What is Personal Data?
Understanding what qualifies as personal data under GDPR and other privacy laws - with examples and special categories.
What is Personal Data?
Under GDPR, personal data means "any information relating to an identified or identifiable natural person". An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
This definition is intentionally broad. If information can be used to identify a person - either on its own or when combined with other data - it's considered personal data and subject to privacy law protections.
Key Principle
The test is whether a person can be identified from the data, not whether you intend to identify them. If identification is reasonably possible, it's personal data.
Categories of Personal Data
Personal data comes in many forms. Here are the main categories:
Identity Information
- Name
- Date of birth
- Gender
- Passport number
- Social Security number
Contact Details
- Address
- Email address
- Phone number
- Social media handles
Financial Information
- Bank account
- Credit card number
- Payment history
- Income
- Credit score
Biometric Data
- Fingerprints
- Facial recognition
- Voice patterns
- DNA
- Retina scans
Online Identifiers
- IP address
- Cookie IDs
- Device IDs
- Location data
- Browsing history
Special Category Data
- Health records
- Racial/ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
Special Categories of Personal Data (Sensitive Data)
GDPR Article 9 defines certain types of personal data as "special category" data, also known as sensitive data. These categories receive extra protection: on top of a lawful basis under Article 6, processing them requires explicit consent or one of the other specific exceptions listed in Article 9(2):
Higher Protection Required
Processing special category data is prohibited unless a specific exception applies. Extra safeguards are required.
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for unique identification
- Health data
- Data concerning sex life or sexual orientation
Direct vs Indirect Identification
Personal data includes both information that directly identifies someone and information that can identify them indirectly:
Directly Identifying
Information that directly identifies an individual without needing additional data
Examples:
Full name, National ID number, Passport number, Social Security number
Indirectly Identifying
Information that can identify someone when combined with other data
Examples:
IP address + timestamp, Device ID + location, Employee ID + department
Pseudonymous Data
Data processed so that it can no longer be attributed to a specific person without additional information, where that additional information is kept separately and protected by technical and organisational measures (GDPR Article 4(5)). Pseudonymous data is still personal data; it is only a risk-reduction measure.
Examples:
Tokenized customer IDs (with the token-to-customer mapping held separately), keyed hashes (HMACs) of email addresses with the key held separately. An unkeyed hash of an email address is weak pseudonymisation, because anyone with a list of candidate addresses can recompute the hashes and match them.
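The following is an added worked example, not code from the original page, showing the difference between the two pseudonymisation approaches above. It uses constructed sample addresses and an assumed secret key; it demonstrates that an unkeyed SHA-256 of an email can be reversed by anyone holding a candidate list, that an HMAC can only be recomputed (and therefore linked back) by the party holding the key, and that a token vault is the "additional information kept separately" that turns tokens back into identifiers.

```python
"""Pseudonymisation of identifiers: unkeyed hash vs keyed hash vs token vault.

Added example with constructed data; not part of the original article.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample addresses (not real people).
EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def normalise(email: str) -> bytes:
    """Trim and lower-case so the same mailbox always maps to the same value."""
    return email.strip().lower().encode()


def unkeyed_hash(email: str) -> str:
    """Plain SHA-256. Anyone can recompute this, so it only hides the
    address from someone who cannot guess it."""
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA256. Only a holder of `key` can recompute or link the value,
    so the key is the 'additional information' that must be stored separately."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      key: Optional[bytes] = None) -> Optional[str]:
    """Try to reverse a pseudonym by hashing each candidate address and
    comparing. Returns the matching address, or None if nothing matches."""
    for candidate in candidates:
        digest = keyed_hash(candidate, key) if key is not None else unkeyed_hash(candidate)
        if hmac.compare_digest(digest, target):
            return candidate
    return None


class TokenVault:
    """Tokenised customer IDs. The dataset only ever sees the random token;
    the token->identifier map lives in this vault, which must be kept
    separately from the pseudonymised data."""

    def __init__(self) -> None:
        self._to_token: dict = {}
        self._to_value: dict = {}

    def tokenize(self, value: str) -> str:
        """Return a stable random token for `value` (same input, same token)."""
        if value not in self._to_token:
            token = secrets.token_hex(8)  # random, carries no information about the value
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def resolve(self, token: str) -> Optional[str]:
        """Re-identify a token; only possible with access to this vault."""
        return self._to_value.get(token)


if __name__ == "__main__":
    key = b"constructed-secret-key-held-separately"  # assumption: a real key would come from a KMS
    target = "alice@example.com"
    print("unkeyed hash reversed:", dictionary_attack(unkeyed_hash(target), EMAILS))
    print("keyed hash without key:", dictionary_attack(keyed_hash(target, key), EMAILS))
    print("keyed hash with key:   ", dictionary_attack(keyed_hash(target, key), EMAILS, key=key))
    vault = TokenVault()
    token = vault.tokenize("cust-1001")
    print("token:", token, "-> resolves to:", vault.resolve(token))
```

The point for a data-protection assessment: the unkeyed hash is reversed by the same candidate list the attacker is assumed to have, so it offers no real separation; the HMAC and the token vault do, provided the key or the vault actually is held in a separate system with its own access controls.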
Common Misconceptions
❌ Myth: Anonymized data is still personal data
Reality: Truly anonymized data (where re-identification is not reasonably possible) is NOT personal data under GDPR. However, most "anonymization" is actually pseudonymization, which is still personal data.
Example: If you delete names but keep age, location, and purchase history, individuals may still be identifiable.
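The following is an added worked example, not code from the original page, that makes the re-identification risk above concrete. It uses a constructed dataset of seven records with names already removed, treats age and postcode as quasi-identifiers, and checks how many records share the same combination (the k-anonymity measure). A record that is the only one with its combination can be picked out by anyone who knows just those two facts about a person, which here exposes a health-related purchase. It then coarsens the quasi-identifiers and recomputes, to show what an actual anonymisation step changes.

```python
"""Why deleting names is not anonymisation: quasi-identifier uniqueness.

Added example with constructed records; not part of the original article.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed "anonymised" records: names removed, everything else kept.
RECORDS: List[Dict[str, object]] = [
    {"age": 34, "postcode": "SW1A 1AA", "purchases": "running shoes"},
    {"age": 34, "postcode": "SW1A 1AA", "purchases": "yoga mat"},
    {"age": 38, "postcode": "SW1A 2AA", "purchases": "running shoes"},
    {"age": 51, "postcode": "M1 1AE", "purchases": "insulin pen needles"},
    {"age": 27, "postcode": "M1 1AE", "purchases": "hiking boots"},
    {"age": 29, "postcode": "M1 2AB", "purchases": "hiking boots"},
    {"age": 55, "postcode": "M1 2AB", "purchases": "reading glasses"},
]

# Attributes an outsider could plausibly know about a person (assumption for the example).
QUASI_IDENTIFIERS: Tuple[str, ...] = ("age", "postcode")


def equivalence_classes(records: Iterable[Dict[str, object]],
                        keys: Tuple[str, ...]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records: List[Dict[str, object]], keys: Tuple[str, ...]) -> int:
    """Size of the smallest equivalence class. k == 1 means at least one
    record is unique on the quasi-identifiers, i.e. individually identifiable."""
    return min(equivalence_classes(records, keys).values())


def unique_records(records: List[Dict[str, object]],
                   keys: Tuple[str, ...]) -> List[Dict[str, object]]:
    """Records that nobody else in the dataset shares quasi-identifiers with."""
    counts = equivalence_classes(records, keys)
    return [r for r in records if counts[tuple(r[k] for k in keys)] == 1]


def link(known: Dict[str, object], records: List[Dict[str, object]],
         keys: Tuple[str, ...]) -> List[Dict[str, object]]:
    """Simulate an outsider who knows `known` about a person and looks for
    matching records. A single match re-identifies the person and reveals
    every other column, including the purchase history."""
    return [r for r in records if all(r[k] == known[k] for k in keys)]


def generalise(record: Dict[str, object]) -> Dict[str, object]:
    """Coarsen the quasi-identifiers: 10-year age band and outward postcode only.
    This is one simple anonymisation technique; real datasets need a risk assessment."""
    age = int(record["age"])
    band_start = age // 10 * 10
    return {
        **record,
        "age": f"{band_start}-{band_start + 9}",
        "postcode": str(record["postcode"]).split()[0],
    }


def generalised_records() -> List[Dict[str, object]]:
    return [generalise(r) for r in RECORDS]


if __name__ == "__main__":
    print("k-anonymity of raw data:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("unique records:", len(unique_records(RECORDS, QUASI_IDENTIFIERS)))
    # Outsider knowledge: "my neighbour is 51 and lives at M1 1AE".
    print("linked:", link({"age": 51, "postcode": "M1 1AE"}, RECORDS, QUASI_IDENTIFIERS))
    coarse = generalised_records()
    print("k-anonymity after generalisation:", k_anonymity(coarse, QUASI_IDENTIFIERS))
    print("linked after generalisation:",
          link({"age": "50-59", "postcode": "M1"}, coarse, QUASI_IDENTIFIERS))
```

On the raw data five of the seven records are unique on age and postcode alone, so the dataset is pseudonymised at best and remains personal data. After generalisation every combination is shared by at least two records, and the same outsider knowledge returns two candidates instead of one. Whether that is enough depends on the other columns and on what else an attacker could obtain, which is exactly the "reasonably likely means" assessment GDPR requires.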
❌ Myth: IP addresses aren't personal data
Reality: IP addresses are personal data under GDPR. Recital 30 names them as online identifiers, and the CJEU held in Breyer (C-582/14) that even a dynamic IP address is personal data for a website operator that has lawful means to link it to a person. An IP address identifies a device, and, combined with timestamps, logs or subscriber records, the person using it.
❌ Myth: Business contact information isn't personal data
Reality: Business emails like john.smith@company.com are personal data because they identify an individual. Generic emails like info@company.com are not.
❌ Myth: Dead people's data is protected
Reality: GDPR only protects living individuals. However, some national laws and professional ethics may require protection of deceased persons' data.
What About Company Data?
Information about companies (legal entities) is generally not personal data. However, there are important exceptions:
NOT Personal Data
- Company registration number
- Company name
- Generic company email (info@company.com)
- Company address
- Company phone number (main line)
IS Personal Data
- Sole trader/proprietor information
- Individual employee emails
- Employee names and roles
- Direct phone lines to individuals
- Owner/partner information in small businesses
Personal Data Across Different Privacy Laws
Different privacy laws use slightly different terminology:
| Law | Term Used | Definition |
|---|---|---|
| GDPR (EU) | Personal data | Information relating to an identified or identifiable natural person |
| CCPA (California) | Personal information | Information that identifies, relates to, or could reasonably be linked with a consumer or household |
| PIPEDA (Canada) | Personal information | Information about an identifiable individual |
| COPPA (US) | Personal information | Information that can be used to identify, contact, or locate a child |
While the terminology varies, the core concept is similar: information that can identify a person is protected.
How to Determine if Data is Personal
Use this decision tree to determine if information qualifies as personal data:
1. Does it relate to a natural person?
If no, it's not personal data. Companies don't count (except sole traders and others who trade in their own name, since the information is then about an individual).
2. Is the person identified or identifiable?
Can you identify the person from this data alone, or combined with other information you have or could reasonably obtain?
3. Is re-identification reasonably possible?
Consider all the means reasonably likely to be used, including the cost, time and technology available (Recital 26). If re-identification is theoretically possible but would require unreasonable effort, it may not be personal data.
4. Is the person still alive?
GDPR only applies to living individuals. Information about deceased persons is generally not personal data under GDPR (but check local laws).
If you answered YES to questions 1, 2, 3 and 4, it's personal data.
Related Articles
What is GDPR?
Learn about the EU's General Data Protection Regulation and how it protects personal data.
Data Controller vs Processor
Understand the difference between controllers and processors under GDPR.