it or not. Running Google Analytics, embedding YouTube videos, or using a Facebook pixel all involve collecting identifiers that fall under the regulation's scope.

Types of GDPR Data Your Website Likely Collects

When asking "what is GDPR data" in a practical context, it helps to look at the specific data types websites commonly process. Most fall into one of three categories defined by the regulation.

Standard personal data

This is the broadest category and includes any information that identifies an individual:

  • Contact information: names, email addresses, phone numbers, physical addresses
  • Account data: usernames, passwords (hashed), profile pictures
  • Financial data: payment card details, bank account numbers, transaction histories
  • Technical identifiers: IP addresses, browser fingerprints, cookie IDs, device IDs
  • Behavioral data: pages visited, clicks, time spent on pages, purchase history
  • Communication data: emails, chat messages, support tickets, form submissions

Special category data (sensitive data)

Article 9 of the GDPR identifies categories of data that require extra protection because of their sensitive nature. Processing this data is prohibited by default unless one of the specific exceptions in Article 9(2) applies:

  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership
  5. Genetic data
  6. Biometric data used for identification
  7. Health data
  8. Data concerning sex life or sexual orientation

If your website collects any of these, for example a health app processing medical information or an HR platform handling diversity data, you need an explicit legal basis such as explicit consent under Article 9(2)(a) or compliance with employment law under Article 9(2)(b).

Criminal conviction data

Article 10 creates a separate category for data related to criminal convictions and offenses. Only official authorities may process this data, or other organizations when authorized by EU or member state law.

How GDPR Data Differs from Non-Personal Data

Not all data your website handles is GDPR data. The regulation only applies to information that relates to an identified or identifiable living person. Several types of data fall outside its scope.

Anonymized data is genuinely irreversible. If you strip all identifiers from a dataset so that no individual can ever be re-identified, even by combining it with other available data, the result is no longer personal data. However, achieving true anonymization is difficult, and regulators scrutinize claims of anonymization closely.

Pseudonymized data is still GDPR data. Replacing a name with a random token does not remove the data from the regulation's scope if the original identity can be restored using additional information held separately. Article 4(5) explicitly defines pseudonymization and confirms it remains subject to the GDPR.

Aggregated statistics fall outside the GDPR when they cannot be traced back to individuals. Stating that "3,000 users visited from Germany last month" is not personal data. But if the dataset behind that statistic can isolate individual visitors, the underlying data is still protected.

Data about deceased persons is generally not covered by the GDPR, though individual member states may extend protections under their own laws.

Legal Bases for Processing GDPR Data

Understanding what GDPR data is also means understanding when you are allowed to process it. Article 6 lists six legal bases, and you must identify at least one before collecting any personal data.

  1. Consent: The individual has given clear, affirmative agreement to the processing for a specific purpose. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not qualify.
  2. Contractual necessity: Processing is necessary to fulfill a contract with the individual or to take steps before entering into a contract. Processing a shipping address to deliver an order is a clear example.
  3. Legal obligation: Processing is required to comply with a legal duty, such as retaining financial records for tax purposes.
  4. Vital interests: Processing is necessary to protect someone's life. This basis is rarely applicable to standard business operations.
  5. Public interest: Processing is necessary for a task carried out in the public interest or in the exercise of official authority. This applies mainly to government bodies.
  6. Legitimate interests: Processing is necessary for your legitimate interests, provided those interests are not overridden by the individual's rights. This is the most flexible basis but requires a documented balancing test.

Most websites rely on consent (for cookies and marketing), contractual necessity (for service delivery), and legitimate interests (for security and analytics). Your privacy policy must disclose which legal basis you rely on for each processing activity, as required by Article 13(1)(c).

GDPR Data Subject Rights

The GDPR grants individuals (called data subjects) a set of rights over their personal data. As a data controller, you must be able to respond to these requests within one month under Article 12(3).

The eight data subject rights

  • Right of access (Article 15): Individuals can request a copy of all personal data you hold about them, along with details about how you process it.
  • Right to rectification (Article 16): Individuals can request correction of inaccurate data or completion of incomplete data.
  • Right to erasure (Article 17): Also known as the "right to be forgotten," individuals can request deletion of their data when it is no longer necessary for its original purpose, when they withdraw consent, or when processing is unlawful.
  • Right to restrict processing (Article 18): Individuals can request that you stop processing their data while a dispute about its accuracy or legality is resolved.
  • Right to data portability (Article 20): Individuals can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object (Article 21): Individuals can object to processing based on legitimate interests or public interest, including profiling.
  • Rights related to automated decision-making (Article 22): Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
  • Right to withdraw consent (Article 7(3)): When processing is based on consent, individuals can withdraw that consent at any time, and you must make withdrawal as easy as giving consent.

Your privacy policy and data handling procedures must explain how users exercise these rights and provide contact information for requests. Failure to respond within the mandated timeframe is itself a violation.

GDPR Data Protection Obligations for Website Owners

Knowing what GDPR data is only matters if you act on it. The regulation imposes specific obligations on anyone who processes personal data.

Data protection by design and by default

Article 25 requires you to build data protection into your systems from the start, not as an afterthought. This means:

  • Collecting only the data you actually need (data minimization)
  • Setting default privacy settings to the most protective option
  • Implementing technical measures like encryption and pseudonymization
  • Conducting Data Protection Impact Assessments for high-risk processing

Records of processing activities

Article 30 requires organizations with more than 250 employees (or those processing sensitive data, regardless of size) to maintain written records of all processing activities. These records must include the purposes of processing, categories of data subjects and data, recipients, international transfers, and retention periods.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Data breach notification

Articles 33 and 34 require you to notify your supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights. If the breach poses a high risk, you must also notify the affected individuals directly.

International data transfers

Chapter V of the GDPR restricts transfers of personal data outside the EEA. You may only transfer GDPR data to countries that the European Commission has deemed to provide adequate protection, or under appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules.

Cookie consent and tracking

The GDPR, together with the ePrivacy Directive, requires informed consent before placing non-essential cookies or similar tracking technologies. This means your website needs a cookie consent mechanism that allows users to make genuine choices. A compliance scanner can identify what cookies and trackers your site sets, making it easier to maintain accurate disclosures in your cookie policy.

Penalties for Mishandling GDPR Data

The GDPR uses a two-tier penalty structure designed to make non-compliance financially painful.

Tier 1 (Article 83(4)): Fines of up to 10 million EUR or 2% of the undertaking's annual global turnover, whichever is higher. This tier covers violations related to:

  • Data protection by design and default obligations
  • Record-keeping requirements
  • Data Protection Officer appointment
  • Certification body obligations

Tier 2 (Article 83(5)): Fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher. This tier covers more serious violations including:

  • Unlawful processing (no valid legal basis)
  • Failure to obtain valid consent
  • Violation of data subject rights
  • Unauthorized international data transfers

Real enforcement examples

Regulators have shown they are willing to use these powers:

  • Amazon received a 746 million EUR fine from Luxembourg's CNPD in 2021 for targeted advertising practices.
  • Meta was fined 1.2 billion EUR by Ireland's DPC in 2023 for transferring EU user data to the United States without adequate safeguards.
  • Google received a 150 million EUR fine from France's CNIL for making cookie rejection more difficult than acceptance.

Small and medium businesses are not exempt. Regulators across the EU have issued fines in the thousands to tens of thousands of euros against small companies for violations like failing to maintain a privacy policy, using cookie consent mechanisms that did not meet GDPR standards, or ignoring data subject access requests.

Practical Steps to Handle GDPR Data Correctly

Compliance with GDPR data requirements involves both legal preparation and technical implementation. Here is a practical checklist.

Audit your data collection

Before anything else, map what personal data your website collects:

  • Review all forms (contact, signup, checkout, surveys)
  • Identify cookies and tracking scripts (analytics, advertising, social embeds)
  • Check third-party integrations and what data they access
  • Document data flows: where data goes, who receives it, and how long you keep it

Tools like a website compliance scanner can automate this process by crawling your site and identifying cookies, trackers, and third-party requests you might not know about.

Establish legal bases

For each type of data you collect, determine and document which legal basis from Article 6 applies. Do not default to consent for everything. Consent adds operational burden because users can withdraw it at any time, so use contractual necessity or legitimate interests where appropriate.

Implement consent mechanisms

For data collection that requires consent, particularly cookies and marketing:

  • Use a consent banner that allows granular choices (not just "accept all")
  • Record consent with a timestamp and proof of what the user agreed to
  • Make withdrawing consent as easy as giving it
  • Do not load non-essential scripts until consent is obtained

Create compliant documentation

Your website needs a privacy policy that discloses every element required by Articles 13 and 14. You can use a privacy policy generator to create a compliant document that covers your specific data practices, including GDPR-required disclosures like legal bases, data subject rights, international transfers, and Data Protection Officer contact details.

Build response procedures

Create internal procedures for handling data subject requests. Define who is responsible for responding, how you verify the requester's identity, where the data is stored, and how you fulfill erasure requests across all systems including backups.

Frequently Asked Questions

What counts as personal data under the GDPR?

Personal data under the GDPR is any information that can identify a living individual, either directly or indirectly. This includes obvious identifiers like names and email addresses, but also IP addresses, cookie identifiers, device IDs, location data, and even behavioral patterns when they can be linked back to a specific person.

Is an IP address considered GDPR data?

Yes. The GDPR explicitly recognizes IP addresses as personal data. Recital 30 of the regulation states that online identifiers such as IP addresses and cookie identifiers can be used to create profiles of individuals, making them personal data when combined with other information.

What is the difference between personal data and special category data?

Personal data is any information identifying an individual, while special category data is a subset that receives extra protection due to its sensitive nature. Special category data includes racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, genetic data, sex life, and trade union membership. Processing special category data requires an explicit legal basis under Article 9.

What are the penalties for mishandling GDPR data?

The GDPR imposes a two-tier penalty structure. Less severe infringements carry fines of up to 10 million EUR or 2% of annual global turnover, whichever is higher. More serious violations, including unlawful processing or failure to obtain valid consent, carry fines of up to 20 million EUR or 4% of annual global turnover.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is GDPR Data? The Legal Definition
  • What makes the GDPR definition different
  • Types of GDPR Data Your Website Likely Collects
  • Standard personal data
  • Special category data (sensitive data)
  • Criminal conviction data
  • How GDPR Data Differs from Non-Personal Data
  • Legal Bases for Processing GDPR Data
  • GDPR Data Subject Rights
  • The eight data subject rights
  • GDPR Data Protection Obligations for Website Owners
  • Data protection by design and by default
  • Records of processing activities
  • Data breach notification
  • International data transfers
  • Cookie consent and tracking
  • Penalties for Mishandling GDPR Data
  • Real enforcement examples
  • Practical Steps to Handle GDPR Data Correctly
  • Audit your data collection
  • Establish legal bases
  • Implement consent mechanisms
  • Create compliant documentation
  • Build response procedures
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.