What is considered personal data under GDPR?
Asked by: Nona Walker MD | Last update: May 11, 2026 | Score: 4.2/5 (3 votes)
Under GDPR, personal data is any information relating to an identified or identifiable natural person (data subject), meaning data that can directly or indirectly point to a specific individual, even if it's just one piece or combined with other data. This includes basic identifiers like names, addresses, and emails, as well as sensitive details such as genetic/biometric data, health info, and online identifiers like IP addresses or cookie IDs, covering both manual and automated records.
What are 5 examples of personal data?
What is personal data?
- a name and surname.
- a home address.
- an email address such as 'name.surname@company.com'.
- an Internet Protocol (IP) address.
- an identification card number.
- a cookie ID.
- the advertising identifier of your phone.
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
Which data is not considered personal data under the GDPR?
By using “natural person,” the GDPR is saying data about companies, which are sometimes considered “legal persons,” are not personal data. A final caveat is that this individual must be alive. Data related to the deceased are not considered personal data in most cases under the GDPR.
Does GDPR apply to deceased?
In legal terms, the General Data Protection Regulation (GDPR) and the Data Protection Act no longer apply to identifiable data that relate to a person once they have died. However, any duty of confidence established prior to death does extend beyond death.
What is not a personal data in GDPR?
In terms of origin, non-personal data can be data which never related to natural persons (such as data on weather or supply chains), or data which was initially personal data, but has been anonymised (through use of certain techniques to ensure that individuals to whom the data relates cannot be identified).
What qualifies as personal data under the GDPR?
In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.
What are the four types of personal data?
Categories of Personal Data
- Basic Identifiers: Information such as: ...
- Sensitive Data (Special Categories): Sensitive personal data requires extra care due to its private nature. ...
- Behavioral and Digital Identifiers: Data points derived from online behavior or usage patterns, such as: ...
- Financial Information: Information like:
Is an email address personal data under GDPR?
A work email address is personal data under the UK GDPR if it can identify a specific individual. Generic addresses (such as info@company.co.uk) are less likely to be personal data, but this depends on context. If an email address is personal data, you must handle it in line with GDPR and PECR rules.
What not to do immediately after someone dies?
Immediately after someone dies, avoid distributing assets, selling property, paying creditors, changing account titles, or canceling essential services (like power/water) prematurely, as these actions can create legal and financial problems; instead, focus on getting a death certificate, securing property, arranging immediate care for dependents/pets, and notifying close family, friends, and necessary professionals (like an attorney) to guide the next steps.
Is date of birth personal data?
Personal data can cover various types of information, such as name, date of birth, email address, phone number, address, physical characteristics, or location data – once it is clear to whom that information relates, or it is reasonably possible to find out.
What may not be identified as personal data?
Information concerning a 'legal' rather than a 'natural' person is not personal data. Consequently, information about a limited company or another legal entity, which might have a legal personality separate to its owners or directors, does not constitute personal data and does not fall within the scope of the UK GDPR.
What are the 7 GDPR requirements?
The 7 core principles of GDPR (General Data Protection Regulation) are: Lawfulness, Fairness, and Transparency (process data legally and openly); Purpose Limitation (use data only for specified reasons); Data Minimisation (collect only necessary data); Accuracy (keep data correct and up-to-date); Storage Limitation (don't keep data longer than needed); Integrity and Confidentiality (secure the data); and Accountability (be responsible for compliance). These principles guide how organizations must handle personal data, focusing on protecting individuals' privacy rights.
Is a phone number considered personal data?
Examples of personally identifiable information (PII) include: Social security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number. Personal address and phone number.
What are 10 examples of sensitive personal information?
Definition of Sensitive Personal Information
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data.
- Health data.
- Sexual orientation or sex life.
Is an email address considered personal information?
Yes, email addresses are personal data. According to data protection laws such as the GDPR and the CCPA, email addresses are personally identifiable information (PII). Personal information means any info that can be used by itself or with other data to identify a physical person or household.
Which of the following is most likely not personal data under GDPR?
What is not considered personal data under GDPR? The following is not considered personal data under GDPR: Data related to the deceased. Inaccurate data that can't be identified to an individual.
What is the 7 minutes after death?
The "7 minutes after death" idea suggests the brain stays active for a short period, replaying significant memories, a concept linked to scientific findings of brain activity surge after cardiac arrest, potentially explaining near-death experiences and life flashes, though it's more a popular interpretation of research than a fully understood phenomenon. It's a comforting, metaphorical idea that one's life flashes by as a "highlight reel," but the actual science involves rapid brain shutdown, though gamma waves (linked to memory) can spike briefly after the heart stops.
Why can't you cut hair after a funeral?
Children or grandchildren of the person who died should wait at least 49 days after the funeral to cut their nails or hair. This comes from the idea that the dead parent gave the children their nails and hair, so they should not be cut during the mourning period or after the burial.
Why not tell the bank when someone dies?
You shouldn't always rush to tell the bank when someone dies because immediate notification can lead to account freezes, blocking access to funds needed for immediate expenses, delaying bill payments, and triggering complex probate processes, especially if accounts lack joint owners or designated beneficiaries, but consulting an attorney first is crucial to understand specific account types and legal obligations before acting.
Is revealing my email address a breach of privacy?
Personal data is broadly defined as any information that could be used to identify you, whether directly or indirectly. To that end, an email address could fall well within the definition; however, it should be noted that not all email addresses are considered personal data.
Can I read my employees' emails?
Employers can access stored emails located on the company system but cannot access private emails. The Computer Fraud and Abuse Act (CFAA) was initially enacted to address computer hacking. However, it also applies to employers whose monitoring goes beyond what they are authorized to do.
What personal information is sensitive to GDPR?
Definition under the GDPR: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
What is not personal data?
Information about companies or public authorities is not personal data. However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.
What are the top 3 big data privacy risks?
- Cyberattacks and hacking.
- Lack of transparency in data usage.
- Non-compliance with privacy laws.
Which two data types would be classified as personally?
Personally identifiable information (PII) is any data that can be used to identify someone. All information that directly or indirectly links to a person is considered PII. One's name, email address, phone number, bank account number, and government-issued ID number are all examples of PII.