Guide On GDPR Personal Data And Data Subject

Published on : 18 Oct 2021


GDPR Personal Data and Data Subject

GDPR is a data privacy and data protection law that needs to be interpreted correctly to achieve compliance. While Personal Data is the core concept of the Regulation, many are still unsure whether certain information meets the GDPR’s definition of personal data. Because there is no definitive list of what is and what is not personal data, making that determination can be tricky, so it all comes down to interpreting the GDPR’s definition of personal data correctly. Today’s article is about understanding the GDPR’s definition of Personal Data and interpreting it correctly. So, let us first learn what Personal Data is and understand its context in the GDPR Regulation.

What is Personal Data as per GDPR Regulation?

GDPR Article 4 provides the following definition of “personal data”: “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Source: https://gdpr-info.eu/art-4-gdpr/

Personal data covers a broad category of information, as defined in the GDPR Regulation. Let us take a closer look at the definition to understand its core elements a little better.

  • Any information – Any piece of data, comprising subjective and objective information and not limited to any particular format (video, audio, numerical, graphical, or photographic data), can contain personal data.
  • Relating to identified or identifiable data – Information relating to an individual that helps identify them can be considered an identifier or identifiable data.
  • Natural person – A natural person is any living individual, as opposed to a company, which in law is sometimes considered a “legal person”.
  • Data subject – A controller or processor who holds personal information and who can be identified, directly or indirectly, by reference to that personal data (Article 4(1), GDPR).
  • Identifying an individual directly or indirectly – An individual can be identified directly with certain information in hand, or indirectly by combining the information held with additional information obtained from another source. So, basically, any information that can lead to the direct or indirect identification of an individual will likely be considered personal data under the GDPR.

Source: https://gdpr-info.eu/

Understanding these concepts is crucial, as it helps organizations identify personal data and determine which data falls within the scope of the GDPR.

GDPR Personal Data List

Category                | Examples of personal data in this category
------------------------|-------------------------------------------------------------------------
General personal data   | Name, date of birth, email ID, credit card number.
Special category data   | Race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, criminal records.
Pseudonymized data      | Reference number, student number, IP address, membership number of a sports club, gamer's user name, or bonus card number.

Information not considered as Personal Data under GDPR Regulation

Category          | Description
------------------|-------------------------------------------------------------------------
Data of deceased  | Information relating to a deceased person does not constitute personal data and therefore is not subject to the UK GDPR.
Anonymized data   | Anonymous information, namely information that does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Legal person      | Information about a limited company or another legal entity, which might have a legal personality separate from its owners or directors, does not constitute personal data and does not fall within the scope of the UK GDPR.

Final thought – Understanding the context is critical

Personal data covers a vast category of information. So, it ultimately boils down to understanding the context and interpreting the definition of Personal Data under the GDPR appropriately. The information shared above in this article is not an exhaustive list, but a guide to help you understand some of the concepts for determining whether the data processed is Personal Data under the GDPR Regulation.

At this point, understanding the context is very important. Organizations often collect different types of information about people. Even though a piece of data may not lead to identifying a person on its own, it could, when combined with other information, lead to identifying an individual. In this way, the data collected by the organization may fall within the scope of the GDPR Regulation, requiring the organization to comply with its requirements.


The more data is combined and aggregated, the more likely it is to fall within the scope of the GDPR as Personal Data. This makes things more difficult for organizations, especially when de-identifying data, and may ultimately result in higher risks and responsibilities and potentially lead to GDPR fines and penalties.

So, it is recommended that organizations looking to achieve GDPR compliance approach a qualified DPO for assistance in determining whether they are on the right track. We at VISTA InfoSec have the expertise, knowledge, and experience of helping organizations achieve compliance. Our experts can guide your organization in the classification of data and help you on the journey to compliance. For more details on VISTA InfoSec, you can visit our site www.vistainfosec.com.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.