What is personal data under GDPR?

Article 4 of the European Union General Data Protection Regulation (GDPR) defines personal data as: “Information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Personal information includes names, addresses, dates of birth, bank details, photos, and online identifiers, such as IP addresses or tracking cookies. Additionally, personal data includes more sensitive data, such as health data, biometric data (e.g., fingerprints and iris scans), and genetic data (e.g., a DNA analysis), that could be processed to identify an individual uniquely.

Under the GDPR, sensitive data also includes an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life or sexual orientation. Like these kinds of sensitive data, trade union membership is one of several special categories of data under the GDPR.

The GDPR, which went into effect on May 25, 2018, expanded the definition of personal data as established in previous legislation.

The new data protection law set guidelines for the collection and processing of personal data of people living in the European Union (data subjects). All organizations that collect, store, and process the personal information of EU citizens are subject to the GDPR. This includes organizations that operate or are established outside the EU and that do business with people residing in the EU.