You must’ve heard the oft-used metaphor that data is the new oil. With the sheer amount of data that is collected about people online and the various ways it’s used to target them, data holds a lot of value in the digital economy. It is in this context that the General Data Privacy Regulation (GDPR) came into being in the European Union. The key focus of GDPR was to regulate the use of personal data and give fundamental rights to people on how their data is used by businesses. 

This blog will address what constitutes GDPR personal data, what the GDPR requirements concerning personal data are and how you can handle personal data and stay GDPR compliant. 

What is personal data in GDPR?

The GDPR set out to protect the personal data of residents in the EU and to reshape the way organisations across the region approach data privacy. Personal data is any form of data that can be used to identify an individual, i.e. a natural person. In the GDPR, it is defined broadly to apply to several types of data including data collected via the Internet of Things (IoT), cookies, RFID tags, and so on.

GDPR personal data list 

GDPR personal data examples

  • Names, emails, phone numbers
  • Display pictures, social media IDs and profile URLs 
  • Website logs like IP addresses, user agents and device IDs 
  • Cookies and radio frequency identification (RFID) tags
  • Audio and video recordings of users
  • Payment details like bank account number and credit card information
  • Geolocation data
  • Email and lead lists
  • Current or previous employee data
  • Identifiers related to the physical, physiological, genetic, mental, economic, cultural, or social identity of a person.

Infographic: GDPR Personal data

GDPR personal data definition

Article 4(1) of the GDPR defines personal data as:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What are online identifiers in GDPR?

Online identifiers include:

  • Devices
  • Applications
  • Tools and Protocols
  • IP (Internet Protocol) addresses
  • Cookie identifiers
  • Radio Frequency Identification (RFID) tags

The GDPR broadens the traditional scope and definition of personal data to include data from devices and IoT that are an intrinsic part of the internet economy. The GDPR notes that online identifiers can leave traces which, when combined with other unique identifiers or information, can be used to create profiles of individuals and identify them.

Recital 30 of the GDPR clarifies the definition of “online identifier”:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

What is sensitive personal data under GDPR?

GDPR mandates extra rules for processing data that falls under special categories of personal data, also called sensitive personal data. The following personal data is considered sensitive:

  • Personal data related to racial or ethnic origin, political opinions, religious or philosophical beliefs 
  • Trade union membership
  • Genetic data, biometric data 
  • Health-related information
  • Data concerning a person’s sex life or sexual orientation

What are the lawful bases for processing personal data?

GDPR requires any organization processing personal data to have a valid legal basis for that processing activity. In GDPR, “processing” is defined as the use of personal data and includes activities such as the collection, recording, organisation, structuring, storage, adaptation, retrieval, disclosure, dissemination, combination, restriction, erasure, or destruction of data.

The 6 lawful bases that underpin the GDPR’s data protection regime are:

Consent: The individual has given consent for the organization to process their personal data.

Performance of a contract: Data processing is necessary to enter into or perform a contract with the individual.

Legal obligation: Data processing is necessary to comply with a law such as employment, information security or consumer laws.

Vital interest: Data processing is necessary to protect the “vital interests” of the data subject.

Public interest: Data processing is necessary for the performance of tasks carried out by a public authority or private organisation acting in the public interest.

Legitimate interest: Personal data may be processed on the basis that the business has a legitimate interest in processing those data, provided that the legitimate interest does not risk the rights or freedoms of individuals.

Consent for processing personal data

Consent is one of the lawful bases used by websites to collect personal data. When websites use consent, it must fit the definition of consent as stated in Article 4(11) of the GDPR:

“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The opt-in checkboxes on the contact form and cookie banners are a direct result of GDPR’s requirement for a lawful basis for processing. Under the GDPR, valid consent is significantly harder to obtain because you need to fulfil certain requirements for the same. 

Consent for cookies

As you’ve seen, cookies can be considered personal data in the GDPR. Therefore, GDPR requires websites to seek consent for dropping cookies on a user’s browser. 

Whether you have a small blog or a high-traffic website, GDPR applies if your site has EU and UK visitors. Scan your website for cookies and find out whether you need to collect cookie consent from users. 

Cookies that do not require consent

You can use cookies on your website without consent, where all of the cookies in use on your site can (legitimately) be considered as ‘strictly necessary’ or ‘essential’ for the functioning of your website. You can read more about strictly necessary cookies.

Cookies that require consent

Cookies other than strictly necessary cookies require the user’s consent. These cookies are not necessary for the basic functioning of a website but are used for purposes like tracking and advertising, analytics, performance and so on. 

Here’s a checklist to help you achieve GDPR-compliant cookie consent.

  • Give users full control to accept, decline or change cookie settings on a cookie banner
  • Show cookie audit table (with name, type, purpose and duration) on the second layer for full disclosure of cookies 
  • Show auto-translated banner to users as per their browser language to respect GDPR’s right to know
  • Auto-block third-party cookies till the user gives consent
  • Record all user consents for proof of compliance as consent should be demonstrable as per GDPR
  • Add a callback widget for the banner so users can revoke consent at any time. For valid consent, it should be easily withdrawable.
  • Add a detailed cookie policy on your website and link it to your cookie banner
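
One way to model three items of this checklist (block until consent, keep a demonstrable record, allow withdrawal), as an added example that is not CookieYes code. The category names, the record layout, the `consentId` and `bannerVersion` fields and the sample tags are assumptions.

```javascript
// Added example. Category names, record layout and sample tags are assumptions.
const OPTIONAL = ["functional", "analytics", "advertisement"];

// Starting state for every visitor: only strictly necessary cookies, nothing pre-ticked.
function defaultConsent() {
  const state = { necessary: true };
  for (const c of OPTIONAL) state[c] = false;
  return state;
}

// Turn banner choices into a state. Only an explicit boolean true opts a category in.
function applyChoices(choices) {
  const state = defaultConsent();
  for (const c of OPTIONAL) state[c] = choices[c] === true;
  return state;
}

// Append-only log: each change is a new entry, so consent stays demonstrable.
// consentId is a random per-browser id, not a name or an email address.
function recordConsent(log, consentId, choices, bannerVersion, now = new Date()) {
  const state = applyChoices(choices);
  log.push({ consentId, state, bannerVersion, at: now.toISOString() });
  return state;
}

// Withdrawal is recorded like any other choice and resets to the default state.
function withdrawConsent(log, consentId, bannerVersion, now = new Date()) {
  return recordConsent(log, consentId, {}, bannerVersion, now);
}

// Latest recorded state for a visitor, or the default if they never answered
// (ignoring the banner and continuing to browse is not consent).
function currentConsent(log, consentId) {
  const entries = log.filter(e => e.consentId === consentId);
  return entries.length ? entries[entries.length - 1].state : defaultConsent();
}

// Tags (scripts that set cookies) allowed to load. A tag whose category is
// missing from the audit table is blocked rather than allowed.
function allowedTags(tags, state) {
  return tags.filter(t => state[t.category] === true).map(t => t.name);
}

// Constructed cookie audit table.
const SAMPLE_TAGS = [
  { name: "session", category: "necessary" },
  { name: "stats.example", category: "analytics" },
  { name: "ads.example", category: "advertisement" },
  { name: "unreviewed-widget", category: undefined },
];
```

A page loader would call `allowedTags(SAMPLE_TAGS, currentConsent(log, id))` before injecting any third-party script, and again after every banner change.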

If you are a website owner, you need to obtain consent before setting cookies on a website visitor’s device. CookieYes is a cookie consent solution trusted by 1 Million+ websites, big and small, to comply with privacy laws like the GDPR, ePrivacy Directive, CCPA, LGPD, POPIA and so on. You can collect, manage and store cookie consent for foolproof GDPR compliance.

What is not considered personal data under GDPR?

  • Information about companies or public authorities.
  • Personal data relating to deceased individuals.
  • Anonymous data i.e. data that does not relate to an identified or identifiable natural person.
  • Unstructured paper records that do not fall within the scope of filing systems as cited in Article 2 of the GDPR.
  • Data from personal and household activities like an address book.

Is pseudonymous data personal data?

Article 4(5) of GDPR defines pseudonymisation as the processing of personal data in such a manner that they can no longer be attributed to a specific data subject without the use of additional information, with technical and organisational measures to ensure that they are not attributed to an identified or identifiable natural person. 

While pseudonymous data safeguards personal data and is low-risk in terms of a potential data breach, it can still be considered to be personal data since the process is reversible, and can be used to identify the individual. Recital 26 explains:

“…data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person.”

The UK’s regulator, the ICO, maintained a similar position, noting that:

Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Is anonymized data personal data?

Personal data that is anonymized is not treated as personal data under GDPR. Recital 26 of GDPR explains:

“The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” 

How long can you keep personal data under GDPR?

The GDPR does not set specific limits on data retention. It requires that personal data is stored for no longer than necessary for the purposes for which that data is processed, as per the principle of storage limitation.

Article 5(1) of GDPR states that personal data shall be:

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;”

GDPR also noted that personal data may be stored for longer periods in case it is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes as per Article 89(1) and is subject to appropriate technical and organisational measures to safeguard the rights and freedoms of individuals. 

When deciding the time period for data retention, you should:  

  • Consider the purpose for which you hold the information 
  • Securely delete information that is no longer needed for the purpose it was collected or 
  • Update, archive or securely delete out-of-date information

What are the individual’s rights under GDPR?

Individuals have strengthened rights under the GDPR with regard to their personal data. These include:

Right to be informed: Individuals have the right to be informed about how organisations use their personal data. This includes providing information on the data retention policies and the individual’s rights under the GDPR. 

Right of access: Individuals have the right to confirm whether their personal data is being processed, to receive information about that processing and to have a copy of all the personal data an organization has about them.

Right to rectification: Individuals have the right to get their personal data corrected if it is incorrect or incomplete. 

Right to erasure: Individuals can request the deletion or removal of personal data in specific circumstances. This can involve withdrawing previously given consent or requesting the deletion of data that is no longer necessary for the purpose for which it was collected.

Right to restrict processing: Individuals can block or restrict the processing of personal data. 

Right to data portability: Individuals can request to access their data in a commonly used format so it can be transferred to another data controller, or request that the data be transferred directly to another data controller.

Right to object: Individuals can object to their data being used for direct marketing.

Rights in relation to automated decision-making and profiling: Individuals have the right not to be subject to a decision based on automated processing.

How to make personal data GDPR compliant?

If you are a website owner or publisher, be it a small business website or blog, you need to establish a lawful basis for collecting any personal data. If consent is your legal basis, you need to ensure that it complies with GDPR standards.

01 Obtain cookie consent

We’ve seen in the previous section how cookie consent is a key requirement if you use cookies on your website. To recap, you need to:

  • Display a compliant cookie consent banner
  • Allow the user to withdraw cookie consent at any time 
  • Be able to demonstrate that the user has given consent
A cookie consent banner by CookieYes.

Along with GDPR, EDPB guidelines also mandate that websites cannot assume consent if users ignore cookie consent and continue browsing. Nor can cookie banners have pre-ticked boxes. Similarly, cookie walls which prevent the user from accessing the website until they give consent are unlawful as users have no genuine choice in this scenario.

02 Provide an updated privacy policy

The privacy policy on your website should inform your customers or visitors why you’re collecting their data, what you plan to do with it, how long you’ll retain it, where it is stored, and how they can access it. For GDPR compliance, your privacy policy should primarily:

  • Inform users about the personal data you collect, your purpose for collecting and how you are ensuring that their personal data is protected 
  • Describe the users’ rights under GDPR
  • Be available in a concise, transparent, and accessible form 
  • Be written in clear and plain language
  • Direct users on how to access and rectify their data

You can try a free privacy policy template and generate a custom policy for your website in no time.

03 Provide opt-in forms 

GDPR requires that the user gives consent via unambiguous indication by clear affirmative action. Clear affirmative action means someone must take deliberate and specific action to opt-in or agree to data processing.

For GDPR-compliant data collection, you should:

  • Add opt-in box on subscription forms and other web forms
  • Add unsubscribe button on emails and newsletters
  • Get opt-in consent separately for different purposes

This newsletter subscription form from CookieYes is an example of an opt-in consent form. Note that it also gives clear information on how one can unsubscribe, i.e. withdraw their consent at a later time.

You cannot rely on pre-ticked boxes, default settings or blanket acceptance of terms and conditions as signs of consent. Similarly, users should be provided with the ability to withdraw their consent.

04 Keep mailing list clean 

Under GDPR, email lists require active consent. Email consent must be kept separate from other matters such as the privacy policy and the terms and conditions. Businesses should request consent for a particular purpose and specify this explicitly. For instance, if you wish to send marketing emails, you must obtain consent for that specific purpose. Hence, you need to use active opt-in for your mailing list, including sign-ups that come through subscription forms.

Keep in mind that for GDPR compliance, if your mailing list includes subscribers who were automatically opted-in or were included through a purchasing list, then you will need to obtain consent from them again. Also, ensure that your email marketing tool is GDPR compliant and can help you in keeping your email marketing compliant.

05 Add data access request forms

GDPR gives individuals the right to access and receive a copy of their personal data. This is usually done through data subject access request (DSAR) forms on websites. Individuals can make a DSAR verbally, in writing, through emails and through social media. But, it’s best practice to add a DSAR page on your website to streamline the process.

Here’s what organisations should keep in mind when dealing with a subject access request:

  • Verify the data subject’s identity
  • Review and assess the nature of the request
  • Collate the data
  • Deliver the requested information 
  • Record your response

Note that a third party (a relative, friend or solicitor) can also make a DSAR on the individual’s behalf. In that case, they should provide evidence of their entitlement to act on behalf of the individual.

FAQ on GDPR personal data

What is not personal data under GDPR?

Non-personal data can be categorized as data that does not relate to an identified or identifiable natural person. For instance, anonymized data that cannot be attributed to a person is non-personal data. Other examples of data not considered personal data include corporate email addresses (such as info@company.com), and company registration numbers. 

Are emails personal data?

Yes, an email address most often clearly points to a particular individual and is, therefore, personal data. This is especially true for a work email address, which typically includes the person’s first/last name and where they work.

Is name personal data?

Yes, as per GDPR, an individual’s name is personal data. However, it may not always be considered personal data. The UK’s ICO explains: “By itself the name John Smith may not always be personal data because there are many individuals with that name.”

What is the processing of personal data?

GDPR defines processing very broadly: it includes any operation performed on personal data, whether automated or not. As per GDPR, processing includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.