Personal Data

Definition under Article 4 (1) GDPR — any information relating to an identified or identifiable person

· Category: GDPR · Compliance-Kit
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.

TL;DR

Under Article 4 (1) GDPR, personal data means any information relating to an identified or identifiable natural person. A person is identifiable where they can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier or specific characteristics.

What is personal data?

Three core criteria:

CJEU C-582/14 (Breyer): IP addresses are personal data where the controller is legally or practically able to attribute them to a person.

Practical example

Practical examples: - Name, address, email, telephone number - IP address, cookie IDs, session IDs - Employee personnel number, customer number - Photo, video, voice recording - Location data (GPS), vehicle registration number - Behavioural data (click behaviour, purchase history) - Genetic, biometric and health data (special categories, Article 9)

Frequently asked questions

Are anonymised data personal data?
No. Genuine anonymisation (irreversible, no re-identification risk) renders data non-personal — the GDPR does not then apply. Pseudonymisation is NOT sufficient — the data remain personal.
Are IP addresses personal data?
Yes, CJEU C-582/14. Including dynamic IP addresses, where identification is possible with proportionate effort (e.g. via a request to the provider).
What are special categories (Article 9)?
Data revealing race, ethnic origin, political opinions, religion, trade-union membership, genetics, biometrics, health, or sex life. Subject to higher protection requirements.

See also