What Does Personal Data Include Under the GDPR?

Analysis of GDPR’s definition demonstrates that personal data encompasses “any information relating to an identified or identifiable natural person” (Article 4(1), GDPR). The term’s scope, characterized by its broadness, is confirmed by the European Court of Justice, which interprets “identifiable” to include both direct and indirect identification through identifiers or characteristics.

Key findings reveal:

• Direct identifiers:
  Name, surname, phone number, address, email, and personal identification numbers (e.g., SSN, passport, driver’s license).
• Indirect identifiers:
  IP address, cookie-ID, advertising identifiers, device IDs.
• Location data:
  Home address, live geolocation, and travel patterns.
• Biometric data:
  Fingerprints, facial images/geometry, retina scans.
• Personal characteristics:
  Photographic images (including facial photos), voice recordings.
• Financial information:
  Bank account or credit card numbers.

The Article 29 Working Party emphasizes a contextual approach—information becomes personal if it can single out, contact, or trace an individual, even when combined with other data points [WP29 Guidelines, 2017].

Case law confirms that “online identifiers” such as IP addresses, device IDs, and cookies constitute personal data when linked with other elements that allow identification.

The GDPR further extends protection to special categories (Article 9), including biometric and health data, reinforcing the regulation’s wide coverage. This interpretation aligns with scholarship identifying GDPR as among the strictest privacy frameworks globally.

Summary:

• The GDPR definition is deliberately expansive.
• Both direct and indirect identifiers are protected.
• Context determines identifiability.
• Special attention is given to biometric and sensitive data.