The General Data Protection Regulation (GDPR) adopts a comprehensive approach to the definition of personal data. According to Article 4(1), “personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly” (GDPR, 2016). This definition has several key implications, as detailed below:
- Direct Identifiers: The regulation explicitly includes data such as name, address, phone number, identification numbers, and other data that can unequivocally identify an individual.
- Indirect Identifiers: The scope extends to information that, when combined with other data, can identify an individual. Examples include date of birth, location data, occupation, and even unique physical, physiological, genetic, mental, economic, cultural or social identity markers.
- Online Identifiers: GDPR specifically recognizes that digital information—such as IP addresses, cookies, device identifiers, and location metadata—constitutes personal data if it can be linked to an individual.
- Special Categories: Data considered particularly sensitive—including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, and health data—are classified as ‘special categories’ and are subject to stricter protection measures.
Recent regulatory guidance and court decisions reinforce this broad interpretation. For instance:
- The Court of Justice of the European Union (CJEU) held that even dynamic IP addresses may constitute personal data if the controller has legal means of identifying the data subject through additional information.
- Pseudonymized data remains within the definition of personal data as long as the possibility exists for re-identification by reasonable means.
In summary, under GDPR, any information that can be linked—directly or indirectly—to a living individual is within scope. The regulation’s emphasis on identifiability means even information that does not name a person outright may still be protected if re-identification is feasible with available or accessible data. This expansive approach ensures a high level of privacy protection but requires careful assessment by organizations processing any data relating to individuals.