
Personal Data Under GDPR: Definition


Personal data under GDPR is any information relating to an identified or identifiable natural person. This definition, set out in Art. 4(1) GDPR, is the gateway to the entire regulation: if an organisation processes personal data, all 99 articles of the GDPR apply. If no personal data is involved, none of them do. Understanding what constitutes personal data under GDPR is the first compliance question every organisation must answer.

Key Takeaways

  • Art. 4(1) GDPR defines personal data as “any information relating to an identified or identifiable natural person” — the scope is deliberately broad.
  • Personal data includes obvious identifiers (names, emails) and indirect identifiers (IP addresses, cookie IDs, location data) that can identify someone in combination.
  • Pseudonymised data remains personal data under GDPR. Only truly anonymous data — where re-identification is impossible — falls outside scope.
  • Special categories (Art. 9) — health, biometric, genetic, racial origin, political opinions, religious beliefs, sex life — require enhanced protection and an Art. 9(2) legal basis.
  • The September 2025 CJEU ruling in EDPS v SRB (C-413/23 P) clarified that pseudonymised data is not automatically personal data for every recipient — only when re-identification is “reasonably likely.”

How Art. 4(1) GDPR Defines Personal Data

The GDPR defines personal data broadly:

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” — Art. 4(1) GDPR

The definition contains four cumulative elements:

  1. “Any information” — The scope is deliberately broad. It covers objective data (date of birth, address) and subjective data (opinions, assessments). The CJEU confirmed in EDPS v SRB (2025) that personal opinions are inherently linked to their authors and constitute personal data by their very nature.

  2. “Relating to” — The information must concern the individual, whether by content, purpose, or effect. A medical report relates to the patient by content. CCTV footage of an employee relates to them by purpose (monitoring). A credit score relates to the individual by effect (determines their access to finance).

  3. “Identified or identifiable” — A person is identified when they are distinguished from all others within a group. They are identifiable when identification is possible — directly or indirectly — by combining available data points.

  4. “Natural person” — The GDPR protects living individuals only. Data about legal entities (companies), deceased persons, or purely anonymous datasets falls outside its scope.

Categories of Personal Data Under GDPR

Personal data under GDPR covers a vast range of information. The key is not whether the data seems sensitive, but whether it can identify a person.

Direct Identifiers

These identify an individual on their own:

  • Full name (first name + last name)
  • National identification or social security number
  • Passport number
  • Photograph of a face
  • Fingerprint or other biometric data

Indirect Identifiers

These identify someone when combined with other available information:

  • IP address — The CJEU ruled in Breyer v Germany (C-582/14, October 2016) that even dynamic IP addresses constitute personal data when the controller has legal means to obtain additional identification information from the ISP.
  • Cookie identifiers and device fingerprints — tracking technologies that create unique profiles
  • Location data (GPS coordinates, cell tower data, Wi-Fi connection logs)
  • Email address — especially corporate addresses containing a name (john.smith@company.com)
  • Employee ID numbers paired with organisational directories
  • Vehicle licence plates combined with registration databases

Professional and Behavioural Data

  • CVs, LinkedIn profiles, professional qualifications
  • Employee records, payroll data, performance reviews
  • Purchase history and browsing behaviour
  • Voice recordings (customer service calls)
  • Keystroke patterns and usage analytics

Key distinction: Personal data is not the same as private data. A person’s name on a public business directory is personal data under GDPR, even though it is not private. The legal definition covers any data that enables identification, regardless of whether the person considers it intimate or confidential.

For a detailed analysis of whether IP addresses constitute personal data, see our dedicated guide.

What Is Not Personal Data: Anonymisation vs Pseudonymisation

Understanding this distinction is critical because it determines whether the GDPR applies at all.

Anonymous Data

Anonymised data falls entirely outside GDPR scope. Recital 26 states that the regulation “does not concern the processing of anonymous information, including for statistical or research purposes.” Data is anonymous only when re-identification is no longer “reasonably likely” considering all means, costs, and technology available.

True anonymisation is difficult to achieve. Simply removing names is rarely sufficient — combinations of age, location, and profession can re-identify individuals in datasets. The Article 29 Working Party’s Opinion 05/2014 on Anonymisation Techniques remains the primary reference, identifying three risks: singling out, linkability, and inference.
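The singling-out risk described above can be measured directly. The following Python check, added here as an illustration and not taken from the article or the Working Party opinion, takes a constructed dataset from which names have already been removed, counts how many records share each combination of quasi-identifiers (age, city, profession), and reports which rows remain unique. It then applies two generalisation steps (age bands, suppressing the city) to show how the smallest group size, the k in k-anonymity, rises above 1. The records, the choice of quasi-identifiers and the 20-year band width are all assumptions made for the example.

```python
"""Singling-out check on a name-stripped dataset (added example, constructed data)."""
from collections import Counter
from typing import Sequence

# Constructed sample: names already removed, but age, city and profession kept.
RECORDS = [
    {"age": 34, "city": "Lyon", "profession": "nurse", "comment": "Supports the plan"},
    {"age": 36, "city": "Lyon", "profession": "nurse", "comment": "Opposes the plan"},
    {"age": 52, "city": "Paris", "profession": "lawyer", "comment": "Undecided"},
    {"age": 29, "city": "Paris", "profession": "lawyer", "comment": "Supports the plan"},
    {"age": 58, "city": "Marseille", "profession": "lawyer", "comment": "Opposes the plan"},
    {"age": 29, "city": "Paris", "profession": "lawyer", "comment": "Opposes the plan"},
]
QUASI_IDENTIFIERS = ("age", "city", "profession")  # assumed set of linkable attributes


def _key(record: dict, quasi_identifiers: Sequence[str]) -> tuple:
    return tuple(record[q] for q in quasi_identifiers)


def group_sizes(records: list, quasi_identifiers: Sequence[str]) -> Counter:
    """How many records share each combination of quasi-identifier values."""
    return Counter(_key(r, quasi_identifiers) for r in records)


def singled_out(records: list, quasi_identifiers: Sequence[str]) -> list:
    """Indices of records whose quasi-identifier combination is unique (k = 1):
    anyone who knows those attributes about a person can pick out their row."""
    sizes = group_sizes(records, quasi_identifiers)
    return [i for i, r in enumerate(records) if sizes[_key(r, quasi_identifiers)] == 1]


def k_anonymity(records: list, quasi_identifiers: Sequence[str]) -> int:
    """Smallest equivalence-class size; k >= 2 means no record is singled out."""
    return min(group_sizes(records, quasi_identifiers).values())


def age_band(age: int, width: int = 20) -> str:
    """Generalise an exact age to a band such as '40-59' (width is an assumption)."""
    lower = (age // width) * width
    return f"{lower}-{lower + width - 1}"


def generalise(records: list) -> list:
    """Coarsen the dataset: band the age and suppress the city entirely."""
    return [
        {"age": age_band(r["age"]), "profession": r["profession"], "comment": r["comment"]}
        for r in records
    ]


if __name__ == "__main__":
    print("singled out (raw):", singled_out(RECORDS, QUASI_IDENTIFIERS))
    print("k (raw):", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    coarse = generalise(RECORDS)
    print("k (generalised):", k_anonymity(coarse, ("age", "profession")))
```

On the raw records four of the six rows are unique even without names; after generalisation every row shares its attributes with at least one other. Note that k >= 2 only addresses singling out: if every member of a group carried the same comment, the comment could still be inferred from the attributes, which is the inference risk the opinion lists separately.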

Pseudonymised Data

Pseudonymised data remains personal data under GDPR. Pseudonymisation replaces identifiers with codes or tokens, but the link to the individual can be restored using additional information held separately. Pseudonymised data benefits from certain regulatory advantages — it is recognised as a safeguard under Art. 89(1) for research purposes and counts towards data minimisation under Art. 5(1)(c) — but it does not exempt the controller from GDPR obligations.

In January 2025, the EDPB adopted Guidelines 01/2025 on Pseudonymisation, setting out detailed legal and technical requirements for pseudonymisation to be effective as a safeguard under Art. 5, 25, and 32 GDPR.
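The mechanics this section describes, replacing a name with a token while keeping the means of reversal separate, can be shown in a few lines. The Python below is an added example, not code from the article, from Legiscope or from the EDPB guidelines. It derives each token from the name with HMAC-SHA256 under a secret key the controller keeps, produces an outgoing dataset that carries only tokens, keeps the token-to-name table on the controller's side, and shows that a party holding the dataset but not the key cannot link tokens to a list of candidate names. The names, comments and key are constructed for the example; HMAC is one common construction and not the only one the guidelines admit.

```python
"""Pseudonymisation with separately held additional information (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample: comments attributed to named individuals.
RECORDS = [
    {"name": "Alice Martin", "comment": "The valuation method was flawed."},
    {"name": "Bruno Keller", "comment": "I agree with the resolution decision."},
    {"name": "Alice Martin", "comment": "Further disclosure is needed."},
]

# The controller's pseudonymisation key. Generated here for the demo (assumption);
# in practice it lives in a key store and never travels with the dataset.
CONTROLLER_KEY = secrets.token_bytes(32)


def make_token(key: bytes, identifier: str) -> str:
    """Deterministic pseudonym: HMAC-SHA256 of the identifier under the secret key.
    Deterministic, so the same person keeps the same code across the dataset
    (the recipient can still see that two comments come from one author);
    keyed, so tokens cannot be recomputed from candidate names without the key,
    which an unkeyed hash of the name would allow. Truncated to 128 bits."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(key: bytes, records: list) -> tuple:
    """Split the data: an outgoing dataset carrying only tokens, and a
    re-identification table that stays with the controller."""
    outgoing, lookup = [], {}
    for r in records:
        token = make_token(key, r["name"])
        lookup[token] = r["name"]
        outgoing.append({"pseudonym": token, "comment": r["comment"]})
    return outgoing, lookup


def reidentify(lookup: dict, outgoing: list) -> list:
    """Controller side: restore names from the separately held table."""
    return [{"name": lookup[r["pseudonym"]], "comment": r["comment"]} for r in outgoing]


def linkable_records(outgoing: list, candidate_names: list, key: bytes) -> int:
    """Count outgoing records whose token matches a candidate name under `key`.
    With the controller's key every record links; with any other key none does.
    The key (or the lookup table) is the 'additional information kept separately'
    in the Art. 4(5) GDPR definition of pseudonymisation."""
    tokens = {make_token(key, n) for n in candidate_names}
    return sum(1 for r in outgoing if r["pseudonym"] in tokens)


if __name__ == "__main__":
    outgoing, table = pseudonymise(CONTROLLER_KEY, RECORDS)
    names = [r["name"] for r in RECORDS]
    print("outgoing dataset:", outgoing)
    print("links with controller key:", linkable_records(outgoing, names, CONTROLLER_KEY))
    print("links with another key:", linkable_records(outgoing, names, secrets.token_bytes(32)))
    print("restored by controller:", reidentify(table, outgoing))
```

For the controller, who holds `CONTROLLER_KEY` and `table`, the outgoing dataset remains personal data; whether it is personal data in the recipient's hands turns on whether the recipient has means reasonably likely to be used to obtain that key or table, which is the question the EDPS v SRB ruling below addresses.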

The 2025 CJEU Ruling: EDPS v SRB (C-413/23 P)

On September 4, 2025, the CJEU delivered its ruling in EDPS v SRB (Case C-413/23 P), fundamentally clarifying when pseudonymised data constitutes personal data. The case arose when the SRB pseudonymised shareholder comments — removing names and replacing them with random codes — before transferring them to a consulting firm.

The CJEU held that pseudonymised data “must not be regarded as constituting, in all cases and for every person, personal data.” The key test is whether the recipient has “means reasonably likely to be used” to re-identify the data subject. If the recipient lacks both the additional information and the legal or practical means to obtain it, the data is not personal data in their hands.

Practical consequence: An organisation that shares pseudonymised datasets with a third party who has no re-identification capability may not need a data processing agreement for that transfer. However, the data remains personal data for the original controller who holds the re-identification key.

EU Digital Omnibus Proposal (2025-2026)

In November 2025, the European Commission proposed codifying the EDPS v SRB principle in the EU Digital Omnibus regulation. The EDPB and EDPS opposed the proposal, warning it would “significantly narrow the concept of personal data.” A leaked Council compromise from February 2026 eliminated the revised definition, instead acknowledging the EDPB’s ongoing work on pseudonymisation guidance. The outcome will shape the practical application of the GDPR definition of personal data for years to come.

Special Categories of Personal Data (Art. 9)

Art. 9 GDPR defines certain types of personal data as “special categories” that require enhanced protection. Processing these categories is prohibited by default, with limited exceptions under Art. 9(2):

Special categories and examples:

  • Racial or ethnic origin: nationality, ethnicity recorded in HR systems
  • Political opinions: party membership, political donations
  • Religious or philosophical beliefs: religious affiliation, dietary requirements indicating beliefs
  • Trade union membership: union dues deducted from payroll
  • Genetic data: DNA test results, genetic predisposition data
  • Biometric data (for identification): fingerprints, facial recognition templates, iris scans
  • Health data: medical records, sick leave data, disability status
  • Sex life or sexual orientation: dating app profiles, medical records indicating orientation

Processing special category data requires one of the legal bases in Art. 9(2) — typically explicit consent (Art. 9(2)(a)), employment law obligations (Art. 9(2)(b)), or substantial public interest (Art. 9(2)(g)).

Criminal conviction data is governed separately under Art. 10 and may only be processed under the control of official authority or with specific Member State authorisation.

Organisations processing special categories of data at scale must designate a Data Protection Officer under Art. 37(1)(c).

What Happens When You Process Personal Data

Once an organisation determines that it processes personal data under GDPR, the full regulatory framework applies:

  • Record of processing activities (Art. 30) — every processing activity must be documented with its purpose, legal basis, data categories, recipients, and retention periods.
  • Legal basis — each processing activity must rely on one of the six legal bases in Art. 6: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
  • Data subject rights — individuals have the right to access, rectify, erase, restrict, and port their personal data.
  • Security measures — appropriate technical and organisational measures must protect the data (Art. 32).
  • Breach notification — personal data breaches must be reported to the supervisory authority within 72 hours (Art. 33).
  • Data accuracy — Art. 5(1)(d) requires that personal data be accurate and kept up to date. For implementation guidance, see our article on data accuracy under GDPR.

Compliance platforms such as Legiscope automate the creation of records of processing activities, reducing a process that typically takes weeks to a matter of minutes for standard processing operations.

FAQ

What counts as personal data under GDPR?

Art. 4(1) GDPR defines personal data as any information relating to an identified or identifiable natural person. This includes names, email addresses, IP addresses (per the Breyer ruling), location data, cookie identifiers, and any combination of data that can identify someone indirectly. The scope is deliberately broad — if in doubt, treat it as personal data.

Is pseudonymised data still personal data under GDPR?

Yes, for the controller who holds the re-identification key. The September 2025 CJEU ruling in EDPS v SRB (C-413/23 P) clarified that pseudonymised data is not automatically personal data for every recipient — only when re-identification is “reasonably likely” for the specific entity holding the data. Only truly anonymous data falls outside GDPR scope entirely.

Does GDPR apply to business contact data?

Generally yes. An individual’s work email address (john.smith@company.com) is personal data because it identifies a specific person. Generic addresses (info@company.com) are not personal data. B2B contact databases containing individual names, direct phone numbers, or professional titles linked to identifiable individuals are subject to GDPR.

What is sensitive personal data (special category data) under GDPR?

Art. 9 lists special categories: health data, biometric data, genetic data, racial/ethnic origin, political opinions, religious beliefs, trade union membership, and data concerning sex life or sexual orientation. Processing requires explicit consent or another Art. 9(2) legal basis. Criminal conviction data under Art. 10 has separate restrictions. Violations involving special categories carry higher penalties.

Conclusion

The GDPR definition of personal data in Art. 4(1) is the gateway to the entire regulation. Its broad scope — “any information relating to an identified or identifiable natural person” — captures far more data than most organisations initially expect. The September 2025 CJEU ruling in EDPS v SRB introduced a more contextual approach to pseudonymised data, while the EU Digital Omnibus negotiations (2025-2026) signal that practical application of the definition may evolve. Organisations should ensure their data mapping reflects the current legal landscape and treats borderline cases conservatively — the cost of wrongly classifying personal data as non-personal far exceeds the cost of compliance.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Panthéon-Assas University (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.