GDPR personal data explained

The General Data Protection Regulation (GDPR), in force since May 25, 2018, requires businesses to protect the personal data and privacy of European Union (EU) citizens, for transactions that occur within EU Member States. The GDPR also regulates the exportation of personal data outside the EU. GDPR compliance gives EU citizens the right to access and control their personal data. 

What is personal data under GDPR?

According to the definition under GDPR, personal data is any information that relates to an identified or identifiable person known as a data  subject. Unrelated pieces of information, which when collected together can lead to the identification of a particular person, are also considered personal data. De-identified or encrypted personal data, which can be re-identified to lead to a person, is still personal data.

Personal data examples include the following: 

  • Name 
  • Address 
  • Location data 
  • Any id that can uniquely identify an individual  

They can additionally include one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Data such as company registration data or company contact email ID that is publicly available, is not considered personal data and does not fall under the scope of GDPR.

Personal data that has been anonymized in such a way that it cannot be reversed, and can no longer lead to identifying an individual, is not considered GDPR personal data. 

What data is protected under GDPR?

Any personal data must be protected for GDPR compliance. GDPR personal data is defined explicitly and covers the following cases:

  • Easily recognized personal identity information, including name, surname, home address
  • Various email IDs, including personal and professional IDs, that can be traced back to individuals
  • Identification or identification card numbers issued by institutions or authorities such as student ID or employee ID
  • Biometric data such as iris scans or fingerprints 
  • Web data including location data, IP address, cookies or RFID tags that can be used to identify individuals
  • Advertising identifiers of mobile phone
  • Racial or ethnic data
  • Health and genetic data including diseases and treatments
  • Unique identifier data held by doctors or hospitals 
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union membership
  • Sexual orientation

Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. Member States can extend the scope of GDPR if required and determine the conditions under which a national identification number or any other identifiers of general application may be processed.

Information relating to dead individuals is in principle not considered GDPR personal data.  However, the data of the deceased may also refer to living persons and in some cases may be allowed to be processed according to GDPR guidelines. For unborn children, the extent of GDPR personal data protection rules before birth depends on the position of the national legal systems about the protection of unborn children.

What is sensitive personal data? 

Some personal data, processing which can create significant risks to the fundamental rights of the individual, is considered as sensitive GDPR personal data. The examples are:

  • Personal data revealing racial or ethnic origin
  • Health and genetic data including mental health and treatments
  • Biometric data such as photographs and fingerprints, processed solely to identify an individual
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union membership
  • Data concerning a person’s sex life or sexual orientation

Sensitive GDPR personal data should not be processed unless the data subject gives explicit consent. Processing sensitive personal data is allowed in specific cases based on Union or Member State law, providing for suitable measures to protect the fundamental rights and the interests of the data subject.

  • For carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law, authorized by Union or Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject
  • To protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent
  • When processing is carried out with appropriate safeguards by a not-for-profit body with a specific aim, relating only to the members, former members, or related persons and the GDPR personal data is not disclosed outside that body without the consent of the data subjects
  • When processing relates to GDPR personal data which is distinctly made public by the data subject
  • For the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity
  • For reasons of substantial public interest, based on Union or Member State law providing for suitable measures to safeguard the fundamental rights and the interests of the data subject
  • For preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
  • For reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices
  • For archiving in the public interest, scientific or historical research, or statistical purpose 

A customer-centric approach to data privacy 

GDPR by definition applies to all businesses selling goods or services to EU citizens. Businesses registered or located outside the EU may collect and use personal data of EU citizens, and in such situations, they also must comply with the GDPR.

Public concern over privacy has increased significantly with technology providing opportunities to collect, process and use personal data. Identity theft, data breach and other cases highlight the need for strict measures to protect customer data privacy.

Enterprises collect customer data to understand their customers fully and leverage it to deliver a superior customer experience. While collecting customer data is essential, enterprises need to build trust by taking a customer-centric approach in protecting GDPR personal data.

Protecting customer privacy data is a three step process: 

  1. Understand the GDPR personal data collected from customers
  2. Process, store and make that data available to customers for changing and controlling its use
  3. Ensure that the data is never made accessible in any way, which can lead to the identification of a particular individual

An enterprise-wide governed approach to data privacy can build on collaborative automated processes for managing customer Personal Information (PI).

A governed data privacy approach helps to: 

  • Quickly identify the location of PI
  • Provide quick and compliant access to PI
  • Ensure data privacy compliance through visibility into data and regulatory reporting 

Collibra Data Privacy has rich features for PI discovery and classification, business process management and reporting to properly manage GDPR personal data. With Collibra data privacy stakeholders can 

  • Quickly and accurately locate PI through the PI Discovery and Classification feature
  • Document how it is used and for what purpose through Business Process Management
  • Monitor compliance progress for GDPR readiness through Regulatory and Management reporting

Stakeholders from the privacy manager to the data steward can manage data privacy in a centralized location. This allows them to gain visibility into metadata that can be used for privacy use cases. In addition, the platform scales to support new regulations.

Related resources


A customer-centric approach to data privacy


6 typical GDPR questions explained


A guide to data subject rights for data professionals

View all resources

More stories like this one

Jan 25, 2022 - 3 min read

Gaining control of personal information ahead of CPRA

Read more
Feb 25, 2021 - 3 min read

Driving GDPR Compliance

Read more
Jan 28, 2021 - 3 min read

Celebrating International Data Privacy Day

Read more