
Personal Data (GDPR)


Any information relating to an identified or identifiable natural person (data subject) — Art. 4(1).

Under GDPR Art. 4(1), personal data is any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified directly or indirectly, by reference to an identifier such as a name, ID number, location data, or online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Why it matters
GDPR's definition is intentionally broad — IP addresses, cookies, and device IDs all qualify. This makes virtually every web product a controller of personal data the moment an EU visitor lands.

Related terms

PII (Personally Identifiable Information)
Information that can identify a specific individual, directly or in combination with other data.
Data Subject
The identified or identifiable natural person to whom personal data relates (GDPR Art. 4(1)).
Lawful Basis (Legal Basis for Processing)
One of six GDPR Art. 6 grounds that must apply for personal data processing to be lawful.
