TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. What Is Personal Data Under GDPR? Definition and Examples
Legal Compliance

What Is Personal Data Under GDPR? Definition and Examples

Learn what is personal data under GDPR, with clear definitions, examples, and categories. Understand what the law protects and how it applies to your website.

TermsBox Team|April 3, 202612 min read

Understanding what is personal data under GDPR is the foundation of compliance with European data protection law. Personal data under the GDPR has a deliberately broad definition, and many website operators underestimate how much of the information they collect qualifies.

This guide breaks down the legal definition, walks through categories and real-world examples, and explains how the classification affects your obligations. This is educational content and does not constitute legal advice. For guidance specific to your circumstances, consult a qualified data protection attorney.

The Legal Definition of Personal Data Under the GDPR

Article 4(1) of the GDPR defines personal data as "any information relating to an identified or identifiable natural person." The regulation refers to this person as the "data subject."

A natural person is identifiable when they can be identified, directly or indirectly, by reference to:

  • A name (first name, surname, or combination)
  • An identification number (national ID, passport number, employee ID)
  • Location data (GPS coordinates, IP-based geolocation)
  • An online identifier (IP address, cookie ID, device fingerprint, advertising ID)
  • One or more factors specific to the person (physical, physiological, genetic, mental, economic, cultural, or social identity)

The critical word in this definition is "identifiable." The data does not need to directly name someone. If there is any reasonable means by which the individual could be identified, whether by the data controller alone or by combining the data with information held by another party, the data qualifies as personal data under GDPR.

Recital 26 of the GDPR clarifies that the assessment of whether someone is identifiable should account for "all the means reasonably likely to be used" to identify the person. This includes means available to a third party. The bar is deliberately low because the regulation is designed to protect individuals, not to create loopholes.

Categories of Personal Data Under the GDPR

Personal data under the GDPR falls into several broad categories. Understanding these categories helps website operators audit what they collect and process.

Identity data

This is the most straightforward category. It includes names, dates of birth, gender, nationality, photographs, and other attributes that directly describe who a person is.

Contact data

Email addresses, phone numbers, postal addresses, and social media handles all fall under personal data. Even a work email address like [email protected] is personal data because it identifies a specific individual.

Financial data

Bank account numbers, credit card details, salary information, tax records, and transaction histories are personal data. Payment processors and ecommerce platforms handle this category extensively.

Online identifiers

This category is where many website operators are caught off guard. IP addresses, cookie identifiers, device fingerprints, advertising IDs, and browser metadata all qualify as personal data under the GDPR. The Court of Justice of the European Union confirmed in the Breyer case (C-582/14) that even dynamic IP addresses are personal data when the controller has lawful means to identify the user.

Location data

GPS coordinates, cell tower data, Wi-Fi positioning, and IP-based geolocation are all personal data. Mobile apps and websites that request location access are processing personal data the moment they receive it.

Behavioral data

Browsing history, purchase patterns, search queries, click behavior, and app usage statistics relate to identifiable individuals when linked to a cookie, session, or account. Analytics tools like Google Analytics process behavioral personal data by default.

Special Categories: Sensitive Personal Data Under the GDPR

Article 9 of the GDPR defines "special categories" of personal data that receive heightened protection. Processing this data is prohibited by default unless one of the specific exceptions in Article 9(2) applies.

Special categories include:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data (DNA, gene sequences)
  • Biometric data used for uniquely identifying a person (fingerprints, facial recognition, retinal scans)
  • Health data (medical records, disability status, mental health information)
  • Data concerning sex life or sexual orientation

The exceptions that permit processing special category data include explicit consent from the data subject, necessity for employment law obligations, protection of vital interests when the person cannot consent, and processing for substantial public interest with a legal basis.

For website operators, the most common encounter with special category data involves health-related services, diversity forms, or biometric authentication. If your website collects any of this information, you need a lawful basis beyond standard consent and must implement additional safeguards documented in a Data Protection Impact Assessment.

What Is Not Personal Data Under the GDPR

Knowing what falls outside the definition is just as important for compliance planning. The GDPR does not protect:

  • Truly anonymous data: Information that cannot be linked to an individual by any reasonable means. Recital 26 confirms that anonymous data falls outside the regulation's scope.
  • Legal entity data: Company names, business registration numbers, corporate addresses, and other data about organizations rather than natural persons. The GDPR protects only natural persons.
  • Deceased persons' data: The GDPR does not apply to data of deceased individuals, though some EU member states have enacted national laws extending certain protections.
  • Aggregated statistical data: Data that has been combined and summarized so that no individual can be identified or singled out.

However, pseudonymized data is still personal data under the GDPR. Article 4(5) defines pseudonymization as processing personal data so it can no longer be attributed to a specific person without additional information, provided that additional information is kept separately. Because the data can still be re-linked to an individual, it remains within scope.

How Personal Data Classification Affects Your Website

The broad definition of personal data under GDPR means most websites process personal data, whether they realize it or not. Here is how the classification creates specific obligations.

Lawful basis for processing

Article 6 of the GDPR requires a lawful basis for every processing activity involving personal data. The six lawful bases are consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Most websites rely on consent (for marketing cookies and newsletters) and legitimate interests (for security logging and fraud prevention).

Privacy policy requirements

If you process personal data, Article 13 requires you to provide specific information to data subjects at the point of collection. This includes your identity, the purposes of processing, the lawful basis, data retention periods, and the individual's rights. A comprehensive privacy policy generator can help structure this disclosure correctly.

Data subject rights

Articles 15 through 22 grant data subjects rights over their personal data, including the right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), data portability (Article 20), and objection (Article 21). These rights apply to all personal data you hold about an individual.

Data breach notification

Article 33 requires controllers to notify their supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. Article 34 requires direct notification to affected data subjects when the breach is likely to result in a high risk.

Penalties for mishandling personal data

Getting the classification wrong carries financial consequences. Under Article 83(5), infringements of the basic processing principles, including processing personal data without a valid lawful basis, can result in fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Common Misconceptions About Personal Data Under the GDPR

Several persistent misunderstandings lead website operators into non-compliance.

"We only collect email addresses, so we barely handle personal data." Email addresses are personal data, and the GDPR's obligations apply fully regardless of volume. A single email address triggers the same compliance framework as a database of millions.

"We anonymize our analytics, so GDPR does not apply." Many tools marketed as "anonymous" still collect IP addresses, set cookies, or generate unique identifiers. If any identifier can link data back to an individual, it is pseudonymization, not anonymization, and the GDPR still applies.

"Our website only serves customers outside the EU." Article 3(2) extends the GDPR's territorial scope to any organization that offers goods or services to individuals in the EU or monitors their behavior within the EU. If EU residents visit your website and you place tracking cookies, you are processing their personal data under the GDPR.

"Employee data is handled differently." Employee personal data receives the same protections under the GDPR. Internal HR systems, payroll records, and performance reviews all involve personal data processing and require a lawful basis, transparency, and security measures.

"Hashed data is not personal data." Hashing is a form of pseudonymization. If the original value can be recovered through brute force, rainbow tables, or by the entity holding the hash key, the hashed data remains personal data.

Practical Steps for Identifying Personal Data on Your Website

Conducting a thorough data mapping exercise is the first step toward GDPR compliance. Follow these steps to identify what personal data your website collects and processes.

  1. Audit all data collection points. Review every form, checkout flow, registration process, and contact page. List every field that collects information from users.

  2. Examine cookies and tracking technologies. Use a compliance scanner to identify all cookies set by your website, including third-party cookies from analytics, advertising, and social media integrations. Tools like the TermsBox website compliance scanner can automate this process and categorize cookies by purpose.

  3. Review server logs. Web servers typically log IP addresses, user agents, referrer URLs, and timestamps. These logs contain personal data under the GDPR.

  4. Map third-party data flows. Document every third party that receives data from your website. This includes analytics providers, payment processors, email marketing platforms, CDN providers, and customer support tools. Each data transfer requires either a processing agreement (Article 28) or a valid transfer mechanism for international transfers (Chapter V).

  5. Check embedded content. Embedded videos, maps, fonts, and social media widgets often load resources from third-party servers, transmitting visitor IP addresses and setting cookies in the process.

  6. Document the results. Article 30 requires controllers to maintain a Record of Processing Activities (ROPA) listing each processing purpose, the categories of personal data involved, the recipients, transfer safeguards, and retention periods.

Your privacy policy generator disclosures should reflect the results of this audit. A privacy policy that does not accurately describe your data processing practices is itself a compliance risk.

Personal Data Under the GDPR in Practice: Website Examples

To make the definition concrete, here are common examples of personal data that websites collect, often without fully recognizing it.

Data Type Example Why It Is Personal Data
Form submissions Name, email, phone number Directly identifies the individual
Account data Username, password hash, profile photo Linked to an identified user
IP addresses 192.168.1.1 (logged by server) Can identify a person via ISP records
Cookie IDs _ga=GA1.2.123456789 Tracks behavior of a specific browser user
Device fingerprints Screen resolution + browser + OS + plugins Combination singles out individuals
Payment data Card number, billing address Identifies the cardholder
Location data Latitude/longitude from geolocation API Pinpoints individual's physical position
User-generated content Comments, reviews, forum posts Linked to an account or contains personal details

Even metadata can be personal data. A photograph's EXIF data may contain GPS coordinates and timestamps. An uploaded document's metadata may include the author's name and organization.

Frequently Asked Questions

What counts as personal data under the GDPR?

Personal data under the GDPR means any information relating to an identified or identifiable natural person. This includes obvious identifiers like names and email addresses, but also extends to IP addresses, cookie identifiers, location data, and any combination of factors that could single out an individual. Article 4(1) of the GDPR defines the term broadly and intentionally.

Are IP addresses considered personal data under the GDPR?

Yes. The Court of Justice of the European Union confirmed in Breyer v. Bundesrepublik Deutschland (Case C-582/14) that even dynamic IP addresses qualify as personal data when the data controller has legal means to identify the individual behind the address. Since most website operators can link IP addresses to individuals through their internet service provider or server logs, IP addresses are treated as personal data under the GDPR in practice.

Does the GDPR apply to business contact information?

Yes, the GDPR applies to business contact information when it relates to an identifiable individual. A work email address like [email protected] is personal data because it identifies a specific person. Generic addresses like [email protected] are not personal data. Company names and registration numbers are not personal data either, since the GDPR only protects natural persons, not legal entities.

What is the difference between personal data and sensitive personal data under the GDPR?

The GDPR distinguishes between ordinary personal data and special categories of personal data, often called sensitive data. Article 9 defines special categories as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used for identification, health data, and data concerning sex life or sexual orientation. Processing special category data is prohibited by default and requires one of the specific exceptions listed in Article 9(2), such as explicit consent.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • The Legal Definition of Personal Data Under the GDPR
  • Categories of Personal Data Under the GDPR
  • Identity data
  • Contact data
  • Financial data
  • Online identifiers
  • Location data
  • Behavioral data
  • Special Categories: Sensitive Personal Data Under the GDPR
  • What Is Not Personal Data Under the GDPR
  • How Personal Data Classification Affects Your Website
  • Lawful basis for processing
  • Privacy policy requirements
  • Data subject rights
  • Data breach notification
  • Penalties for mishandling personal data
  • Common Misconceptions About Personal Data Under the GDPR
  • Practical Steps for Identifying Personal Data on Your Website
  • Personal Data Under the GDPR in Practice: Website Examples
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.