What must data do to be considered personal data by the GDPR?

To be considered personal data under the GDPR, information must relate to an identified or identifiable natural person (a living human), either directly or indirectly.

What must data do to be “personal data” under the GDPR?

The GDPR definition comes from Article 4(1): “any information relating to an identified or identifiable natural person”. That sounds abstract, so in practice data must meet three core conditions:

1. It must be about a natural person

  • The data must concern a human being, not a company or a device by itself.
  • Company registration numbers or pure business IDs alone are not personal data, but the same number linked to a specific director or sole trader can become personal data because it ties back to a person.

Think of it this way: if the information says something about a human’s identity, situation, or behavior, it passes this first test.

2. The person must be identified or identifiable

Data becomes personal when a person can be singled out, either:

Directly identifiable

This happens when the information clearly points to one person on its own.

Examples (each one, by itself, can identify someone in context):

  • Full name plus address
  • National ID or social security number
  • Email like firstname.lastname@example.com
  • Passport or driving license number
  • Exact phone number

Here, the data doesn’t need to be dramatic or sensitive; it just needs to reliably pick out one specific person.

Indirectly identifiable

This is where GDPR gets broader than many expect: a person is identifiable if they can be identified, directly or indirectly, using all means reasonably likely to be used (e.g., other data you hold, typical external data).

Examples:

  • A combination of role + location + employer in a small company (e.g., “the only neurosurgeon in a tiny town”)
  • IP addresses or device identifiers tied to behavior logs
  • Location data showing someone’s daily commute route
  • A rare job title plus birth year in a small community

This is often called the “mosaic effect”: multiple harmless-looking pieces, when combined, make a person stand out. Even if no single field looks like “name”, together they can identify someone, so the dataset is still personal data.

3. The information must “relate to” that person

It’s not enough that a person can be identified; the information must relate to them in some meaningful way.

Data “relates to” someone when it:

  • Describes them (age, health, salary, preferences, criminal record)
  • Is used to evaluate them (credit scores, risk scores, profiles)
  • Affects their rights or interests (eligibility decisions, service limitations, targeted ads)
  • Shows their activities or behavior (transaction history, browsing patterns, location traces)

So a bank account record, even without the customer’s name printed on top, is still personal data if it is tied to that customer’s identity in the system and used to decide things about them.

Concrete examples: when data becomes personal data

Below is a simplified view of how typical data types behave under GDPR.

<table>
  <thead>
    <tr>
      <th>Type of data</th>
      <th>Personal data?</th>
      <th>Why?</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Full name + home address</td>
      <td>Yes</td>
      <td>Identifies a specific natural person directly.[web:5][web:7]</td>
    </tr>
    <tr>
      <td>Email like john.doe@company.com</td>
      <td>Yes</td>
      <td>Directly identifies one employee.[web:5][web:9]</td>
    </tr>
    <tr>
      <td>IP address linked to user profile</td>
      <td>Yes (usually)</td>
      <td>Can identify or single out a person when combined with other data.[web:5][web:9]</td>
    </tr>
    <tr>
      <td>GPS trace of someone’s routes</td>
      <td>Yes</td>
      <td>Shows movements of one identifiable person.[web:1][web:3][web:5]</td>
    </tr>
    <tr>
      <td>Aggregated stats (“30% of users clicked X”)</td>
      <td>Often no</td>
      <td>If individuals cannot be singled out or re-identified, it may be anonymized, not personal data.[web:5][web:9]</td>
    </tr>
    <tr>
      <td>Completely anonymized dataset with no realistic re-identification risk</td>
      <td>No</td>
      <td>Person can no longer be identified by any means reasonably likely to be used.[web:4][web:5]</td>
    </tr>
  </tbody>
</table>

Special categories and online identifiers

Some personal data get extra protection because they are sensitive or uniquely identifying.

Examples of special categories / special identifiers:

  • Health data, genetic and biometric data used for unique identification
  • Racial or ethnic origin, political opinions, religious or philosophical beliefs
  • Trade union membership, data concerning sex life or sexual orientation

The GDPR also explicitly mentions online identifiers, such as:

  • Cookies or device IDs
  • Precise location data
  • Unique browser fingerprints

If these identifiers can be tied to a person or used to profile them, they count as personal data.

Pseudonymization vs anonymization

A common practical question is: “If I remove the names, is it still personal data?”

  • Pseudonymized data (replacing names with codes but keeping the key somewhere) is still personal data, because re-identification is possible with extra information.
  • Truly anonymized data (no realistic way to re-identify individuals, even with other data you reasonably have access to) falls outside GDPR.

In reality, GDPR regulators urge a cautious approach: if you cannot confidently show that re-identification risk is negligible, you should treat the data as personal.
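
The “mosaic effect” and the pseudonymization point above can be checked on a dataset before it is shared. The following is an added example, not part of the original page: it uses constructed records and a constructed key table, and it brings in k-anonymity (the size of the smallest group of records sharing the same values) as the measure of whether someone can be singled out.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data: names already replaced by codes (pseudonymized).
RECORDS = [
    {"pid": "P001", "job": "nurse", "birth_year": 1985, "town": "Largeville"},
    {"pid": "P002", "job": "nurse", "birth_year": 1985, "town": "Largeville"},
    {"pid": "P003", "job": "nurse", "birth_year": 1971, "town": "Smallton"},
    {"pid": "P004", "job": "teacher", "birth_year": 1971, "town": "Largeville"},
    {"pid": "P005", "job": "teacher", "birth_year": 1985, "town": "Smallton"},
    {"pid": "P006", "job": "teacher", "birth_year": 1985, "town": "Smallton"},
]
# Constructed lookup key that the data holder keeps in a separate system.
KEY_TABLE = {"P003": "Alex Example", "P004": "Sam Sample"}
QUASI_IDENTIFIERS = ("job", "birth_year", "town")


def group_sizes(records, fields):
    """Count how many records share each combination of values in `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_value(records, fields):
    """k-anonymity of the dataset over `fields`: size of the smallest group."""
    return min(group_sizes(records, fields).values())


def singled_out(records, fields):
    """Pseudonyms whose combination of `fields` is unique in the dataset."""
    sizes = group_sizes(records, fields)
    return [r["pid"] for r in records if sizes[tuple(r[f] for f in fields)] == 1]


def k_by_subset(records, fields):
    """k for every non-empty subset of `fields`, showing where uniqueness appears."""
    return {combo: k_value(records, combo)
            for n in range(1, len(fields) + 1)
            for combo in combinations(fields, n)}


def reidentify(pids, key_table):
    """With the key, pseudonyms resolve back to people (None if no entry)."""
    return {pid: key_table.get(pid) for pid in pids}


if __name__ == "__main__":
    for combo, k in k_by_subset(RECORDS, QUASI_IDENTIFIERS).items():
        print(f"{' + '.join(combo):28s} k={k}")
    unique = singled_out(RECORDS, QUASI_IDENTIFIERS)
    print("singled out:", unique)
    print("with key:   ", reidentify(unique, KEY_TABLE))
```

In this sample every single field has k of at least 2, yet any pair of fields already drops k to 1. A k above 1 on these fields alone does not show that the data is anonymized; it only means these particular fields do not single anyone out.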

Simple memory hook

You can remember what data must “do” to be personal data under GDPR with this three-step test:

  1. Be about a human – not just a device or company.
  2. Let you identify that human – alone or by combining with other information reasonably available.
  3. Tell you something about them or affect them – their identity, characteristics, behavior, or situation.

If all three are true, then you are dealing with personal data and GDPR duties fully apply.