What is personal data?

We mentioned personal data when we talked about data subjects, and it is now time to dive a bit deeper into the terminology. In short, personal data is anything that discloses your identity, that is unique to you. A few examples include:

your full name

your home address

your credit card number

your birthdate

a photo

your e-mail address

posts on social media and more

Even metadata without an obvious identifier falls under the GDPR’s definition of personal data. While some of these items may not point directly to you, such as your full name if it is a very common one, they will lead to your identification if combined with other data such as your birthdate or your home address.

Both data subjects and organizations processing personal data need to pay special attention to how the GDPR views this information. Data subjects have various rights with regard to how their personal data can be processed. For organizations and businesses, compliance with the GDPR’s data processing rules is essential in order to avoid fines.


This category covers the usual ‘suspects’:


home address

phone number

your birthdate or place of birth

your ID card

workplace or school

Taken separately, some of these may not provide a direct link to a natural person. If someone has a very common name, for instance, you will need more than the name to firmly identify them. The same applies to a home address, if several people live in the same house, or to your birthdate or birthplace: odds are that more than one person shares the same birth date or birthplace as you. However, if you start combining two or more of these pieces of data, you can uniquely identify a person. Your ID card, your phone number, your bank account and your credit card number represent data that is unique to each person and will therefore lead to identification.


In this category we can include:

a person's social media accounts and their posts there

your e-mail address


the IP address (in some cases)

It is easy to understand why your social media accounts and what you post on them can lead to your identification. In most cases, simply to create your account you will need to enter some ‘classical’ personal data, such as your name or your birthdate. If from there you post photos of yourself, for instance, identification happens easily.

A much discussed topic is the IP address. The GDPR states that IP addresses should be considered personal data, as they fall within the scope of ‘online identifiers’. Of course, in the case of a dynamic IP address – which is changed every time a person connects to a network – there has been some legitimate debate as to whether it can truly lead to the identification of a person or not. The conclusion is that the GDPR does consider it as such. The logic behind this decision is relatively simple. The internet service provider (ISP) has a record of the temporary dynamic IP address and knows to whom it has been assigned. A website provider has a record of the web pages accessed by a dynamic IP address (but no other data that would lead to the identification of the person). If the two pieces of information were combined, the website provider could find the identity of the person behind a certain dynamic IP address. However, the chances of this happening are small, as the ISP has to meet certain legal obligations before it can hand the data to a website provider. The conclusion is that all IP addresses should be treated as personal data in order to be GDPR compliant.


A special category of personal data is sensitive data, which will now include genetic and biometric data that, if processed, will lead to the unique identification of a person. On the other hand, data relating to criminal offenses and convictions are handled separately – criminal law is outside of the EU GDPR’s scope. Another type of data that is outside of the GDPR’s scope is fully anonymized data, since no individuals can be identified from it.