What Is Personal Data Under GDPR? Definition, Examples, and Compliance
Learn what personal data is under GDPR, including identifiers, sensitive categories, cookies and IP addresses, and what businesses must do to stay compliant.

Definition: what “personal data” means under the GDPR
GDPR personal data is any info about an identified or identifiable natural person. If you can link it to a real human, GDPR likely applies.
This is the short answer to what personal data is under GDPR. It is not limited to names or bank details.
GDPR uses a wide lens. It focuses on the person behind the data, not the data format.
You do not need the person’s name stored in your system. If you can still single out the person, it can be personal data.
- Identified: you already know who the person is.
- Identifiable: you can figure out who the person is.

Key characteristics: what makes data “personal”
Two points drive the test. First, the data must relate to a person. Second, that person must be identifiable.
“Related to” can mean more than facts. It can also cover opinions and judgements about a person. These can still be personal data under GDPR in practice.
Identifiability can be direct or indirect. Direct links include names and customer numbers. Indirect links include device IDs, location signals, and online IDs.
GDPR also looks at “reasonable means.” That means you consider tools others could use. You also consider what you could likely access.
| Check | Examples |
|---|---|
| Relates to a person | Orders, complaints, notes, scores |
| Identifiable person | ID numbers, user IDs, device IDs |
| Reasonable means | What you or partners can realistically match |
So, ask a simple question. Can you single out one natural person from this data?

Examples: personal information that often falls in scope
Common examples include names, emails, and phone numbers. Customer IDs and user logins also fit this rule.
Online activity data can also be personal data. Session logs can track a user across pages and time.
Location data is often personal data too. Even rough location can help single out a person with other signals.
Subjective notes can also be personal data. HR comments, service ratings, and risk comments can describe a person’s traits.
Here is a fast list of what teams often find in audits. Use it as a starting point, then test identifiability.
- Contact details: name, email, phone
- Online IDs: account IDs, user IDs
- Device data: device IDs, browser IDs
- Location traces: GPS points, mobile location
- Activity signals: clicks, search terms, sessions
- Evaluations: risk scores, coach notes, reviews

Sensitive personal data: the categories that need extra care
Some personal data is “sensitive.” GDPR calls these special categories of personal data.
These need stronger rules. They also raise risk if mishandled.
Examples include health data, racial or ethnic data, and biometric data. Personal beliefs can also fall in this group.
“Biometric data” can be tricky. It is about data used for identification. It is not just any face or scan file.
| Sensitive category | Example | What it implies |
|---|---|---|
| Health | Medical notes | Higher harm risk |
| Race or ethnicity | Group data | Discrimination risk |
| Biometric data | Face or print templates | Harder to undo |
| Personal beliefs | Religious or political views | Extra care needed |
When you hit sensitive data, tighten your controls. Limit access and set clear retention limits.

Identifiability and data processing: the moving parts
GDPR personal data turns on identifiability. It also turns on how you handle the data.
GDPR uses “identification criteria.” These are the tests for who can be singled out. The test looks at reasonable means, not perfect certainty.
Pseudonymised data can still be personal data. It replaces direct IDs with code or token values. Re-linking is still possible in many systems.
Truly anonymised data is different. It is data where re-linking is not realistically possible. If anonymisation holds, GDPR may not apply.
GDPR also uses “data processing” in a broad way. Collection, storage, use, and sharing are all processing. Analysis and profiling also count as processing.
- List each data type you collect and why.
- Test direct and indirect identifiers.
- Check if the data is pseudonymised or truly anonymised.
- Log each processing step and its safeguards.
Keep proof of your logic. It helps when a regulator asks questions.
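
The difference between pseudonymised and anonymised data can be shown in a few lines. This is an added example, not part of the original article; the key, the sample events and all function names are constructed for illustration, and keyed hashing (HMAC) is just one common way to produce tokens.

```python
import hashlib
import hmac

# Constructed sample data: the key and every event below are made up.
SECRET_KEY = b"constructed-demo-key"  # kept by the controller, apart from the data
EVENTS = [
    {"email": "alice@example.com", "page": "/pricing"},
    {"email": "bob@example.com", "page": "/docs"},
    {"email": "alice@example.com", "page": "/checkout"},
]

def token_for(email, key=SECRET_KEY):
    """Keyed pseudonym: the same email and key always give the same token."""
    digest = hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()
    return digest[:16]

def pseudonymise(events, key=SECRET_KEY):
    """Replace the direct identifier with a token and keep the rest."""
    return [{"token": token_for(e["email"], key), "page": e["page"]} for e in events]

def single_out(records, token):
    """No key needed: a stable token still links one person's activity."""
    return [r["page"] for r in records if r["token"] == token]

def relink(records, known_emails, key=SECRET_KEY):
    """With the key, recompute tokens for known identifiers and map them back."""
    lookup = {token_for(e, key): e for e in known_emails}
    return {r["token"]: lookup.get(r["token"]) for r in records}

def aggregate(events):
    """Per-page counts only: no token or per-person row survives.
    Whether the result is truly anonymised still depends on the
    reasonable-means test, since very small counts can single someone out."""
    counts = {}
    for e in events:
        counts[e["page"]] = counts.get(e["page"], 0) + 1
    return counts

if __name__ == "__main__":
    records = pseudonymise(EVENTS)
    print(records)
    print(single_out(records, records[0]["token"]))
    print(relink(records, ["alice@example.com", "bob@example.com"]))
    print(aggregate(EVENTS))
```

The pseudonymised records stay in scope because `single_out` and `relink` both succeed; only the aggregated output drops the per-person link.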

Are cookies and IP addresses personal data under GDPR?
Yes, they can be. People often ask whether cookies are personal data under GDPR. Cookie IDs can single out one user.
When a cookie ID can link to a person, it is personal data. That is true even if names are not in the cookie.
IP addresses are similar, but context matters. People also ask whether an IP address is considered personal data under GDPR. It depends on whether you can connect it to a person.
In many sites, teams can link IP logs to accounts. They can also link IP logs to time and actions. That can meet the identifiability test.
So, use a practical method. Ask if a person can be singled out with what you can access.
- If you can match IP logs to accounts, treat IP as personal data.
- If cookies are tied to a user profile, treat cookies as personal data.
- If you cannot link it with reasonable means, document that conclusion.
For compliance, safer is clearer. Treat identifiers as personal data when you can link them.

Implications for businesses: how compliance usually works
If you process personal data, you must meet GDPR duties. This includes rules on notice, choice, and care.
One key question is who is responsible for data protection compliance. Usually, the controller decides why and how data is used.
A processor acts on behalf of the controller. This role split matters for contracts and duties.
Businesses also need to know what data compliance means in day-to-day terms. It means you build work steps that meet GDPR rules.
Teams often use software to support those steps. For example, they may use privacy request tools. They may also use records tools for processing activities.
You should also run a data map. This finds where personal data sits across systems. It also shows who has access.
Here are common compliance building blocks. They are not theory. They are work you can assign.
- Set a lawful basis for each processing goal.
- Use clear privacy notices for the data subject.
- Use data minimisation and keep less data.
- Set retention rules and delete when done.
- Protect data with access control and safe storage.
- Plan how you handle rights requests.
Penalties can be large. Regulators can also order changes fast.

Career note and clarifications
A common question is how to become a data privacy lawyer. It often means law school plus privacy work experience. You then build skill in GDPR personal data work.
Another is what a data privacy lawyer does. They advise on data protection laws. They also help draft policies and handle disputes.
This is a real compliance path. Many privacy jobs start in legal ops or risk roles.

Quick “scope” check for common situations
If someone asks “which of the following is not personal data under GDPR,” think anonymised data. If it is not linkable, it often falls outside GDPR.
If someone asks “which of the following is personal data under GDPR,” think identifiers and linkable traces. If you can single out one natural person, it counts.
Another common question is what counts as personal data under GDPR in a specific workflow. The answer comes from identifiability and purpose.
When in doubt, document your test. That is the best bridge from law to operations.

FAQ
- What is personal data under GDPR?
  - It is any info about an identified or identifiable natural person. Identifiable means you can single someone out using reasonable means.
- What counts as personal information under GDPR besides names and emails?
  - Many identifiers count, including online IDs, device data, and location traces. Opinions and risk ratings tied to a person can also be personal data.
- Are cookies personal data under GDPR?
  - They can be, especially when cookie IDs can single out a user. Many site operators treat cookie IDs as personal data for compliance.
- Is an IP address considered personal data under GDPR?
  - It can be, if you can link the IP address to a person using reasonable means. If you can connect IP logs to accounts, it is usually personal data.
- Is pseudonymised data still personal data under GDPR?
  - Yes. Pseudonymised data still counts because re-linking is usually possible in real systems.
- Which of the following is not personal data under GDPR?
  - Truly anonymised data is typically not personal data. If you cannot identify people by any reasonable means, GDPR may not apply.

