How Does the GDPR Define Personal Data? How Should It Be Handled?

May 6, 2022 - Ensighten

The EU's General Data Protection Regulation (GDPR) sets out laws for organizations regarding how to process and store Personal Data, as well as identifying rights individuals have over their personal information. All organizations that interact with citizens of the EU—from private companies to non-profit organizations to government agencies—fall under the purview of the GDPR. Since non-compliance with the GDPR could not only result in serious fines but also loss of trust and good reputation, taking the necessary steps to adhere to the GDPR is the obvious choice.

To ensure compliance with the GDPR, it’s essential to understand what constitutes Personal Data and the requirements regarding processing and safeguarding this information. 

What is Considered Personal Data under the GDPR?

Personal Data, a legal term defined by the GDPR, is “…any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

Personal data includes:

  • Name and surname
  • Phone number
  • Home address
  • Date of birth
  • Credit card or bank account number
  • Identification card number
  • Medical data
  • Photograph where an individual is identifiable
  • Internet Protocol (IP) address 
  • Unique cookie identifiers 
  • Tracking location data
  • Individual targeted advertising data 

Although one piece of personal information alone may not be enough to identify an individual, when multiple pieces are collected together it could, thus qualifying this information as Personal Data. 

What are the GDPR's requirements for the processing of Personal Data? 

Personal Data use is regulated in all phases under the GDPR, from collecting and processing to storing and destroying. The GDPR outlines a cautious and meticulous approach to Personal Data processing, beginning with collecting the least amount of Personal Data possible, while keeping that data for the least amount of time, and all the while keeping it secure.

GDPR Enforcement Actions are Up 70% Year-over-Year. Get the Report.

Compliance to the GDPR necessitates that organizations:

  1. Be transparent when collecting and processing the Personal Data of customers, consumers, and employees, and keep records of organizational policies and actions relating to the data’s use. 
  2. Limit what Personal Data, especially sensitive data, is processed to only what is necessary for business processes.  
  3. Retain Personal Data only as long as it’s needed for its original purpose. 
  4. Process and store the data in a secure way, so as to protect against unlawful loss, destruction, damage, or theft. For example, use techniques such as anonymization, pseudonymization, and/or encryption. 
  5. Create plans for possible data breaches, and train employees on proper procedures related to processing Personal Data. 

What does the GDPR define as "sensitive data?"

The GDPR describes sensitive data as personal information that must be protected and treated with high security. Sensitive data, if revealed, could leave a person vulnerable to crime. This data will generally fall into one of these categories:  

  • Race or Ethnicity
  • Sexual Orientation
  • Political, philosophical, or religious beliefs
  • Genetic information
  • Biometric information (biological measurements, including distinguishing physical characteristics, that can be used to identify a person) 
  • Trade union membership

There are strict requirements to process this sensitive personal data under the GDPR, and organizations must document a specific legal purpose for its use or obtain consent from data subjects. Allowable purposes for the use of sensitive data are:

  1. Having consent from, or a legal contract with, an individual 
  2. A legal obligation requiring the processing of the data
  3. Necessary use relating to public interest, such as information on governmental authorities, schools, or law enforcement departments
  4. Necessary use relating to public health
  5. Necessary use relating to scientific or historical research and statistics 

What is non-personal data? 

Non-personal data under the GDPR is information that is non-sensitive in nature, or data that has been anonymized and cannot be de-anonymized. Any encrypted data that could be reversed and used to identify a person, however, is still personal data. 

Non-personal data under the GDPR also includes:

  • Information about a deceased person
  • Information about public authorities and companies
  • An age range
  • Aggregate demographic, economic, and social data

Is Personal Data the same as Personally Identifiable Information (PII)?

Personal Data, as we have defined it under the GDPR, is different than a similar term⁠: Personally Identifiable Information (PII). PII is a term commonly used in countries outside of the EU, particularly the US, and does not reference specific legal regulations. Although there is no one established definition, PII is most commonly defined as data that is used to directly identify a specific person. Categories of PII include:

  • Name and surname
  • Phone number
  • Home address
  • Date of birth
  • Social Security number
  • Driver’s license or passport number
  • Credit card or bank account number
  • Medical data

Everything that would be categorized as PII would be considered Personal Data under the GDPR. However, since Personal Data encompasses a broader range of information, including data that may indirectly identify an individual, not all Personal Data would be considered PII. Laws regarding PII are under the authority of individual governments and organizations and vary in standards of protection as well as individual rights to control of their data. 



Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.

Learn more about Ensighten and our solution

Online skimming blog

Learn why third-party components on your website could be leaving you vulnerable to online skimming attacks

Read Now

Web skimming webinar

Learn more about how online skimming attacks happen and how you can protect against them

Watch Now

Online demo

See the Ensighten solution in action to learn how we can help protect your website against online skimming

Book Now