Quiz Entry - updated: 2026.07.05
How does the GDPR define "personal data," and why is the phrase "identified or identifiable" so important?
Personal data is any information relating to an identified or identifiable natural person — the "identifiable" part means indirect identification counts too.
The GDPR definition (Art. 4(1)) has three load-bearing ideas:
- Natural person. Raw data (numbers, text, audio) is not inherently personal — it becomes personal only when it relates to a living individual. Data about an organization, a deceased person, or a group is not personal data.
- Relates to an individual. This covers practically anything someone is, has said or done, owns, or may think.
- Identified OR identifiable. It's personal not only through direct identifiers (name, contact info) but through indirect identification — if you can single someone out or pin them down by combining datasets.
That last word, identifiable, is why "we removed the names" is rarely enough: the law cares whether a person can be re-identified, not whether you left an obvious label.
Go deeper:
GDPR Recital 26 (gdpr-info.eu) — the "reasonably likely means" identifiability test in the source text.
Personal data (Wikipedia) — the GDPR Art. 4(1) definition vs US "PII".