What Is Personal Data Under GDPR? Examples, Checklist & FAQ

Fernando Figueiredo
August 28, 2025

Handling personal data under GDPR can feel overwhelming, especially when you're trying to work out exactly what counts as personal information. If you run a business in Europe or manage EU citizens' data (even as a US company), you need to know the GDPR definition of personal data; without it, complying with GDPR is impossible.

That's why we're here: this guide breaks down everything you need to know about GDPR personal data, including practical examples.

Zeeg: Your Scheduling-CRM, 100% GDPR-compliant

GDPR and DPA ready, with a 14-day trial and a complete forever free plan.

Sign up for free

TL;DR: Key points about GDPR personal data

  • Personal data = any information about an identifiable person - Not just names and emails, but IP addresses, employee IDs, opinions, and even combinations of generic data that could identify someone
  • Context determines everything - The same information might be personal data in one situation but not another, depending on how it's used and what else you know
  • Special categories need extra protection - Health data, political views, religious beliefs, biometric data, and sexual orientation require explicit consent or specific legal justification
  • PII means something different in GDPR - Unlike US privacy laws that list specific data types, GDPR covers ANY information relating to an identifiable person
  • It applies globally to EU data - If you process EU residents' data, GDPR applies regardless of where your company is based
  • Both direct and indirect identification count - Even if you need additional information to identify someone, it's still personal data if identification is reasonably possible
  • Pseudonymized ≠ anonymous - Data with replaced identifiers is still personal data; only irreversibly anonymized data escapes GDPR
  • Business data can be personal too - Work emails, LinkedIn profiles, and professional information about individuals all qualify as personal data

GDPR Personal Data: Context

GDPR personal data definition

So what exactly is personal data under GDPR? The regulation defines it as "any information relating to an identified or identifiable natural person."¹ Sounds straightforward, right? But this definition casts a much wider net than most businesses initially realize.

You might think personal data just means obvious things like names and email addresses. The reality is that GDPR goes well beyond these basics. An identifiable person is someone you can distinguish from others, either directly through the information you have or indirectly by combining it with other data you could reasonably access. This broad interpretation reflects Europe's fundamental view that privacy is a human right, not just a nice-to-have.

UK and US cases

The UK maintains nearly identical rules through UK GDPR, keeping the same personal data definition after Brexit². While UK GDPR and EU GDPR differences exist in some areas, the core definition of personal data remains consistent between both regulations. 

Meanwhile, US companies often find themselves confused by this expansive European definition of personal information—especially because they also need to comply with GDPR when they’re handling data from EU/UK citizens. American privacy laws usually list specific data categories that need protection - think Social Security numbers or medical records. But GDPR personal data rules are very different, because they focus on whether information relates to an identifiable person rather than fitting predetermined boxes.

This means that the same information might be personal data in one situation but not another. It's not just about what data you have, but how you use it and what you could potentially learn from it.

The four key elements that define personal data

Breaking down the GDPR personal data definition gets easier when you understand its four essential components. Each element must be present for information to qualify as personal data under GDPR.

"Any information" - broadest possible scope

First, we need "any information" - and GDPR means literally any. Numbers, words, images, sounds, even opinions about someone count. The format doesn't matter either. A child's drawing used in psychological evaluation? If it reveals information about the child or their family situation, that's personal data. The regulation doesn't care whether information is stored digitally, written on paper, or captured on video.

"Relating to" - connection requirement

Second comes "relating to" - the information must concern the individual in some way. Simply mentioning someone doesn't automatically create personal data. If you write "the CEO of Apple" in a report about technology trends, you're not processing Tim Cook's personal data unless the information actually relates to him as an individual rather than his corporate role.

"Identified or identifiable" - direct and indirect identification

Third, we have "identified or identifiable" - this is where things get interesting. Direct identification happens when you can immediately pick someone out from your data. But indirect identification matters too. Maybe you can't identify someone from your data alone, but combining it with information from social media or public records would reveal their identity? That still counts as personal data GDPR protects.

"Natural person" - the human element

Finally, "natural person" means living, breathing humans. Companies aren't covered (though information about sole traders is). Deceased individuals don't have GDPR rights, though some EU countries add their own rules.⁶ This human focus distinguishes GDPR from regulations protecting corporate data or intellectual property.

What is considered personal data under GDPR?

Now, let's get specific about GDPR data types and examples of personal data under GDPR. Understanding these categories helps you recognize personal data in all its forms.

Category, examples, and protection level:

  • Basic Identifiers: name, address, phone number, email, ID numbers, passport details (Standard)
  • Online Identifiers: IP addresses, cookies, device IDs, MAC addresses, advertising IDs, social media handles (Standard)
  • Location Data: GPS coordinates, cell tower data, WiFi access points, travel patterns (Standard)
  • Physical Attributes: photos, videos, voice recordings, physical descriptions, distinguishing features (Standard)
  • Economic & Financial: bank details, credit scores, income, property ownership, purchasing history (Standard)
  • Professional Data: job title, employer, work history, performance reviews, professional opinions (Standard)
  • Health & Genetic: medical records, genetic data, disability status, mental health information (Special Category)
  • Biometric Data: fingerprints, facial recognition, iris scans, voice patterns used for identification (Special Category)
  • Beliefs & Affiliations: political views, religious beliefs, union membership, philosophical beliefs (Special Category)

Notice how some data requires special category protection? These GDPR data types need explicit consent or another specific legal basis under Article 9.¹ You can't process someone's health data or political opinions using the same justification you'd use for their email address.

Criminal conviction and offense data sits in its own category - not quite special category, but requiring similar elevated protection under Article 10.¹ This includes not just actual convictions but also allegations, proceedings, and even suspicions of criminal activity.

Context is everything: When ordinary data becomes personal

Here's where GDPR gets tricky for many businesses. The same piece of information might qualify as personal data in one context but not another. Understanding this contextual nature prevents both over-compliance and dangerous gaps in protection.

Take employee ID numbers. Within your HR system, they're definitely personal data - they identify specific individuals. But if you're analyzing departmental headcount trends and only looking at anonymized ID ranges, those same numbers might not be personal data anymore. The purpose and potential impact of processing matter as much as the data itself.

Sometimes, combining non-personal data creates personal information. Consider this scenario: you know someone was born on March 15, 1985. Not particularly identifying, right? Now add that they live in zip code 90210. Still pretty anonymous. But throw in their gender and suddenly you might have narrowed it down to just one or two people. This combination effect catches many organizations off guard.

The "motivated intruder" test helps determine identifiability. Would someone reasonably determined, using available tools and public information, be able to identify an individual? You don't need to consider supercomputers or master hackers - just what's realistically possible for someone with moderate resources and determination.³

Time changes things too. Data that's anonymous today might become identifiable tomorrow as new datasets become public or technology advances. A pseudonymized customer database from 2020 might be vulnerable to re-identification using 2025's publicly available information. Regular reviews help catch these shifting risks.
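As an added illustration (not part of the original article) of the combination effect and the motivated intruder test described above: a small Python check over constructed records that counts how many people share each combination of "harmless" attributes, tests whether a constructed public dataset could link those records back to names, and shows how coarsening the attributes before release raises the group size. The k-anonymity framing, the `generalise` rule and the sample data are assumptions of this example, not something the article prescribes.

```python
from collections import Counter, defaultdict

# Constructed sample release (not real people). Names were replaced by opaque
# tokens, so the data is pseudonymised. Each remaining column looks harmless
# on its own; the question is what the columns reveal in combination.
RELEASE = [
    {"token": "u1", "dob": "1985-03-15", "zip": "90210", "gender": "F", "orders": 12},
    {"token": "u2", "dob": "1985-03-15", "zip": "90210", "gender": "M", "orders": 3},
    {"token": "u3", "dob": "1985-03-15", "zip": "90210", "gender": "M", "orders": 7},
    {"token": "u4", "dob": "1985-03-15", "zip": "90212", "gender": "F", "orders": 1},
    {"token": "u5", "dob": "1985-03-15", "zip": "90212", "gender": "F", "orders": 9},
    {"token": "u6", "dob": "1979-11-02", "zip": "90210", "gender": "F", "orders": 4},
    {"token": "u7", "dob": "1979-11-02", "zip": "90210", "gender": "F", "orders": 2},
    {"token": "u8", "dob": "1979-11-02", "zip": "90210", "gender": "M", "orders": 5},
]

# Constructed stand-in for a public source a "motivated intruder" could hold
# (a social-media profile, a public register): a name plus the same attributes.
PUBLIC = [
    {"name": "Alice", "dob": "1985-03-15", "zip": "90210", "gender": "F"},
    {"name": "Bob",   "dob": "1979-11-02", "zip": "90210", "gender": "M"},
    {"name": "Carol", "dob": "1985-03-15", "zip": "90212", "gender": "F"},
]

# Columns that are not names but still narrow people down (quasi-identifiers).
QUASI_IDS = ("dob", "zip", "gender")


def key(record, quasi_ids):
    """The combination of quasi-identifier values for one record."""
    return tuple(record[c] for c in quasi_ids)


def group_sizes(records, quasi_ids):
    """How many records share each combination of quasi-identifier values."""
    return Counter(key(r, quasi_ids) for r in records)


def min_k(records, quasi_ids):
    """Smallest group size (the 'k' of k-anonymity). k == 1 means the chosen
    columns alone single out at least one person."""
    return min(group_sizes(records, quasi_ids).values())


def singled_out(records, quasi_ids):
    """Tokens of records that are unique on the quasi-identifiers."""
    sizes = group_sizes(records, quasi_ids)
    return sorted(r["token"] for r in records if sizes[key(r, quasi_ids)] == 1)


def linkable(release, public, quasi_ids):
    """Motivated-intruder check: which release tokens can be tied to exactly one
    named person via a public dataset sharing the same attributes? A link only
    counts when the attribute combination is unique on BOTH sides."""
    tokens_by_key = defaultdict(list)
    for r in release:
        tokens_by_key[key(r, quasi_ids)].append(r["token"])
    names_by_key = defaultdict(list)
    for p in public:
        names_by_key[key(p, quasi_ids)].append(p["name"])
    return {
        toks[0]: names_by_key[k][0]
        for k, toks in tokens_by_key.items()
        if len(toks) == 1 and len(names_by_key.get(k, [])) == 1
    }


def generalise(record):
    """Coarsen the quasi-identifiers before release: birth year instead of full
    date, 3-digit zip prefix instead of full zip, gender suppressed."""
    return {**record, "dob": record["dob"][:4], "zip": record["zip"][:3], "gender": "*"}


def release_review(release, public, quasi_ids, k_required=3):
    """Summary a reviewer would look at before calling a dataset 'anonymous'."""
    return {
        "min_k": min_k(release, quasi_ids),
        "singled_out": singled_out(release, quasi_ids),
        "linkable": linkable(release, public, quasi_ids),
        "ok_to_call_anonymous": min_k(release, quasi_ids) >= k_required
        and not linkable(release, public, quasi_ids),
    }


if __name__ == "__main__":
    # Adding columns one at a time reproduces the article's scenario: birth
    # date alone leaves groups of 3+, adding zip gives groups of 2, adding
    # gender singles out u1 and u8 (Alice and Bob via the public source).
    for cols in (("dob",), ("dob", "zip"), QUASI_IDS):
        print(cols, "min k =", min_k(RELEASE, cols))
    print("raw release:", release_review(RELEASE, PUBLIC, QUASI_IDS))
    coarse = [generalise(r) for r in RELEASE]
    coarse_public = [generalise(p) for p in PUBLIC]
    print("generalised:", release_review(coarse, coarse_public, QUASI_IDS))
```

Re-running the review against newer public datasets is the "regular review" the paragraph above calls for: a release that passed in one year can fail once a richer public source exists.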

Special categories and sensitive personal data

Not all personal data carries equal weight under GDPR. Special category data demands extra protection because of its sensitivity and potential for discrimination or harm.

Special category type, what it includes, and common business scenarios:

  • Racial/Ethnic Origin: nationality, ethnicity, skin color, ancestry (diversity monitoring, equal opportunity reporting)
  • Political Opinions: party affiliation, voting history, political activities (background checks, social media monitoring)
  • Religious/Philosophical: faith, beliefs, church membership, dietary requirements (accommodation requests, dietary preferences)
  • Trade Union Membership: union affiliation, representative status (payroll deductions, collective bargaining)
  • Health Data: medical records, sick leave, disabilities, prescriptions (occupational health, insurance, accommodations)
  • Sex Life/Orientation: sexual preferences, gender identity, relationships (partner benefits, discrimination claims)

Processing special category data requires meeting two conditions. First, you need a standard legal basis under Article 6 (like consent or legitimate interest). Then you need an additional condition under Article 9, such as explicit consent, employment law obligations, or vital interests protection.⁷

Many businesses accidentally collect special category data without realizing it. That employee's sick note? Health data. The prayer room booking system? Religious data. Even seemingly innocent information can reveal protected characteristics - a request for kosher meals indicates religious beliefs, while time off for Pride events might suggest sexual orientation.

GDPR Personal Data: Checklist

GDPR Personal Data Checker

The first question to ask is whether the information relates to a living individual. If it does, use the quick reference below to see how the most common data types are classified.

Quick Reference: Common Data Types (data type, personal data?, examples, protection level)

  • Names: Yes (full name, username, nickname) - Standard
  • Contact Info: Yes (email, phone, address) - Standard
  • IP Address: Usually yes (static and dynamic IPs) - Standard
  • Cookies: Often yes (tracking cookies, analytics) - Standard
  • Photos: If identifiable (face photos, ID photos) - Standard
  • Work Email: Yes (john@company.com) - Standard
  • Health Info: Yes (medical records, sick leave) - Special Category
  • Political Views: Yes (party membership, opinions) - Special Category
  • Biometric: Yes when used for identification (fingerprints, face recognition) - Special Category
  • Company Data: No, usually (company revenue, org structure) - Not covered

Disclaimer: This tool provides general guidance based on common GDPR interpretations. Context matters significantly in determining whether data is personal. Always consult with a privacy professional for your specific situation. When in doubt, treat information as personal data to ensure compliance.

PII GDPR differences: US vs. EU 

American businesses often struggle with GDPR because PII (personally identifiable information) means something different in the US context. Understanding these differences helps avoid compliance gaps.

Data types vs rights

US privacy laws normally focus on specific data types that could cause harm if exposed. Social Security numbers, financial accounts, driver's licenses - these get protection because their misuse has clear negative consequences. The aim is to prevent identity theft and financial fraud, which is why it helps to know how GDPR differs from CCPA and from other US privacy regulations.

But GDPR flips this logic entirely. Europeans view privacy as a fundamental right, not contingent on potential harm. Any information relating to an identifiable person deserves protection, regardless of sensitivity. This rights-based framework explains why GDPR covers seemingly innocuous data like shopping preferences or browsing history.

Geography

Geography adds another layer. US companies might think they're exempt from GDPR, but the regulation reaches any organization processing EU residents' personal data.⁴ Selling one product to someone in Berlin? Congratulations, you're now subject to GDPR. Your company's location doesn't matter - your customers' location does.

Consider how this affects data classification. That customer database you've categorized into "sensitive" and "non-sensitive" buckets based on US standards? Under GDPR, it's all personal data requiring protection. Sure, some categories need extra safeguards, but even "basic" contact information demands proper handling, lawful basis documentation, and deletion schedules.

Common misconceptions that lead to compliance failures

Let's clear up the myths about personal data GDPR that keep causing expensive mistakes. These misconceptions seem logical but miss crucial nuances in how the regulation actually works.

Myth: "We anonymized it, so it's not personal data anymore."
Real anonymization requires permanent, irreversible removal of identifying elements. If you kept the key to reverse the process, or if someone could realistically re-identify individuals using other available data, you've only achieved pseudonymization. Pseudonymized data remains fully subject to GDPR requirements.⁵ Many "anonymous" datasets aren't nearly as anonymous as organizations believe.

Myth: "Business cards aren't personal data."
Wrong. That corporate email john.smith@company.com identifies a specific individual. Professional information gets the same protection as personal contact details. The business context doesn't eliminate privacy rights - employees and business contacts remain data subjects with full GDPR protections.

Myth: "It's public information, so GDPR doesn't apply."
Information being publicly available doesn't remove your obligations. Data scraped from LinkedIn, company websites, or public records still requires a lawful basis for processing, appropriate security, and compliance with all GDPR principles. While there are certain GDPR exemptions for specific situations, public availability alone doesn't create one.

Myth: "IP addresses are technical data, not personal data."
The European Court of Justice settled this definitively - dynamic IP addresses are personal data when the website operator has legal means to identify users.⁸ Static IPs are even clearer, as they consistently identify specific devices and, by extension, their users. Your server logs are full of personal data whether you realize it or not.

Myth: "Opinions aren't factual, so they're not personal data."
GDPR explicitly covers subjective information. Performance reviews, credit assessments, personality evaluations - if they relate to an identifiable person, they're personal data. Even incorrect opinions or false information about someone qualifies. Accuracy doesn't determine the protection requirement.

Best practices to identify and protect GDPR personal data

So you understand what qualifies as personal data under GDPR - now what? Here's how to translate this knowledge into compliant practices that protect both your business and your customers' privacy.

1. Start with a comprehensive data audit. You can't protect what you don't know you have. Document every system, spreadsheet, and sticky note that might contain personal information. Many organizations discover shadow IT systems during this process - that Excel file the sales team maintains, or the customer database someone built in Access years ago.

2. For each data collection point, ask yourself: What are we collecting? Why do we need it? How long must we keep it? If you can't answer all three clearly, you're probably collecting too much. Data minimization isn't just good practice - it's a legal requirement. This connects directly to the seven fundamental GDPR principles that govern how organizations must handle personal data.

3. Build privacy into your processes from the start. When designing new systems or forms, begin with the minimum necessary data and justify additions rather than starting with everything and cutting back. This “privacy-by-design” prevents scope creep and keeps your data collection proportionate to your actual needs.

4. Create clear retention schedules for different data categories. Customer purchase records might need keeping for seven years for tax purposes, while newsletter subscriptions could be deleted after two years of inactivity. Automated deletion prevents indefinite data hoarding and reduces your risk exposure. Remember - you can't breach data you don't have.

5. Don't forget about data in transit and informal storage. Those customer emails containing personal data? The WhatsApp messages with client information? The video recordings of Zoom calls? They all need the same protection as your main database. Establish clear policies about where personal data can be stored and transmitted.

6. Training makes or breaks compliance. Your team needs to recognize personal data in all its forms - from obvious examples like customer addresses to subtle ones like behavioral patterns. Regular workshops using real examples from your business context work better than generic GDPR training. When everyone understands what they're protecting and why, compliance becomes part of culture rather than a checkbox exercise.

Documentation and accountability requirements

GDPR demands you demonstrate compliance, not just achieve it. This accountability principle means maintaining comprehensive records about your personal data processing activities.

Your Records of Processing Activities (RoPA) should detail what personal data you process, your purposes and legal bases, who you share it with, retention periods, and security measures.⁹ This isn't busywork - it's your roadmap for managing personal data responsibly. When regulators come knocking or data subjects exercise their rights, these records prove you're taking privacy seriously.

Privacy notices require careful attention too. Gone are the days of burying details in legal jargon. You must clearly explain what personal data you collect, why you need it, how you use it, who sees it, and how long you keep it. Transparency means actually informing people, not just technically disclosing information in unreadable terms and conditions.

Document your legal basis decisions for each processing activity. Consent might seem easiest, but it's often the weakest foundation since people can withdraw it anytime. Legitimate interest provides more stability but requires documented balancing tests. Contractual necessity works for data essential to service delivery. Choose thoughtfully and document your reasoning.

Need a 100% GDPR-compliant CRM? Meet Zeeg.

Understanding GDPR personal data is one thing - managing it properly is another. Zeeg CRM was built from the ground up with European data protection in mind. Every appointment booked automatically captures customer information in a GDPR-compliant environment, hosted exclusively on German servers.

Unlike US-based CRMs, Zeeg integrates data protection into every feature. When clients book appointments, their personal data flows directly into your CRM with proper consent tracking and clear retention schedules. No manual data entry between systems, no questionable international transfers, no compliance gaps.

The platform lets you create custom objects and fields without enterprise pricing barriers - defining exactly what personal data you need while maintaining full documentation for regulators. Whether you're tracking basic contact information or managing special category data for healthcare appointments, everything stays within EU jurisdiction.

Starting at €10/month per user, Zeeg combines appointment scheduling with CRM functionality in one transparent system. Your data protection officer will appreciate the simplicity: one processor, one data flow, complete compliance.


GDPR personal data - FAQ

What exactly is personal data under GDPR? 

Personal data means any information relating to an identified or identifiable natural person. This includes obvious identifiers like names and email addresses, but also extends to IP addresses, employee IDs, location data, online identifiers, and even combinations of generic information that could identify someone when put together.

Is a work email address personal data for GDPR? 

Yes. Even though john.smith@company.com is a professional email, it identifies a specific individual. The business context doesn't remove GDPR protection - all information relating to identifiable individuals qualifies as personal data, regardless of whether it's personal or professional.

Do IP addresses count as personal data under GDPR? 

In most cases, yes. The European Court of Justice confirmed that dynamic IP addresses are personal data when the website operator has legal means to identify users. Static IP addresses almost always qualify since they consistently identify specific devices and their users. Your server logs are full of personal data.

Is information about deceased individuals personal data? 

No. GDPR only protects living individuals. Once someone passes away, their information no longer qualifies as personal data under GDPR. However, some EU member states have additional national rules protecting deceased persons' data.

In GDPR, what's the difference between personal data and special category data?

Special category data is a subset of personal data requiring extra protection due to its sensitive nature. While all special category data is personal data, not all personal data is special category. Special categories include health information, political opinions, religious beliefs, genetic data, biometric data for identification, racial/ethnic origin, sexual orientation, and trade union membership.

Is a sick leave record special category data? 

Yes. Any information about someone's health, including sick leave records, medical certificates, disability status, or health insurance claims, qualifies as special category health data requiring additional protection under Article 9 of GDPR.

Do photos count as personal data? 

Photos where individuals are recognizable definitely count as personal data. If the photo is used for identification purposes (like an employee ID photo), it might also qualify as special category biometric data. Even photos where people appear in the background could be personal data if individuals are identifiable.

When does information become personal data? 

Information becomes personal data when it relates to an identifiable person. Context matters enormously - a job title alone might not identify anyone, but "Marketing Manager at Small Company X" could pinpoint exactly one person. The combination of data points, the purpose of processing, and available additional information all affect whether something qualifies as personal data.

What's the difference between anonymous and pseudonymized data? 

Anonymous data has been irreversibly stripped of all identifying elements - it's no longer personal data. Pseudonymized data has had identifiers replaced but can still be re-identified using additional information. Pseudonymized data remains personal data under GDPR and requires full protection.

Can the same information be personal data for one company but not another? 

Yes. If Company A processes employee ID numbers to manage payroll, that's personal data. If Company B only sees anonymized ID ranges for statistical analysis without any ability to identify individuals, it might not be personal data for them. The purpose, context, and available information determine the classification.

Does GDPR apply to US companies? 

Yes, if they process personal data of people in the EU. Your company's location doesn't matter - your customers' location does. For detailed guidance on GDPR compliance requirements for US companies, including practical implementation steps, check our comprehensive guide.

How does GDPR's definition of personal data differ from US PII? 

US privacy laws typically list specific data types requiring protection (SSN, financial accounts, medical records). GDPR takes a broader approach - ANY information relating to an identifiable person needs protection. Data that wouldn't trigger US privacy laws might still require GDPR compliance.

Is publicly available information still personal data? 

Yes. Information being public doesn't remove GDPR obligations. Data scraped from LinkedIn, company websites, or public records still requires a lawful basis for processing, appropriate security, and compliance with all GDPR principles.

Do business cards contain personal data? 

Yes. Business cards typically contain names, job titles, email addresses, and phone numbers - all personal data requiring GDPR protection. Even though they're meant for sharing, you still need a lawful basis for processing this information and must protect it appropriately.

How long can we keep personal data? 

GDPR doesn't specify exact retention periods but requires that personal data not be kept longer than necessary for its purpose. You must define and document retention periods for different data categories. For example, employee records might need keeping for several years for legal reasons, while marketing contacts could be deleted after two years of inactivity.

What if we collect personal data by accident? 

If you accidentally collect personal data you don't need, delete it immediately. Document the incident and review your processes to prevent recurrence. Unintentional collection still counts as processing, so you need to handle it properly and ensure it doesn't happen again.

Are cookies personal data? 

Cookie identifiers that can be linked to individuals are personal data. This includes tracking cookies, analytics cookies that create user profiles, and any cookies that can be connected to other identifying information. Strictly necessary cookies that don't identify users might not be personal data.

Is encrypted data still personal data? 

Yes. Encryption is a security measure, not anonymization. Encrypted personal data remains personal data under GDPR. The ability to decrypt the information means individuals remain identifiable, so all GDPR requirements still apply.

Do we need consent for all personal data processing? 

No. Consent is just one of six legal bases for processing personal data. Others include contractual necessity, legal obligations, vital interests, public tasks, and legitimate interests. Choose the most appropriate basis for your specific processing activity - consent isn't always the best option.

What about employee data - is it all personal data? 

Yes. Everything in employee files qualifies as personal data - names, addresses, salaries, performance reviews, sick leave records, emergency contacts, and even opinions about their work performance. Some employee data (health information, union membership) qualifies as special category data requiring extra protection.

Is customer feedback personal data? 

If the feedback can be linked to an identifiable person, yes. Even pseudonymous reviews might be personal data if you can connect them to customer accounts. Truly anonymous feedback that cannot be linked to individuals wouldn't be personal data, but achieving true anonymity is harder than most businesses think.

Sources:

  1. Regulation (EU) 2016/679 Articles 4, 9 and 10 - Core Definitions
  2. UK GDPR - Key Definitions
  3. Opinion 05/2014 on Anonymisation Techniques
  4. GDPR Article 3 - Territorial Scope
  5. Recital 26 - Not Applicable to Anonymous Data
  6. Recital 27 - Not Applicable to Deceased Persons
  7. GDPR Article 6 - Lawfulness of Processing
  8. CJEU Judgment in Breyer v Germany
  9. GDPR Article 30 - Records of Processing Activities