What is Personal Data?
Personal data is any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR. It covers obvious identifiers like name and email, plus IP addresses, cookie IDs, and location data where a person can be singled out, directly or indirectly.
Personal data is the trigger that brings the GDPR into scope: if you process it, the regulation's obligations apply. The EU definition is broader than the US notion of "PII" — online identifiers, device IDs and pseudonymised records all count, because the person remains identifiable. Truly anonymised data falls outside the GDPR; "special category" data (health, biometrics, race, religion under Article 9) carries extra restrictions on top.
For example, a small e-commerce shop holds personal data the moment it stores a customer's shipping address or an analytics cookie tied to a session — even before any sale. Knowing exactly what personal data you hold, and classifying it, is the foundation of a Record of Processing Activities and every downstream control.
A template data inventory and classification scheme accelerate that mapping so you can show an auditor or supervisory authority what you process and why. But documentation alone does not make you compliant — you still have to apply a lawful basis, secure the data, and honour individuals' rights in practice.
Related terms: Data Classification · Records of Processing Activities (RoPA) · Lawful Basis for Processing · Protected Health Information (PHI)
Frequently asked questions
- Is personal data the same as PII?
  Not quite. "PII" is a US concept usually limited to data that directly identifies someone. GDPR "personal data" is broader — it includes online identifiers, IP addresses and any data from which a person can be singled out indirectly.
- Is pseudonymised or anonymised data still personal data?
  Pseudonymised data (e.g. a record keyed to a customer number) is still personal data, because the person remains identifiable with extra information. Truly anonymised data — where re-identification is no longer possible — is not personal data and falls outside the GDPR.
- Are IP addresses and cookies personal data?
  Often yes. Where an IP address or cookie identifier can be linked to an identifiable individual, EU case law and supervisory authorities treat it as personal data, which is why cookie banners and privacy notices are required.
