What counts as personal data under the GDPR?

Personal data is any information that can identify a living person — directly (name, ID number, face) or indirectly (combinations that single you out).

Personal data (GDPR Art. 4(1)) is any information relating to an identified or identifiable living person. The definition is deliberately broad. Direct identifiers: name, home address, phone number, email, national ID number, passport number, face photo, fingerprint, voice — and yes, an IP address counts (CJEU, Breyer, C-582/14). Indirect identifiers: data that looks harmless alone but identifies someone in combination — “woman, 34, lives in postcode X, drives a Tesla, works at the town hall” pins down one person. Special category data (Art. 9) gets extra protection and is normally off-limits without explicit consent or a specific legal exception: health, sex life or orientation, race or ethnic origin, political opinions, religion, trade-union membership, biometrics used for identification, and genetics. Not personal data: truly anonymous data (not re-identifiable by anyone, by any reasonable means) and data about companies as such. Data about deceased persons falls outside the GDPR itself, though several countries protect it nationally. Pseudonymised ≠ anonymous: if a key exists that can re-link the data to you, it is still personal data (Recital 26). Rule of thumb: in doubt, treat it as personal data — that is how regulators read it too.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Privacy explained📞 Your data protection authority