Atlan named a Visionary in the 2025 Gartner® Magic Quadrant™ for Data and Analytics Governance.

What is GDPR Personal Data? 11 Key Components to Know!

Updated December 08th, 2023
GDPR personal data

Share this article

GDPR, or the General Data Protection Regulation, stands as a robust shield in the realm of personal data privacy. Enforced in 2018, it wields significant influence over how organizations worldwide handle individuals’ sensitive information.

According to GDPR, “personal data” refers to any information that can identify an individual, either directly or indirectly. This can include but is not limited to names, identification numbers, location information, online identifiers, or characteristics related to an individual’s physical, mental, or social identity.

Modern data problems require modern solutions - Try Atlan, the data catalog of choice for forward-looking data teams! 👉 Book your demo today

In this article, we will explore:

  1. How does GDPR explain personal data?
  2. What are the benefits of GDPR in managing personal data?
  3. GDPR’s 8 principles of processing personal data
  4. 11 Key components of GDPR personal data
  5. What are the various categories in which personal data is classified?

Ready? Let’s dive in!

Table of contents #

  1. How does GDPR explain personal data?
  2. What are the benefits of GDPR in managing personal data?
  3. Understanding GDPR personal data with examples
  4. GDPR personal data: 8 Processing principles
  5. 11 Components of GDPR personal data
  6. 7 Special categories of personal data
  7. Summarizing it all together
  8. GDPR personal data: Related reads

How does GDPR explain personal data? #

According to GDPR article 4:

Personal data means any information relating to an identified or identifiable natural person (‘data subject’).

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or social identity of that natural person.

What are the benefits of GDPR in managing personal data? #

The benefits of GDPR for personal data are significant and far-reaching. The following are some of the key benefits of complying with GDPR to managing personal data:

  1. Enhanced privacy protection
  2. Increased data security
  3. Streamlined data transfer
  4. Transparency and trust
  5. Legal clarity
  6. Global influence
  7. Empowered individuals

Let’s take a look at each of these benefits in detail:

1. Enhanced privacy protection #


GDPR empowers individuals with greater control over their personal data, ensuring that their privacy is respected. They can access, correct, and request the deletion of their data, putting them in charge of their information.

2. Increased data security #


Organizations are motivated to bolster their data security measures under GDPR. Stricter requirements and mandatory breach notifications encourage improved cybersecurity practices, reducing the risk of data breaches and unauthorized access.

3. Streamlined data transfer #


GDPR’s harmonization of data protection laws within the EU simplifies cross-border data transfers. This benefits businesses and individuals by facilitating international data flow while ensuring data protection standards are maintained.

4. Transparency and trust #


GDPR mandates transparency in data handling. Companies must clearly communicate how they use personal data, fostering trust with customers who appreciate knowing how their information is being managed.


GDPR provides organizations with clear guidelines, reducing legal ambiguity. This legal clarity makes it easier for businesses to understand their obligations, ensuring they comply with the regulation and avoid potential legal issues.

6. Global influence #


GDPR’s impact extends worldwide, influencing data protection regulations in many countries. It encourages other nations to adopt similar measures to safeguard personal data, making it a global standard for privacy.

7. Empowered individuals #


GDPR empowers individuals by giving them control over their data. This control allows them to protect their privacy and personal information, ensuring their data is used in ways they consent to and trust.

Understanding GDPR personal data with examples #

Under the General Data Protection Regulation (GDPR), personal data refers to any information that can be used to directly or indirectly identify a person. This can include a wide range of data types, whether digital or non-digital. Here are some examples of personal data under GDPR:

1. Basic identity information #


This includes names, addresses, and ID numbers. It is the most straightforward form of personal data, as it directly identifies an individual.

2. Web data #


IP addresses, cookie data, and RFID tags are also considered personal data. With the widespread use of the internet, such information is often collected by websites and online services.

3. Health and genetic data #


This is highly sensitive data that includes medical records, genetic data, and biometric data (like fingerprints or facial recognition data). Under GDPR, this type of data has additional protections due to its sensitive nature.

4. Biographical data #


Personal histories, including work history, education, and family information, are classified as personal data. This could include resumes, employment records, or educational transcripts.

5. Racial or ethnic data #


Information about an individual’s race or ethnicity is considered personal data, particularly as it can be used to discriminate or for other malicious purposes.

6. Political opinions #


Under GDPR, political opinions or affiliations are protected as personal data. This includes membership in political parties or movements.

7. Location data #


This includes any data that can be used to determine an individual’s location. This can range from a home address to more dynamic data like location data from a smartphone.

8. Online identifiers #


This encompasses usernames, account numbers, and other identifiers used in digital contexts. These identifiers can often be linked back to an individual, either directly or indirectly.

9. Communication data #


Personal data also includes the content of communications, such as emails, chat logs, and phone call recordings, when they can be linked to an individual.

These examples underscore the broad scope of what constitutes personal data under GDPR. The regulation mandates strict guidelines for the handling, processing, and storage of such data, underscoring the importance of privacy and data protection in the digital age.

GDPR personal data: 8 Processing principles #

The GDPR outlines several key principles that govern the processing of personal data. These principles serve as the foundation for the protection of personal information within the European Union (and for EU citizens abroad), as well as for entities outside the EU that process the data of EU citizens.

Here are the primary principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (Security)
  7. Accountability
  8. Data portability

Let us understand each of them in detail:

1. Lawfulness, fairness, and transparency #


Data must be processed lawfully, fairly, and in a transparent manner. This means that organizations must have a valid legal basis for data processing and must be open about how the data is used.

2. Purpose limitation #


Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes. Essentially, you can only use the data for the reason you stated when you collected it.

3. Data minimization #


Data collected must be adequate, relevant, and limited to what is necessary for the intended purposes. Organizations should not collect more data than is strictly required for the purpose they have stated.

4. Accuracy #


Personal data should be accurate and, where necessary, kept up to date. Inaccurate data should be corrected or removed.

5. Storage limitation #


Personal data should be kept in a form that allows identification of data subjects for no longer than is necessary for the intended purpose. After that, the data should either be deleted or anonymized.

6. Integrity and confidentiality (Security) #


Personal data should be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. This involves applying appropriate technical or organizational measures to safeguard the data.

7. Accountability #


The data controller is responsible for, and must be able to demonstrate, compliance with the other principles. This is a key change from previous legislation; accountability is now a core part of data protection law.

8. Data portability #


While not strictly a principle, data portability allows individuals to obtain and reuse their personal data across different services. This facilitates their ability to transfer data easily from one IT environment to another.

By adhering to these principles, organizations can ensure that they are in compliance with GDPR regulations, thereby reducing the risk of legal issues and penalties, while also improving consumer trust.

11 Components of GDPR personal data #

The term “components of GDPR personal data” isn’t a standard term in GDPR legislation, but personal data under GDPR can be categorized into various types or components for better understanding. These types or components help clarify what kinds of information are considered “personal data” and thereby subject to GDPR regulations.

The following are the 11 key components of GDPR personal data:

  1. Identifiers
  2. Contact information
  3. Online identifiers
  4. Biographical information
  5. Location data
  6. Health data
  7. Financial data
  8. Social and personal characteristics
  9. Employment data
  10. Special category data
  11. Educational data

Let us understand each of them in detail:

1. Identifiers #


  • Name:
    • The most basic form of identification, this could be a first name, last name, or both. This can include first names, middle names, last names, or any combination thereof.
    • Names are often collected in nearly all forms of data processing from account creation to transaction records.
  • Identification Numbers: These could be social security numbers, tax IDs, or passport numbers. These could range from government-issued identification like Social security numbers to customer IDs in a database. Such numbers can uniquely identify a person and are sensitive data.

2. Contact information #


  • Address: Including both postal and email addresses. This refers to both physical addresses (street, city, state, postal code) and electronic addresses like email. Both can be used to contact or locate someone.
  • Phone Numbers: Both landline and mobile. These can include country and area codes and can refer to mobile, work, or home numbers. Given their direct link to an individual, they are often treated as sensitive data.

3. Online identifiers #


  • IP Addresses: Numeric labels assigned to devices connected to a internet. An IP address can reveal the approximate geographical location of a computer and is used in a wide variety of tracking and data-collection applications.
  • Cookies: Small pieces of data stored on the user’s computer by the web browser. These small text files are stored on a user’s device by websites. They can be used to track behavior, remember preferences, and even directly identify an individual in some cases.

4. Biographical information #


  • Date of Birth: Information regarding the birth date of an individual. Often used for verification purposes, the date of birth is considered sensitive personal information and is often used in combination with other identifiers for authentication.
  • Gender: Information that relates to an individual’s biological, psychological, or social identity. Information regarding an individual’s gender can be sensitive and subject to special treatment, particularly in settings where data on gender could be used for discriminatory practices.

5. Location data #


  • Geographical coordinates: Often captured by smartphones or other GPS-enabled devices, these could be gathered via GPS-enabled devices and can reveal a detailed history of an individual’s movements.
  • Tracking data: Information gleaned from technologies like RFID, NFC, and other tracking systems. Systems like RFID tags or NFC technology can track individuals in physical spaces, such as employees in a building.

6. Health data #


  • Medical records: Information about an individual’s physical or mental health. These records contain highly sensitive information about an individual’s medical history, diagnoses, and treatments.
  • Genetic data: Information about inherited or acquired genetic characteristics. This involves information about the inherited genes that could reveal data not just about the individual but also about family members.

7. Financial data #


  • Bank account details: Account numbers, sort codes, and other bank details. Includes sensitive information like account numbers, sort codes, and banking institutions.
  • Credit history: Record of an individual’s repayments of debts and other financial transactions. This data contains details about loans, credit cards, mortgages, and other financial commitments, as well as repayment history.

8. Social and personal characteristics #


  • Race and ethnicity: Information regarding the racial or ethnic background of an individual. Collecting this data can be sensitive and is often subject to strict consent and use limitations.
  • Religion: Information regarding an individual’s religious beliefs. Religious beliefs can be a sensitive topic and may be subject to additional protections.
  • Political opinions: This would include party affiliations or any other political activities. These are often considered sensitive data because of the potential for misuse, particularly in settings where political discrimination is a concern.

9. Employment data #


  • Occupation: The job title or position held by an individual. Information about one’s work, role, title, or profession.
  • Salary: How much money an individual earns. This is highly sensitive data, often subject to additional security measures to prevent unauthorized access or disclosure.

10. Special category data #


  • Biometric data: Fingerprints, facial recognition, and other uniquely identifying biological factors. This involves physical characteristics that can be used for automated identification, like fingerprints or retina scans. It is highly sensitive and requires special handling.

11. Educational data #


  • Qualifications: Degrees or certifications obtained. This includes the levels of education reached and any qualifications gained or courses completed.
  • Transcripts: Records of educational performance. These are detailed records of an individual’s academic performance and are sensitive data often protected by additional regulation.

Each of these components represents types of personal data that must be handled carefully under GDPR rules, typically requiring explicit consent for collection and strict safeguards for storage and processing.

Understanding these components helps organizations to identify what data they are handling that falls under the purview of GDPR. Once identified, organizations must then ensure that this data is handled in compliance with GDPR principles. Failure to do so can result in significant penalties.

7 Special categories of personal data #

The GDPR outlines what it calls “special categories of personal data,” which are types of data considered particularly sensitive and therefore requiring additional protection.

The reason these categories are considered “special” is that they could be used in a way that discriminates against individuals or otherwise unfairly impacts them in significant ways.

Here are the special categories of personal data according to GDPR:

  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership
  5. Genetic data
  6. Biometric data
  7. Health data

Let us understand each of them in detail:

1. Racial or ethnic origin #


This includes any information that indicates a person’s racial or ethnic background. Collecting and processing this data is often prohibited unless explicit consent is given, and even then, it’s often subject to strict limitations.

2. Political opinions #


Political affiliations or opinions can be highly sensitive, and the misuse of such information could result in discrimination or bias. Extra precautions must be taken when storing and processing this data.

3. Religious or philosophical beliefs #


Information about a person’s religious affiliations or philosophical beliefs falls under this category. Such data is considered sensitive because of the risk of discrimination or persecution based on these beliefs.

4. Trade union membership #


Being a member of a trade union could subject individuals to various types of discrimination, which is why this information is categorized as sensitive data under GDPR.

5. Genetic data #


This refers to information about the inherited or acquired genetic characteristics which give unique information about the physiology or the health of that natural person. This data is highly sensitive given its deeply personal nature and the potential implications it can have for family members and future generations.

6. Biometric data #


This includes fingerprints, retina scans, and other data that can be used for the purpose of uniquely identifying a natural person. Due to the highly individualized nature of biometric data, it is categorized as sensitive under GDPR.

7. Health data #


Information related to a person’s physical or mental health is considered sensitive due to the potential for misuse, discrimination, or stigmatization.

Organizations that process any of these special categories must adhere to strict rules and are usually required to obtain explicit consent from the individual. They must also implement additional security measures to protect the data and are subject to more stringent requirements regarding data breach notifications.

Failure to comply with the regulations for special categories can result in significant penalties.

Summarizing it all together #

At its core, GDPR revolves around several key components designed to safeguard personal data. These include stringent consent requirements, ensuring data portability, appointing Data Protection Officers (DPOs) for oversight, and implementing mandatory breach reporting.

Moreover, GDPR empowers individuals with greater control over their data, granting them the right to access, rectify, or even erase their personal information from databases. In a data-driven era, GDPR serves as a guardian of personal data rights and privacy.

As consumers, citizens, and data subjects, it is crucial that we remain informed and vigilant, advocating for responsible data management practices that honor both the spirit and the letter of GDPR.

Share this article

[Website env: production]