Personal Data

Definition

Personal data is any information relating to an identified or identifiable natural person (the data subject). Under the GDPR, this is a broad definition—if data can be used to directly or indirectly identify someone, it's personal data. This includes obvious identifiers like names, email addresses, phone numbers, and ID numbers, but also extends to online identifiers (IP addresses, cookie IDs), location data, financial information, and even information about someone's physical, physiological, genetic, mental, economic, cultural, or social identity.

The key test is identifiability—can this data, alone or combined with other information, identify an individual? Even if data seems anonymous in isolation, it may be personal data if it can be linked back to a person through other available information. The definition deliberately covers a wide range of data types to ensure robust protection. Personal data that's been pseudonymized remains personal data because it can still be attributed to someone with additional information. Only truly anonymized data—where re-identification is impossible—falls outside the definition.

The classification matters because personal data triggers all GDPR obligations including lawful basis requirements, transparency, security measures, and data subject rights. Organizations must be able to identify what constitutes personal data in their systems to comply with privacy laws.

Applicable Laws & Regulations

  1. GDPR Article 4(1)
  2. GDPR Recital 26
  3. Data Protection Directive 95/46/EC Article 2(a)
  4. UK Data Protection Act 2018 Section 3
