What Is Personal Data Under GDPR? Definition and Examples
Learn what is personal data under GDPR, with clear definitions, examples, and categories. Understand what the law protects and how it applies to your website.
Understanding what is personal data under GDPR is the foundation of compliance with European data protection law. Personal data under the GDPR has a deliberately broad definition, and many website operators underestimate how much of the information they collect qualifies.
This guide breaks down the legal definition, walks through categories and real-world examples, and explains how the classification affects your obligations. This is educational content and does not constitute legal advice. For guidance specific to your circumstances, consult a qualified data protection attorney.
The Legal Definition of Personal Data Under the GDPR
Article 4(1) of the GDPR defines personal data as "any information relating to an identified or identifiable natural person." The regulation refers to this person as the "data subject."
A natural person is identifiable when they can be identified, directly or indirectly, by reference to:
- A name (first name, surname, or combination)
- An identification number (national ID, passport number, employee ID)
- Location data (GPS coordinates, IP-based geolocation)
- An online identifier (IP address, cookie ID, device fingerprint, advertising ID)
- One or more factors specific to the person (physical, physiological, genetic, mental, economic, cultural, or social identity)
The critical word in this definition is "identifiable." The data does not need to directly name someone. If there is any reasonable means by which the individual could be identified, whether by the data controller alone or by combining the data with information held by another party, the data qualifies as personal data under GDPR.
Recital 26 of the GDPR clarifies that the assessment of whether someone is identifiable should account for "all the means reasonably likely to be used" to identify the person. This includes means available to a third party. The bar is deliberately low because the regulation is designed to protect individuals, not to create loopholes.
Categories of Personal Data Under the GDPR
Personal data under the GDPR falls into several broad categories. Understanding these categories helps website operators audit what they collect and process.
Identity data
This is the most straightforward category. It includes names, dates of birth, gender, nationality, photographs, and other attributes that directly describe who a person is.
Contact data
Email addresses, phone numbers, postal addresses, and social media handles all fall under personal data. Even a work email address like [email protected] is personal data because it identifies a specific individual.
Financial data
Bank account numbers, credit card details, salary information, tax records, and transaction histories are personal data. Payment processors and ecommerce platforms handle this category extensively.
Online identifiers
This category is where many website operators are caught off guard. IP addresses, cookie identifiers, device fingerprints, advertising IDs, and browser metadata all qualify as personal data under the GDPR. The Court of Justice of the European Union confirmed in the Breyer case (C-582/14) that even dynamic IP addresses are personal data when the controller has lawful means to identify the user.
Location data
GPS coordinates, cell tower data, Wi-Fi positioning, and IP-based geolocation are all personal data. Mobile apps and websites that request location access are processing personal data the moment they receive it.
Behavioral data
Browsing history, purchase patterns, search queries, click behavior, and app usage statistics relate to identifiable individuals when linked to a cookie, session, or account. Analytics tools like Google Analytics process behavioral personal data by default.
Special Categories: Sensitive Personal Data Under the GDPR
Article 9 of the GDPR defines "special categories" of personal data that receive heightened protection. Processing this data is prohibited by default unless one of the specific exceptions in Article 9(2) applies.
Special categories include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data (DNA, gene sequences)
- Biometric data used for uniquely identifying a person (fingerprints, facial recognition, retinal scans)
- Health data (medical records, disability status, mental health information)
- Data concerning sex life or sexual orientation
The exceptions that permit processing special category data include explicit consent from the data subject, necessity for employment law obligations, protection of vital interests when the person cannot consent, and processing for substantial public interest with a legal basis.
For website operators, the most common encounter with special category data involves health-related services, diversity forms, or biometric authentication. If your website collects any of this information, you need a lawful basis beyond standard consent and must implement additional safeguards documented in a Data Protection Impact Assessment.
What Is Not Personal Data Under the GDPR
Knowing what falls outside the definition is just as important for compliance planning. The GDPR does not protect:
- Truly anonymous data: Information that cannot be linked to an individual by any reasonable means. Recital 26 confirms that anonymous data falls outside the regulation's scope.
- Legal entity data: Company names, business registration numbers, corporate addresses, and other data about organizations rather than natural persons. The GDPR protects only natural persons.
- Deceased persons' data: The GDPR does not apply to data of deceased individuals, though some EU member states have enacted national laws extending certain protections.
- Aggregated statistical data: Data that has been combined and summarized so that no individual can be identified or singled out.
However, pseudonymized data is still personal data under the GDPR. Article 4(5) defines pseudonymization as processing personal data so it can no longer be attributed to a specific person without additional information, provided that additional information is kept separately. Because the data can still be re-linked to an individual, it remains within scope.
How Personal Data Classification Affects Your Website
The broad definition of personal data under GDPR means most websites process personal data, whether they realize it or not. Here is how the classification creates specific obligations.
Lawful basis for processing
Article 6 of the GDPR requires a lawful basis for every processing activity involving personal data. The six lawful bases are consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Most websites rely on consent (for marketing cookies and newsletters) and legitimate interests (for security logging and fraud prevention).
Privacy policy requirements
If you process personal data, Article 13 requires you to provide specific information to data subjects at the point of collection. This includes your identity, the purposes of processing, the lawful basis, data retention periods, and the individual's rights. A comprehensive privacy policy generator can help structure this disclosure correctly.
Data subject rights
Articles 15 through 22 grant data subjects rights over their personal data, including the right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), data portability (Article 20), and objection (Article 21). These rights apply to all personal data you hold about an individual.
Data breach notification
Article 33 requires controllers to notify their supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. Article 34 requires direct notification to affected data subjects when the breach is likely to result in a high risk.
Penalties for mishandling personal data
Getting the classification wrong carries financial consequences. Under Article 83(5), infringements of the basic processing principles, including processing personal data without a valid lawful basis, can result in fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowCommon Misconceptions About Personal Data Under the GDPR
Several persistent misunderstandings lead website operators into non-compliance.
"We only collect email addresses, so we barely handle personal data." Email addresses are personal data, and the GDPR's obligations apply fully regardless of volume. A single email address triggers the same compliance framework as a database of millions.
"We anonymize our analytics, so GDPR does not apply." Many tools marketed as "anonymous" still collect IP addresses, set cookies, or generate unique identifiers. If any identifier can link data back to an individual, it is pseudonymization, not anonymization, and the GDPR still applies.
"Our website only serves customers outside the EU." Article 3(2) extends the GDPR's territorial scope to any organization that offers goods or services to individuals in the EU or monitors their behavior within the EU. If EU residents visit your website and you place tracking cookies, you are processing their personal data under the GDPR.
"Employee data is handled differently." Employee personal data receives the same protections under the GDPR. Internal HR systems, payroll records, and performance reviews all involve personal data processing and require a lawful basis, transparency, and security measures.
"Hashed data is not personal data." Hashing is a form of pseudonymization. If the original value can be recovered through brute force, rainbow tables, or by the entity holding the hash key, the hashed data remains personal data.
Practical Steps for Identifying Personal Data on Your Website
Conducting a thorough data mapping exercise is the first step toward GDPR compliance. Follow these steps to identify what personal data your website collects and processes.
Audit all data collection points. Review every form, checkout flow, registration process, and contact page. List every field that collects information from users.
Examine cookies and tracking technologies. Use a compliance scanner to identify all cookies set by your website, including third-party cookies from analytics, advertising, and social media integrations. Tools like the TermsBox website compliance scanner can automate this process and categorize cookies by purpose.
Review server logs. Web servers typically log IP addresses, user agents, referrer URLs, and timestamps. These logs contain personal data under the GDPR.
Map third-party data flows. Document every third party that receives data from your website. This includes analytics providers, payment processors, email marketing platforms, CDN providers, and customer support tools. Each data transfer requires either a processing agreement (Article 28) or a valid transfer mechanism for international transfers (Chapter V).
Check embedded content. Embedded videos, maps, fonts, and social media widgets often load resources from third-party servers, transmitting visitor IP addresses and setting cookies in the process.
Document the results. Article 30 requires controllers to maintain a Record of Processing Activities (ROPA) listing each processing purpose, the categories of personal data involved, the recipients, transfer safeguards, and retention periods.
Your privacy policy generator disclosures should reflect the results of this audit. A privacy policy that does not accurately describe your data processing practices is itself a compliance risk.
Personal Data Under the GDPR in Practice: Website Examples
To make the definition concrete, here are common examples of personal data that websites collect, often without fully recognizing it.
| Data Type | Example | Why It Is Personal Data |
|---|---|---|
| Form submissions | Name, email, phone number | Directly identifies the individual |
| Account data | Username, password hash, profile photo | Linked to an identified user |
| IP addresses | 192.168.1.1 (logged by server) | Can identify a person via ISP records |
| Cookie IDs | _ga=GA1.2.123456789 | Tracks behavior of a specific browser user |
| Device fingerprints | Screen resolution + browser + OS + plugins | Combination singles out individuals |
| Payment data | Card number, billing address | Identifies the cardholder |
| Location data | Latitude/longitude from geolocation API | Pinpoints individual's physical position |
| User-generated content | Comments, reviews, forum posts | Linked to an account or contains personal details |
Even metadata can be personal data. A photograph's EXIF data may contain GPS coordinates and timestamps. An uploaded document's metadata may include the author's name and organization.
Frequently Asked Questions
What counts as personal data under the GDPR?
Personal data under the GDPR means any information relating to an identified or identifiable natural person. This includes obvious identifiers like names and email addresses, but also extends to IP addresses, cookie identifiers, location data, and any combination of factors that could single out an individual. Article 4(1) of the GDPR defines the term broadly and intentionally.
Are IP addresses considered personal data under the GDPR?
Yes. The Court of Justice of the European Union confirmed in Breyer v. Bundesrepublik Deutschland (Case C-582/14) that even dynamic IP addresses qualify as personal data when the data controller has legal means to identify the individual behind the address. Since most website operators can link IP addresses to individuals through their internet service provider or server logs, IP addresses are treated as personal data under the GDPR in practice.
Does the GDPR apply to business contact information?
Yes, the GDPR applies to business contact information when it relates to an identifiable individual. A work email address like [email protected] is personal data because it identifies a specific person. Generic addresses like [email protected] are not personal data. Company names and registration numbers are not personal data either, since the GDPR only protects natural persons, not legal entities.
What is the difference between personal data and sensitive personal data under the GDPR?
The GDPR distinguishes between ordinary personal data and special categories of personal data, often called sensitive data. Article 9 defines special categories as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used for identification, health data, and data concerning sex life or sexual orientation. Processing special category data is prohibited by default and requires one of the specific exceptions listed in Article 9(2), such as explicit consent.