The General Data Protection Regulation (GDPR), enacted in May 2018, fundamentally redefined what organizations must consider when collecting, using, or storing information about individuals in the EU. At the heart of this legislation is the concept of “Personal Data.” Article 4(1) of the GDPR defines personal data broadly as “any information relating to an identified or identifiable natural person (‘data subject').”
This definition goes far beyond obvious identifiers like a person’s name. It covers anything—directly or indirectly—that could lead to the identification of a living individual. The context in which the data is processed is key: if an organization has the reasonable means to link a piece of information to a specific person, it is likely personal data.
To clarify this extensive scope, here are 10 core examples of personal data, categorized by how they are used and the level of protection they require.
Category 1: Direct Identifiers (Standard Personal Data)
These are the most immediate and common examples of personal data, which directly identify an individual.
1. Name and Contact Details
This is the most straightforward example. It includes a person's full name, home address, personal email address (e.g., john.doe@email.com), and personal phone number.
- Why it's personal data: Alone or together, these elements directly pinpoint a unique, living individual. Even a corporate email address (like jane.doe@company.com) is considered personal data because it clearly relates to an identifiable employee.
2. National Identification Numbers
Official, government-issued identifiers are a clear form of personal data, often considered highly sensitive due to their pervasive use across public services.
- Why it's personal data: This includes items like Passport Numbers, Driver's License Numbers, and National Insurance or Social Security Numbers. They are designed to uniquely identify a person within a national system, making them a definitive identifier.
Category 2: Digital and Technical Identifiers (Standard Personal Data)
In the modern digital landscape, many of the strongest identifiers are technical, revealing information about an individual’s devices, location, and online activity.
3. IP Addresses
An Internet Protocol (IP) address is a unique numerical label assigned to every device connected to a computer network that uses the Internet Protocol for communication.
- Why it's personal data: While an IP address may not always directly reveal a person's name, the European Court of Justice (ECJ) has ruled that a “dynamic IP address” (one that changes) is personal data when the website operator has the legal means to compel the Internet Service Provider (ISP) to link it to the real user. Since most entities have some legal avenue or possibility to identify the user, it is almost universally treated as personal data.
4. Cookies and Online Identifiers
This includes the unique identifier strings stored in a browser or on a device, often referred to as Cookie IDs, Device IDs, or Advertising IDs.
- Why it's personal data: These identifiers are used to track an individual’s browsing habits, purchasing history, and preferences across different websites and services. Even if the identifier doesn't contain a person's name, it allows an organization to build a profile of an “identifiable natural person” based on their behaviour, thus falling squarely under the GDPR definition.
5. Location Data (GPS)
Any data that indicates the geographical position of a device, such as precise GPS coordinates from a smartphone app or vehicle, constitutes personal data.
- Why it's personal data: This information can directly or indirectly trace a person's movements, revealing patterns about their private life, place of residence, or work location. Processing this data without proper justification can have a significant impact on an individual’s privacy.
Category 3: Employment and Financial Data (Standard Personal Data)
Data related to a person’s professional and economic life is a critical area of personal data processing.
6. Professional Data and Employee IDs
This includes an individual's Employee ID Number, specific Job Title, Salary/Payroll Information, and Performance Review scores.
- Why it's personal data: Within an organization, an employee ID is an explicit internal identifier. Performance reviews and salary details are information relating to the individual, having a clear impact on their professional life and status.
7. Financial Transaction Data
Any information detailing a person’s financial activities, such as bank account numbers, credit card details, and detailed purchasing history (online and offline).
- Why it's personal data: This data is directly tied to the individual's economic identity and can be used to infer consumption patterns, lifestyle, and other personal attributes.
Category 4: Special Category Data (Requiring Highest Protection)
The GDPR defines a special class of data in Article 9 which is considered highly sensitive and requires a higher level of protection and more stringent legal grounds for processing. This data concerns the most intimate aspects of a person’s life.
8. Health Data
This is information relating to the physical or mental health of a natural person, including the provision of health care services, which reveals information about their health status.
- Why it's special category data: Examples include medical records, diagnoses, prescriptions, sick leave certificates, and even raw data from wearable fitness trackers (like heart rate or sleep patterns). Due to its profound potential for discrimination or misuse, its processing is generally prohibited unless a specific condition is met, such as explicit consent or necessity for preventative/occupational medicine.
9. Biometric Data (for Identification)
Biometric data means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person.
- Why it's special category data: This includes fingerprints, retinal and iris scans, and voice prints when they are processed to uniquely identify an individual. For instance, a facial scan used to unlock a phone is typically internal processing, but a facial recognition system used to track attendance or grant building access is processing it for unique identification.
10. Data Revealing Beliefs and Affiliations
This category covers personal data that reveals deeply held personal tenets and group memberships.
- Why it's special category data: Specifically, this includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership. The processing of this information is strictly regulated because its misuse could lead to societal discrimination, bias, or persecution. For example, asking for a person’s religion for a workplace social event is standard personal data, but storing and analysing a database of employees’ religious beliefs for demographic reporting falls into this special category.
The Contextual Rule: Identifiable vs. Identified
The power of the GDPR definition lies in the word “identifiable.”
- Pseudonymisation is the practice of replacing identifiers (like a name) with a code or reference number (a pseudonym). The GDPR explicitly states that pseudonymised data remains personal data, because the original identifiers, even when kept separately, could still be used to re-identify the person. It is treated as a security measure, not a way to escape the GDPR entirely.
- Anonymisation occurs when data is irreversibly stripped of all identifying elements, and the individual can no longer be identified by any means reasonably likely to be used. Only truly anonymous data falls outside the scope of the GDPR.
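As an added example (not part of the original article), the following Python shows the distinction drawn above: a keyed pseudonym keeps each person's rows linkable and lets whoever holds the separately stored key re-identify them, whereas aggregation removes the individual rows altogether. The sample records, field names and the HMAC-based tokenisation are my assumptions, not anything the article prescribes.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (fictitious people, not from the original article).
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "salary": 52000},
    {"email": "bob@example.com", "country": "FR", "salary": 61000},
    {"email": "carol@example.com", "country": "DE", "salary": 48000},
]


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Keyed hash of a direct identifier: same key + same identifier -> same token.
    The key is the 'additional information' that GDPR expects to be kept separately."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Strip the direct identifier but keep a token so one person's rows stay linkable.
    The result is still personal data: the key holder can reverse the mapping."""
    return [{"subject_id": make_pseudonym(key, r["email"]),
             "country": r["country"], "salary": r["salary"]} for r in records]


def reidentify(pseudo_records, key: bytes, candidate_emails):
    """Whoever holds the key can recompute tokens for known people and link rows back.
    Returns {token: email} for every row that matched a candidate; empty with the wrong key."""
    lookup = {make_pseudonym(key, e): e for e in candidate_emails}
    return {row["subject_id"]: lookup[row["subject_id"]]
            for row in pseudo_records if row["subject_id"] in lookup}


def anonymise(records, min_group: int = 2):
    """Aggregate to counts per country and suppress groups smaller than min_group,
    so no output value relates to a single individual any longer."""
    counts = Counter(r["country"] for r in records)
    return {c: n for c, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # stored apart from the pseudonymised dataset
    pseudo = pseudonymise(RECORDS, key)
    print(pseudo)                          # no e-mail column, but per-person tokens
    print(reidentify(pseudo, key, ["alice@example.com"]))   # key holder links Alice back
    print(reidentify(pseudo, b"wrong-key", ["alice@example.com"]))  # {} without the key
    print(anonymise(RECORDS))              # {'DE': 2}; the single FR row is suppressed
```

Deleting the key does not automatically make the pseudonymised rows anonymous: a salary and country pair may still single someone out, which is why the test is "any means reasonably likely to be used", not merely the absence of a name.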
The vast majority of data collected by modern organizations, even technical data, is sufficiently related to an individual to qualify as personal data and must be protected under the regulation.