Personal data has become increasingly valuable to companies who can use it to inform their own activities and then sell it to advertisers and other third parties. 

GDPR set new standards for data protection, limiting what companies could do with the data they processed.

To be compliant with GDPR, organizations must understand whether the information they process could be classified as personal data.

GDPR Personal Data

Under GDPR, personal data is considered any information that relates to an individual who can be identified, either directly or indirectly. Examples include a customer number, IP address, telephone or credit card number, location or biometric data.

The examples above are relatively straightforward examples of data that can be used to identify an individual. However, there are other types of data, like names, ethnicity, gender, and political or religious affiliation, that could be combined with other data — like an address, for example — to identify an individual. These types of data make an individual identifiable and therefore also fall under GDPR’s definition of personal data. 

For example, a name like John Smith may not be a unique identifier of one individual. When combined with their telephone number however, it is clear which John Smith is being referred to. 

That means that the same information could be classified as personal data by one organization but not by another. For example, a job title alone may not be data that identifies an individual. But if the organization’s name is also collected and there is only one person with that job title at the organization, then that means the individual could be identified.

So when organizations are considering whether the information they process could be classified as personal data, they must consider all the ways the information could be used to identify that individual.

Below are some examples to help you consider what data could be classified as personal data under GDPR. 

What IS considered personal data: 

  • Names
  • Dates of birth 
  • Physical addresses
  • Phone numbers
  • Email addresses
  • IP addresses and cookie identifiers
  • Radio frequency identification (RFID) tags
  • Identification numbers, such as driver's license or passport numbers
  • Location data, such as GPS
  • Video/audio recordings and photographs
  • Bank account numbers
  • Card payment data 
  • Criminal records
  • Medical records and insurance data
  • Religious or political affiliations
  • Ethnic data
  • Genetic and biometric data
  • Union memberships
  • Current or previous employer data

What is NOT considered personal data: 

  • Data related to the deceased 
  • Inaccurate data that can’t be identified to an individual
  • Information about legal entities

GDPR Sensitive Personal Data

Under GDPR, some personal data is considered sensitive and subject to specific processing conditions. For example, the processing of this data may be necessary for reasons related to legal claims or public health.

Personal data is considered sensitive if it reveals:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • a person’s sex life or sexual orientation
  • trade-union membership
  • genetic or biometric data
  • health-related data