Personal Data

Personal data is any information that can identify a natural person. This includes everything from names and email addresses to IP addresses, location data and cookies. When your organisation processes such information, you must comply with GDPR.


    What is personal data?

    Personal data, or personal information, is any form of information that can be linked to a specific individual. GDPR defines it broadly: if the information can directly or indirectly identify someone, it is personal data.

    Direct identification is the most obvious type. A name, a national identification number or a photograph of a person's face points directly to the individual. But indirect identification also counts. A combination of job title, employer and age may be enough to single out a specific person, even without a name.


    Rule of thumb:
    If you are in doubt whether a piece of information is personal data, it probably is. GDPR interprets the concept broadly, and data protection authorities follow this approach.

    Examples of personal data

    Here are the most common types of personal data that organisations process:

    • Contact information: Name, address, telephone number, email address.
    • Digital identifiers: IP addresses, cookie IDs, device IDs.
    • Public identifiers: National identification numbers, passport numbers, employee numbers.
    • Location data: GPS coordinates, address history, travel data.
    • Biometric data: Fingerprints, facial recognition, voiceprints.
    • Employment data: Salary information, employment contracts, performance reviews.

    Ordinary and sensitive personal data

    GDPR distinguishes between two categories. Ordinary personal data includes things like name, address and telephone number. Processing it requires a valid legal basis, but the rules are relatively straightforward.

    Sensitive personal data (GDPR Article 9) is a different matter. This includes information about:

    • Health and medical data
    • Race or ethnic origin
    • Political opinions
    • Religious beliefs
    • Trade union membership
    • Sexual orientation
    • Genetic and biometric data

    Processing sensitive data is prohibited by default. Your organisation may only do so if one of GDPR's specific exceptions applies.

    What does GDPR require?

    When your organisation processes personal data, there are several fundamental requirements to meet:

    • Lawful basis: You must have a legal basis for all processing.
    • Transparency: Data subjects must know what you use their data for.
    • Purpose limitation: You may only use data for the purpose you have stated.
    • Data minimisation: Only collect what you actually need.
    • Storage limitation: Delete data when you no longer need it.
    • Security: Protect data with appropriate technical and organisational measures.

    Personal data in practice

    Most organisations process far more personal data than they realise. Your HR system contains employee data, your CRM system is filled with customer information, and your website collects IP addresses and cookies from visitors.

    The first step is to gain an overview. You must document what personal data you process, where it resides and who has access. GDPR requires you to maintain a record of processing activities under Article 30.

    Frequently Asked Questions about Personal Data

    What is personal data?

    Personal data is any information that can identify a natural person directly or indirectly. This includes everything from names and addresses to IP addresses, location data and cookies.

    Is an email address personal data?

    Yes. A work email such as john@company.com is personal data because it can identify a specific person. Even generic addresses like info@company.com can be personal data if they are in practice only used by one person.

    What is the difference between ordinary and sensitive personal data?

    Ordinary personal data includes things like name, address and telephone number. Sensitive personal data covers special categories such as health data, trade union membership, biometric data and information about race or religion. Sensitive data is subject to stricter processing rules.

    Are IP addresses personal data?

    Yes. The Court of Justice of the EU has established that dynamic IP addresses are personal data because the internet service provider can link the address to a specific person. This means your organisation must treat IP addresses in accordance with GDPR.

    What is the first step to GDPR compliance for personal data?

    The first step is to gain a complete overview of what personal data your organisation processes, where it is stored and who has access. GDPR requires a record of processing activities under Article 30, which serves as the foundation for compliance.
