What is Considered as Personal Data Under GDPR?

What is Considered as Personal Data Under GDPR?

Image Source

Millions of people are now believers of the necessity of privacy. And all of them now understand that their private details are far less safe now more than ever. Especially now, that the collection of information poses more dangers than advantages, and that it is almost impossible to go through our daily lives without being monitored.

There is a collective feeling that data handling nowadays is much different than in the past. When asked if they think their personal information is safe or not, 70% of adults believe that their private data has become less safe. Only 6% believe that cybersecurity laws and data handling policies have favored the users and that their data is much more secure today than it was during the past.

Fortunately, the European Union’s GDPR or General Data Protection Regulation provides a significant data protection policy for its citizens and businesses. It gives the EU people unprecedented control over their personal data. All citizens and companies, even those outside the EU but handle EU data, must comply with the security and privacy criteria of the GDPR, or face heavy penalties. The term “personal data” is the key to the Global Data Protection Regulation (GDPR) framework. But what is exactly considered as personal data?

What is Personal Data?

Image Source

Name, picture, IP address, or user name are some of the things considered as personal data by GDPR. Personal data is defined in GDPR Article 4 as “any information” that belong or relate to an identifiable natural person (name, physical address, browsing cookies, IP addresses, skin color, etc.). In short, if a piece of specific information, in all shape or form, can lead you to identify a natural person particularly, then that specific information is personal data. But of course, it’s more complicated than that.

For a video reference, watch this short clip from a YouTube channel, Social27:

What is Included in GDPR’s Definition?

In describing a person, GDPR uses the qualifier “natural” to distinguish a real person from companies, which are sometimes referred to as “legal persons.” Moreover, it says that an identifiable natural person or “data subject” can be identified in particular using direct or indirect information that relates to that data subject. In other words, GDPR still considers indirect information, such as hair color or medical records, as personal data. It maintains that anyone can still identify a person using minor or indirect details that may appear useless, but are actually powerful when used collectively with direct or other indirect information.

Therefore, GDPR has a special category of personal data called sensitive personal data for that indirect information. This special category includes information that may sound irrelevant, but are sensitive data that can be used to identify an individual:

  • Ethnic origin or race
  • Religious faith or philosophical beliefs
  • Political affiliations and opinions (Facebook gives you the option to indicate yours)
  • Sexual orientation
  • Genetic data which give unique information (isn’t that an identifier?) about a natural person’s physiology or health
  • Hospital records which reveal information about a natural person’s health status, which include physical and mental health
  • Biometric data of a natural person, which includes fingerprints and facial images

It is interesting to note that GDPR does not refer to the deceased. Yet, their information may still be considered personal data with respect to their heirs, if such data provides a way to identify the heirs. Often, the “identifiability” of a data subject is a moving target since it depends on the context.

Further, data that is wrongly assigned to a specific individual, whether it is totally inaccurate or belonging to another person, is still considered to be personal data as it relates to that particular individual. Only if the data are incorrect to the point that no user can be identified, the data is not personal data.

Recommended Handling of Personal Data

Image Source

GDPR mandates having a privacy policy for the controllers (or the organization that asks for data) to communicate and the users to read. Nevertheless, “communicating” privacy policy does not necessarily mean all things are clear and understood. The adults who say they are reading the entire privacy policies, literally from top to bottom, before agreeing to their terms and conditions, is a minority, 22%. But thankfully, there are other recommendations.

Anonymizing Personal Data

Anonymization of personal data is a type of sanitizing information which intent is to protect personal data. It removes or encrypts identifiable information or “identifiers” of a data subject from data sets, in order to maintain the anonymity of that data subject. It is the permanent alteration of personal data in such a way that it could not be traced back to the data subject. This is also an irreversible process, which means that the data cannot be restored back to its original state.

There are various techniques, but some of them are masking, scrambling, and blurring. Masking hides

Pseudonymizing Personal Data

Data controllers and processors may pseudonymize personal information by handling in such a way that it can no longer be associated with a particular data subject without the use of other personal information. But controllers and processors must maintain that such sensitive data, both the pseudonymized data and the other personal data, are kept separate and are exposed to technological and operational controls to ensure that the personal details are not related to an identifiable natural individual.

However, pseudonymized data is vulnerable to GDPR restrictions because personal data may still be recovered from the data set, unlike anonymized data where it’s completely altered. That’s the difference between anonymization and pseudonymization. The latter carries a higher risk than anonymization and necessitates substantial and organizational controls.

Minimizing Personal Data

GDPR’s “Principles of Data Processing” (Recital 39) states that “Natural persons should be made aware” of the processing of personal data, which includes its risks, safeguards, rules, and users’ and controllers’ rights in such processing. In other words, GDPR mandates transparency between the controller and the data subject (natural person). This transparency requires controllers to communicate with the data subject with an easy to understand information, precise communication of the purposes of processing the data subject’s personal data.

The risks, safeguards, rules, and rights should be well-presented to the data subject to maintain transparency. Moreover, the controllers must maintain the adequacy and relevance of personal data to be collected. In other words, personal data must only be limited to what is necessary for the purposes of the controllers. Furthermore, personal data must only be stored with limited time so that the controller may be able to delete the data or to be checked for periodic review.

Seek a Professional DPO

There numerous recommendations and policies that are set out in the GDPR that we cannot possibly tackle in this article. You can go to their official website and read the entire regulation ( If you are an organization or company that will handle or is handling personal data, and having difficulties or further questions about how to manage personal data, we recommend you to consult a Data Protection Officer (DPO). A DPO is an expert that guides organizations on their compliance with GDPR. They are responsible for various tasks, including, but not limited to:

  • Educating and advising an organization and its employees of their responsibilities;
  • Monitoring and reviewing the organization’s data protection policies;
  • Recommending to an organization’s leaders when Data Protection Impact Assessments or DPIAs are necessary; and
  • Acting as a middleman between an organization and its supervisory or higher authority.

For quality purposes and to avoid any conflict of interest, it is recommended to hire an independent, remote DPO as a part-time consultant. However, GDPR also allows a current employee to assume the role of DPO, as long as they are equipped and reliable. The latter option can be risky, though, so hiring a remote DPO would be the best.


In the final analysis, remember that we are constantly consenting to numerous controllers to collect our data by agreeing to their privacy policies. If we will not carefully read their policies, or if we expose ourselves to unreliable organizations, then the risk is higher. After all, it is still a good thing to remember that the internet and social media are not everything. If we make every bit of our being submerged in its vast and deep waters, then we cannot totally make sure that we will not drown. Thinking before you click. Read before you agree. And learn as much as you can.

What Does it Mean When a Site Uses Cookies?

What Does it Mean When a Site Uses Cookies?

What is a VPN?

What is a VPN?