Personal data is any information relating to an identified or identifiable natural person. This definition, set out in Article 4(1) of the GDPR, determines whether the regulation applies. If an organization processes personal data, all 99 articles of the GDPR apply. If no personal data is involved, none of them do.
In September 2025, the CJEU issued a landmark ruling in EDPS v SRB (Case C-413/23 P) clarifying that pseudonymized data is not automatically personal data for every holder — only when re-identification is “reasonably likely” for the specific recipient. This ruling, and the EU Digital Omnibus proposal that followed in November 2025, are reshaping how the definition of personal data is applied in practice.
What Is Personal Data Under GDPR?
How Does Article 4(1) Define Personal Data?
The GDPR defines personal data broadly:
“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” — Article 4(1) GDPR
The definition contains four cumulative elements:
- “Any information” — The scope is deliberately broad. It covers objective data (date of birth, address) and subjective data (opinions, assessments). The CJEU confirmed in EDPS v SRB (2025) that personal opinions are inherently linked to their authors and constitute personal data by their very nature.
- “Relating to” — The information must concern the individual, whether by content, purpose, or effect.
- “Identified or identifiable” — A person is identifiable when they can be distinguished from all other persons, directly or indirectly. Indirect identification means combining data points to single out a person.
- “Natural person” — The GDPR protects living individuals only. Data about legal entities (companies), deceased persons, or purely anonymous datasets falls outside its scope.
What Are Common Examples of Personal Data?
The following are personal data when they relate to an identifiable individual:
- Full name (first name + last name)
- National identification or social security number
- Email address (especially corporate addresses containing a name)
- IP address — the CJEU ruled in Breyer (C-582/14) that even dynamic IP addresses can constitute personal data when the controller has legal means to obtain additional identification information from the ISP
- Photographs of a person
- Voice recordings
- License plate numbers
- Location data (GPS coordinates, cell tower data)
- Cookie identifiers and device fingerprints
- CVs and LinkedIn profiles
- Employee records, payroll data, performance reviews
Personal data is not the same as private data. A person’s name on a public business directory is personal data, even though it is not private. The legal definition is broader than the everyday meaning: any data that enables identification falls under the GDPR, regardless of whether the person considers it intimate or confidential.
What Is Not Personal Data?
How Does Anonymization Differ from Pseudonymization?
Understanding this distinction is critical because it determines whether the GDPR applies.
Anonymized data falls entirely outside the GDPR’s scope. Recital 26 states that the regulation “does not concern the processing of anonymous information, including for statistical or research purposes.” Data is anonymous only when re-identification is no longer “reasonably likely” considering all means, costs, and technology available.
Pseudonymized data remains personal data under the GDPR. Pseudonymization replaces identifiers with codes or tokens, but the link to the individual can be restored using additional information held separately. Pseudonymized data benefits from certain regulatory advantages (e.g., it is recognized as a safeguard under Article 89(1) for research purposes), but it does not exempt the controller from GDPR obligations.
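The pseudonymization described above, and the indirect identification mentioned under Article 4(1), sketched as an added Python example that is not taken from this article or from any product it mentions. The sample records, field names and choice of quasi-identifiers are constructed assumptions, and the uniqueness check is a technical indicator only, not the legal "reasonably likely" test.

```python
import secrets
from collections import Counter

# Constructed sample records (not from the article): a direct identifier,
# two indirect attributes, and a free-text comment.
RECORDS = [
    {"name": "Alice Martin", "postcode": "75011", "birth_year": 1984, "comment": "I object."},
    {"name": "Bruno Keller", "postcode": "75011", "birth_year": 1984, "comment": "Please review."},
    {"name": "Chloe Dubois", "postcode": "69003", "birth_year": 1991, "comment": "No remarks."},
    {"name": "David Novak", "postcode": "75011", "birth_year": 1984, "comment": "I want a hearing."},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year")  # assumed indirect identifiers


def pseudonymize(records):
    """Replace the direct identifier with a random code.

    Returns (shared, key_table): `shared` is what the recipient receives,
    `key_table` is the additional information the controller holds separately.
    """
    shared, key_table = [], {}
    for rec in records:
        code = secrets.token_hex(8)  # random, not derived from the name
        key_table[code] = rec["name"]
        row = {k: v for k, v in rec.items() if k != "name"}
        row["code"] = code
        shared.append(row)
    return shared, key_table


def reidentify(code, key_table):
    """Controller-side lookup; returns None without the key table entry."""
    return key_table.get(code)


def singled_out(shared, quasi=QUASI_IDENTIFIERS):
    """Codes whose quasi-identifier combination is unique in the dataset."""
    combo = lambda r: tuple(r[q] for q in quasi)
    counts = Counter(combo(r) for r in shared)
    return [r["code"] for r in shared if counts[combo(r)] == 1]


if __name__ == "__main__":
    shared, key_table = pseudonymize(RECORDS)
    print("recipient sees:", shared[0])
    print("controller re-identifies:", reidentify(shared[0]["code"], key_table))
    print("unique on quasi-identifiers:", [key_table[c] for c in singled_out(shared)])
```

A row that is unique on its remaining attributes can still be singled out by anyone holding a second dataset with the same attributes, which is why removing the name alone does not settle whether a recipient can re-identify.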
What Changed with the 2025 CJEU Ruling on Pseudonymized Data?
On September 4, 2025, the CJEU delivered its ruling in EDPS v SRB (Case C-413/23 P), fundamentally clarifying when pseudonymized data constitutes personal data. The case arose when the SRB pseudonymized shareholder comments — removing names and replacing them with random codes — before transferring them to a consulting firm.
The CJEU held that pseudonymized data “must not be regarded as constituting, in all cases and for every person, personal data.” The key test is whether the recipient has “means reasonably likely to be used” to re-identify the data subject. If the recipient lacks both the additional information and the legal or practical means to obtain it, the data is not personal data in their hands.
This ruling has direct practical consequences. An organization that shares pseudonymized datasets with a third party who has no re-identification capability may not need a data processing agreement for that transfer. However, the data remains personal data for the original controller who holds the re-identification key.
Is the Definition of Personal Data Changing?
In November 2025, the European Commission proposed codifying this principle in the EU Digital Omnibus regulation. The EDPB and EDPS opposed the proposal, warning it would “significantly narrow the concept of personal data.” A leaked Council compromise from February 2026 eliminated the revised definition, instead acknowledging the EDPB’s ongoing work on pseudonymization guidance. The outcome of these negotiations will shape the practical application of the personal data definition for years to come.
What Are Special Categories of Personal Data?
Article 9 of the GDPR defines certain types of personal data as “special categories” that require enhanced protection. Processing these categories is prohibited by default, with limited exceptions:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used for identification
- Health data
- Data concerning sex life or sexual orientation
Criminal conviction data is governed separately under Article 10 and subject to its own processing restrictions. Organizations processing special categories of data at scale must designate a Data Protection Officer under Article 37.
What Happens When You Process Personal Data?
What Are Your Core GDPR Obligations?
Once an organization determines that it processes personal data, the full GDPR framework applies. The core obligations include:
- Record of processing activities (Article 30) — Every processing activity must be documented with its purpose, legal basis, data categories, recipients, and retention periods.
- Legal basis — Each processing activity must rely on one of the six legal bases in Article 6 (consent, contract, legal obligation, vital interests, public task, or legitimate interests).
- Data subject rights — Individuals have the right to access, rectify, erase, restrict, and port their personal data.
- Security measures — Appropriate technical and organizational measures must protect the data (Article 32).
- Breach notification — Personal data breaches must be reported to the supervisory authority within 72 hours (Article 33). For detailed guidance, see our article on how to handle data breaches under the GDPR.
Compliance platforms such as Legiscope automate the creation of records of processing activities, reducing a process that typically takes weeks to a matter of minutes for standard processing operations.
Disclaimer: This article provides general guidance on the GDPR definition of personal data and does not constitute legal advice. Consult a qualified data protection professional for advice specific to your situation.
Conclusion
The definition of personal data is the gateway to GDPR compliance. Its broad scope — “any information relating to an identified or identifiable natural person” — captures far more data than most organizations initially expect.
The September 2025 CJEU ruling in EDPS v SRB has introduced a more contextual approach to pseudonymized data, while the EU Digital Omnibus negotiations (2025-2026) signal that the definition itself may evolve. Organizations should monitor these developments and ensure their data mapping reflects the current legal landscape.
Last reviewed: March 2026

