
What Is Personal Data (General Data Protection Regulation)

What is personal data under GDPR?

What type of information can be considered personal data?

How do we determine what information is protected and what is not?

In this article, we will break down the notion of “personal data” under GDPR: how it is defined, what type of information can be considered personal data, and where the limits of personal data lie.

Ready to dive in?

Let’s do this.

What is personal data under GDPR?

Personal data is any information relating to an individual allowing his or her identification, directly or indirectly, from the data gathered or from a combination of data.

Article 4(1) GDPR defines personal data as follows:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

The definition of personal data is interesting because data can be considered personal data not only when it relates to an identified individual but also when it relates to an identifiable person.

Let’s break down this definition into its constituent parts:

  1. Any information
  2. Relating to
  3. Natural person (data subject)
  4. Identified
  5. Identifiable 
  6. Directly or indirectly 
  7. Reference to an identifier 

We will look at each of these aspects of the definition in this article.

For now, we can gather that we are collecting, processing and storing personal data if it relates to:

  1. The direct identification of a data subject
  2. The indirect identification of a data subject
  3. A directly identifiable data subject using identifiers 
  4. An indirectly identifiable data subject using identifiers

Any information 

GDPR’s definition of personal data is very broad.

GDPR states that “any information” relating to an identified or identifiable individual can be personal data.

The definition of personal data gives us many examples of what can be considered information about a person:

  1. Identification number
  2. Location data
  3. Online identifier
  4. Physical factors
  5. Physiological factors
  6. Genetic factors
  7. Mental factors
  8. Economic factors
  9. Cultural factors
  10. Social identity factors

As you can see, the definition of personal data can be interpreted very broadly, and that was intended by GDPR.

The definition of information will include objective information about a person and subjective information about a person.

An example of objective information is someone’s age, while an example of subjective information is a person’s opinion about a subject.

“Relating to” a natural person 

For information to “relate to” a natural person, it must consist of more than just a mere identification of a person.

The information must concern them or have some sort of effect on them even though that was not the primary objective.

It is possible that data may point to an identifiable individual without the data being considered as personal data under GDPR.

Any information you collect, use and process related to an individual that may potentially have an impact on the person is personal information.

How to determine if the information “relates to” a person?

A company must assess whether or not the information they collect, use, process and store actually relates to a person.

What is the content of the data collected?

What is the purpose of the data collected?

By processing the data, what is the impact on the data subject?

Will the processing of data have an effect of any kind on the person?

Difficulty in qualifying data as personal data

Qualifying data as personal data may not be clear in all circumstances.

In some cases, we can clearly reach the conclusion that we are processing personal data.

In other instances, it may not be so straightforward or evident whether or not the data is personal or may allow the identification of a person.

The purpose and reason why data is being processed will have an important impact on determining whether data is personal or not.

If a company cannot ascertain data as personal, the Information Commissioner’s Office of the UK recommends that organizations treat the information with care, determine a clear purpose for processing the data and dispose of it safely.

A natural person (data subject)

When we say personal data, to whom does it apply?

For personal data to be relevant under GDPR, it has to be about a data subject.

The term data subject is not specifically defined under GDPR.

We can interpret GDPR’s articles and recitals to assert that GDPR intends to define a data subject as follows:

  1. Individuals located in the European Union
  2. Residents of the European Union
  3. Citizens of the European Union
  4. Residents and Citizens of EU located anywhere in the world
  5. Any person having personal data located in the European Union

You can read our article on what is a data subject under GDPR for additional insights on the notion of data subjects.

Identified natural person

When information allows the direct identification of a natural person who is located in the EU, is a resident or citizen of the EU, or has personal data in the EU, that information is personal data.

This can include information such as:

  1. Name
  2. Address
  3. Date of birth
  4. National identification number

With the information, there is no doubt that a data subject is identified.

When you look at the information you have, if you are able to identify a specific person, then that’s personal data as you can directly identify a natural person.

Identifiable natural person 

An identifiable natural person is not directly identified on the basis of the information you have but can be identified by analyzing the data with other data points.

Possibility of identifying a person

Even though a person cannot be directly identified with the information you have, it can still be considered personal data as there’s the possibility that the person may be identified (or is identifiable).

Missing information to identify a person 

Incomplete information that does not allow you to immediately identify a person can be personal data if you can get the missing information.

Therefore, it’s not relevant whether or not you have the missing information to directly identify the data subject.

Whether you already have the missing information to identify the data subject or you must get it from another source, the data you have can be personal data.

If you can somehow get the missing data, you may have personal information on hand.

Hypothetical possibility of identifying a person

Can a hypothetical scenario that someone may obtain the missing information be sufficient to qualify the data as personal data?

A hypothetical possibility that someone may reconstruct the data to identify a person is not enough.

A company must consider whether or not a person with sufficient means and knowledge would be able to reconstruct the data and identify a person.

If so, you should treat the data as personal data. 

Directly or indirectly 

Directly identifying a person is simple.

If you have information about “John”, you have directly identified John.

That’s personal data.

Instead of using his name, you can identify John using other data points such as his location, height, weight and hair colour.

That’s an example of a person being indirectly identified.

If you hold pieces of information that can be combined to identify a person, that’s personal information.

Information that you do not have but have a reasonable possibility of accessing can also lead to you having personal information.

Reference to an identifier 

Information can be personal data if, when used with identifiers, it can help identify a natural person or allow the identification of a person.

Article 4(1) GDPR gives us a list of identifiers:

  1. Identification number
  2. Location data
  3. Online identifier
  4. Physical factors
  5. Physiological factors
  6. Genetic factors
  7. Mental factors
  8. Economic factors
  9. Cultural factors
  10. Social identity factors

Recital 30 GDPR provides additional information on what can constitute “identifiers”:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

GDPR adds that companies may use online identifiers or other types of identifiers to identify a person, such as:

  1. Device data
  2. Application data
  3. Online tools
  4. Online protocols such as IP addresses
  5. Cookie identifiers
  6. Radio frequency identifiers
  7. Other identifiers

Traces left by an individual combined with unique identifiers and server information may allow a company to create profiles on a natural person and identify them.

What is considered personal data?

Any information about a person is personal data and GDPR is designed to protect it.

GDPR defines another class of personal information, the special categories of data, and protects it even further.

This second group contains information GDPR considers much more sensitive.

Special categories of data

What are the “special categories of data”?

Article 9 GDPR defines special categories of data as follows:

  • Racial or ethnic origin 
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where used for identification purposes)
  • Health data
  • Person’s sex life
  • Person’s sexual orientation

GDPR establishes stricter requirements to process special categories of data so individuals can benefit from additional legal protections.

Pseudonymous data 

Pseudonymous data is personal data under GDPR.

When personal data is “de-identified” by an organization, we say that the data has been pseudonymized. 

Pseudonymous data is not permanently and irreversibly de-identified.

A company generally will have the technical means to recreate the personal data.

A typical example is data encryption. 

When data is encrypted, a person viewing the data will not be able to make anything out of that data.

However, a company can decrypt the data and restore the original information as needed.

Anonymous data 

Anonymous data is not personal data under GDPR.

Data is anonymous when it has been permanently anonymized.

An individual or person will no longer be identifiable as the process is irreversible.

Business data

Any business data will not be considered personal data under GDPR. 

Business data can include:

  1. Company registry information
  2. Company address
  3. Company email address
  4. Product information
  5. Service documents
  6. Software documentation

GDPR intends to protect “natural persons”, making it clear that data about legal entities and corporations is not protected by GDPR.

Inferred data 

Inferred data is data that a company infers or derives from the analysis and assessment of other data.

If a company uses different data points about a person and infers an outcome or makes a prediction, is the inferred data personal data?

The Working Party’s guidance on data portability indicates that inferred data may be personal but not subject to the portability rights.

This raises the question: if inferred data may be personal data but not subject to the individual rights under GDPR, are companies exempt from the full application and scope of GDPR?

Examples of personal data

Here are some examples of personal data we may see in practice:

  1. First name and last name
  2. Home address
  3. Email address
  4. Telephone number
  5. National identification number
  6. Medical file
  7. Banking information
  8. Account data
  9. Credit card number
  10. Credit history 
  11. Employee number 
  12. Employee timesheets
  13. Employee performance 
  14. Exam answers 
  15. IP address
  16. Cookie ID
  17. Location data 
  18. License plate number
  19. The appearance of the person
  20. Client ID
  21. Person’s opinion
  22. Person’s views

It’s nearly impossible to list all the information that is potentially personal data under GDPR.

Every organization must assess the data it collects and obtains from other sources and determine whether or not that data identifies a natural person or makes a person identifiable.

Editorial Staff
Hello Nation! I'm a lawyer by trade and an entrepreneur by spirit. I specialize in law, business, marketing, and technology (and love it!). I'm an expert SEO and content marketer where I deeply enjoy writing content in highly competitive fields. On this blog, I share my experiences, knowledge, and provide you with golden nuggets of useful information. Enjoy!
