GDPR Personal Data Explained: 11 Things to Know

Updated September 01st, 2023
GDPR personal data explained

Share this article

According to GDPR, “personal data” refers to any information that can identify an individual, either directly or indirectly. This can include but is not limited to names, identification numbers, location information, online identifiers, or characteristics related to an individual’s physical, mental, or social identity.

In this article we will learn the various components of personal data as defined by GDPR, offering readers an understanding of what is at stake and how it impacts them.

Table of contents

  1. How does GDPR explain personal data?
  2. Understanding personal data with examples
  3. GDPR personal data: 8 Processing principles
  4. 11 components of GDPR personal data
  5. 7 Special categories of personal data
  6. Summarising it all together
  7. GDPR personal data: Related reads

How does GDPR explain personal data?

According to GDPR article 4:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or social identity of that natural person.

Understanding personal data with examples

One classic example of personal data under the General data protection regulation (GDPR) is an individual’s email address.

Let’s consider any mail id : [email protected]. At first glance, it might appear to be just a string of characters, but within the GDPR framework, it holds much more significance.

  • This email address serves as an online identifier, capable of being used to send communications, confirm transactions, or recover passwords for online services.
  • It is directly linked to Jane Doe, making her an identifiable natural person, or “data subject” in GDPR terms.
  • Companies that collect this email address for newsletters, account setups, or customer service must adhere to specific guidelines on how it’s stored, used, and protected.
  • Given that an email address can be a gateway to more sensitive information like financial or health records, it must be handled with a high degree of care to respect privacy and data protection rights.
  • The email address, therefore, exemplifies why understanding the broad scope of “personal data” under GDPR is crucial for both individuals and organizations.

These examples all represent personal data that, if improperly handled, could compromise an individual’s privacy or security. Under GDPR, organizations are required to manage such data carefully, with appropriate consent and security measures.

GDPR personal data: 8 Processing principles

The General data protection regulation (GDPR) outlines several key principles that govern the processing of personal data.

These principles serve as the foundation for the protection of personal information within the European Union (and for EU citizens abroad), as well as for entities outside the EU that process the data of EU citizens.

Here are the primary principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (Security)
  7. Accountability
  8. Data portability

Let us understand each of them in detail:

1. Lawfulness, fairness, and transparency


Data must be processed lawfully, fairly, and in a transparent manner. This means that organizations must have a valid legal basis for data processing and must be open about how the data is used.

2. Purpose limitation


Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes. Essentially, you can only use the data for the reason you stated when you collected it.

3. Data minimization


Data collected must be adequate, relevant, and limited to what is necessary for the intended purposes. Organizations should not collect more data than is strictly required for the purpose they have stated.

4. Accuracy


Personal data should be accurate and, where necessary, kept up to date. Inaccurate data should be corrected or removed.

5. Storage limitation


Personal data should be kept in a form that allows identification of data subjects for no longer than is necessary for the intended purpose. After that, the data should either be deleted or anonymized.

6. Integrity and confidentiality (Security)


Personal data should be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. This involves applying appropriate technical or organizational measures to safeguard the data.

7. Accountability


The data controller is responsible for, and must be able to demonstrate, compliance with the other principles. This is a key change from previous legislation; accountability is now a core part of data protection law.

8. Data portability


While not strictly a principle, data portability allows individuals to obtain and reuse their personal data across different services. This facilitates their ability to transfer data easily from one IT environment to another.

By adhering to these principles, organizations can ensure that they are in compliance with GDPR regulations, thereby reducing the risk of legal issues and penalties, while also improving consumer trust.

11 Components of GDPR personal data

The term “components of GDPR personal data” isn’t a standard term in GDPR legislation, but personal data under GDPR can be categorized into various types or components for better understanding. These types or components help clarify what kinds of information are considered “personal data” and thereby subject to GDPR regulations.

  1. Identifiers
  2. Contact information
  3. Online identifiers
  4. Biographical information
  5. Location data
  6. Health data
  7. Financial data
  8. Social and personal characteristics
  9. Employment data
  10. Special category data
  11. Educational data

Let us understand each of them in detail:

1. Identifiers


  • Name:
    • The most basic form of identification, this could be a first name, last name, or both. This can include first names, middle names, last names, or any combination thereof.
    • Names are often collected in nearly all forms of data processing from account creation to transaction records.
  • Identification Numbers: These could be social security numbers, tax IDs, or passport numbers. These could range from government-issued identification like Social security numbers to customer IDs in a database. Such numbers can uniquely identify a person and are sensitive data.

2. Contact information


  • Address: Including both postal and email addresses. This refers to both physical addresses (street, city, state, postal code) and electronic addresses like email. Both can be used to contact or locate someone.
  • Phone Numbers: Both landline and mobile. These can include country and area codes and can refer to mobile, work, or home numbers. Given their direct link to an individual, they are often treated as sensitive data.

3. Online identifiers


  • IP Addresses: Numeric labels assigned to devices connected to a internet. An IP address can reveal the approximate geographical location of a computer and is used in a wide variety of tracking and data-collection applications.
  • Cookies: Small pieces of data stored on the user’s computer by the web browser. These small text files are stored on a user’s device by websites. They can be used to track behavior, remember preferences, and even directly identify an individual in some cases.

4. Biographical information


  • Date of Birth: Information regarding the birth date of an individual. Often used for verification purposes, the date of birth is considered sensitive personal information and is often used in combination with other identifiers for authentication.
  • Gender: Information that relates to an individual’s biological, psychological, or social identity. Information regarding an individual’s gender can be sensitive and subject to special treatment, particularly in settings where data on gender could be used for discriminatory practices.

5. Location data


  • Geographical coordinates: Often captured by smartphones or other GPS-enabled devices. These could be gathered via GPS-enabled devices and can reveal a detailed history of an individual’s movements.
  • Tracking data: Information gleaned from technologies like RFID, NFC, and other tracking systems. Systems like RFID tags or NFC technology can track individuals in physical spaces, such as employees in a building.

6. Health data


  • Medical records: Information about an individual’s physical or mental health. These records contain highly sensitive information about an individual’s medical history, diagnoses, and treatments.
  • Genetic data: Information about inherited or acquired genetic characteristics. This involves information about the inherited genes that could reveal data not just about the individual but also about family members.

7. Financial data


  • Bank account details: Account numbers, sort codes, and other bank details. Includes sensitive information like account numbers, sort codes, and banking institutions.
  • Credit history: Record of an individual’s repayments of debts and other financial transactions. This data contains details about loans, credit cards, mortgages, and other financial commitments, as well as repayment history.

8. Social and personal characteristics


  • Race and ethnicity: Information regarding the racial or ethnic background of an individual. Collecting this data can be sensitive and is often subject to strict consent and use limitations.
  • Religion: Information regarding an individual’s religious beliefs. Religious beliefs can be a sensitive topic and may be subject to additional protections.
  • Political opinions: This would include party affiliations or any other political activities. These are often considered sensitive data because of the potential for misuse, particularly in settings where political discrimination is a concern.

9. Employment data


  • Occupation: The job title or position held by an individual. Information about one’s work, role, title, or profession.
  • Salary: How much money an individual earns. This is highly sensitive data, often subject to additional security measures to prevent unauthorized access or disclosure.

10. Special category data


  • Biometric data: Fingerprints, facial recognition, and other uniquely identifying biological factors. This involves physical characteristics that can be used for automated identification, like fingerprints or retina scans. It is highly sensitive and requires special handling.

11. Educational data


  • Qualifications: Degrees or certifications obtained. This includes the levels of education reached and any qualifications gained or courses completed.
  • Transcripts: Records of educational performance. These are detailed records of an individual’s academic performance and are sensitive data often protected by additional regulation.

Each of these components represents types of personal data that must be handled carefully under GDPR rules, typically requiring explicit consent for collection and strict safeguards for storage and processing.

Understanding these components helps organizations to identify what data they are handling that falls under the purview of GDPR. Once identified, organizations must then ensure that this data is handled in compliance with GDPR principles. Failure to do so can result in significant penalties.

7 Special categories of personal data

The General data protection regulation (GDPR) outlines what it calls “special categories of personal data,” which are types of data considered particularly sensitive and therefore requiring additional protection.

The reason these categories are considered “special” is that they could be used in a way that discriminates against individuals or otherwise unfairly impacts them in significant ways.

Here are the special categories of personal data according to GDPR:

  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership
  5. Genetic data
  6. Biometric data
  7. Health data

Let us understand each of them in detail:

1. Racial or ethnic origin


This includes any information that indicates a person’s racial or ethnic background. Collecting and processing this data is often prohibited unless explicit consent is given, and even then, it’s often subject to strict limitations.

2. Political opinions


Political affiliations or opinions can be highly sensitive, and the misuse of such information could result in discrimination or bias. Extra precautions must be taken when storing and processing this data.

3. Religious or philosophical beliefs


Information about a person’s religious affiliations or philosophical beliefs falls under this category. Such data is considered sensitive because of the risk of discrimination or persecution based on these beliefs.

4. Trade union membership


Being a member of a trade union could subject individuals to various types of discrimination, which is why this information is categorized as sensitive data under GDPR.

5. Genetic data


This refers to information about the inherited or acquired genetic characteristics which give unique information about the physiology or the health of that natural person. This data is highly sensitive given its deeply personal nature and the potential implications it can have for family members and future generations.

6. Biometric data


This includes fingerprints, retina scans, and other data that can be used for the purpose of uniquely identifying a natural person. Due to the highly individualized nature of biometric data, it is categorized as sensitive under GDPR.

7. Health data


Information related to a person’s physical or mental health is considered sensitive due to the potential for misuse, discrimination, or stigmatization.

Organizations that process any of these special categories must adhere to strict rules and are usually required to obtain explicit consent from the individual. They must also implement additional security measures to protect the data and are subject to more stringent requirements regarding data breach notifications. Failure to comply with the regulations for special categories can result in significant penalties.

Summarising it all together

As our lives become increasingly digitized, the scope and scale of our personal data continue to expand. This makes understanding what constitutes personal data under GDPR not just a legal necessity but a social imperative.

From identifiers like your name and social security number to more complex components like biometric or genetic data, GDPR casts a wide net over what is considered personal. Its principles—ranging from transparency and fairness to accountability—are designed to give individuals control over their data, while obliging organizations to handle it with the utmost care.

It’s a fine balance between technological innovation and personal privacy, one that underscores the value and vulnerability of our digital selves.

As consumers, citizens, and data subjects, it is crucial that we remain informed and vigilant, advocating for responsible data management practices that honor both the spirit and the letter of GDPR.

Share this article

[Website env: production]