How do the GDPR and the Swiss revDSG legally define "personal data"?
Both define personal data as any information relating to an identified or identifiable natural person — the affected individual is called the "data subject" (betroffene Person).
* The identifiability test that turns information into personal data. *
The two leading frameworks use almost identical wording, which is why the concept travels across both regimes:
| Framework | Legal definition |
|---|---|
| EU GDPR, Art. 4 No. 1 | "All information relating to an identified or identifiable natural person (the 'data subject')." |
| Swiss revDSG, Art. 5 | "All information relating to a specified or identifiable natural person." |
The decisive word is "identifiable." Data does not need to name you directly to be personal — if you can be singled out indirectly (for example by combining an account number with a lookup list, or an address with a registry), it already counts as personal data.
Examples explicitly raised in the source: name, place of residence, date of birth, phone number, religious affiliation, account number. Note that some of these (religion) are not just personal data but specially protected data.
Why it matters: This single definition is the on/off switch for the entire law. If data is "personal," the whole DSG/GDPR apparatus (purpose limitation, justification, data-subject rights) applies. If it genuinely is not, the law does not reach it at all.
Go deeper:
GDPR Art. 4 — Definitions — the exact statutory wording of "personal data" / "data subject".
Federal Act on Data Protection (FADP/revDSG), official text — the live Swiss law (SR 235.1).