
Personal Data

Any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.

Personal data is the foundational concept of European data protection law. Under Art. 4(1) GDPR, the term covers all information relating to an identified or identifiable natural person — the "data subject". A person is considered identifiable if they can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

In practice, this definition must be interpreted very broadly. Classic examples include names, addresses, dates of birth, email addresses, and telephone numbers. But the concept also extends to IP addresses, cookie IDs, vehicle licence plates, photographs, biometric data, and even seemingly innocuous combinations of data points — provided they allow identification of an individual. Data relating to legal entities or deceased persons is generally not covered by the GDPR.

As a compliance officer, your first step when assessing any new processing activity is to determine whether personal data is involved. Only once this is confirmed do all further GDPR obligations apply: recording the activity in the Record of Processing Activities (Art. 30 GDPR), identifying a valid legal basis (Art. 6 GDPR), and honouring data subject rights (Art. 15–21 GDPR). Accurately distinguishing personal data from genuinely anonymised data is therefore one of the most practically significant tasks in day-to-day compliance work.

Legal Basis

Art. 4(1) GDPR

Practical Example

Your organisation is considering a new marketing analytics platform that tracks user behaviour on your website. The vendor claims the data is anonymised. As compliance officer, you examine whether the collected cookie IDs and IP addresses could realistically allow re-identification of individuals. The vendor stores only truncated IP addresses and can demonstrate that re-identification is technically ruled out — so you conclude that no personal data is being processed. However, if full IP addresses were retained, the GDPR would apply in its entirety, and you would need to conclude a Data Processing Agreement with the vendor, among other obligations.

FAQ

Personal data is any information relating to an identified or identifiable natural person (Art. 4(1) GDPR). This includes not only obvious details like names and addresses, but also IP addresses, cookie IDs, and biometric characteristics — anything that can be linked back to a specific individual.
Genuinely anonymised data — where re-identification is permanently and practically impossible — falls outside the scope of the GDPR. Pseudonymised data, however, is still treated as personal data, since re-identification remains theoretically possible using additional information.
Once personal data is involved, the full GDPR framework applies. A valid legal basis must exist, the processing must be recorded in the ROPA, and data subject rights must be upheld. Non-compliance can result in fines of up to €20 million or 4% of global annual turnover.
