Rules & Requirements —
What Counts as Personal Data Under GDPR?
GDPR defines personal data as any info that identifies a person—names, IDs, biometrics, IPs — directly or indirectly.
Share this article
What Counts as Personal Data Under GDPR
Here's the thing most lists of "personal data examples" miss: GDPR doesn't treat all personal data the same. There's regular personal data, and there's a stricter tier called "special category data" that needs extra justification just to process at all. Health information and biometric data — both common items on a typical list — aren't just "more sensitive examples." They're legally a different category with their own rules.
The Basic Definition
Personal data is any information that can identify a specific person, directly or indirectly. That's broader than people assume. It's not just names and emails — it includes:
Names, email addresses, phone numbers
ID numbers (national ID, tax ID, passport numbers)
Location data and IP addresses
Online identifiers like cookies and device IDs
Financial data
Any combination of data points that, put together, can identify someone
That last one matters more than it looks. A single data point might not identify anyone on its own, but stack enough of them together — browser type, rough location, login times, language preference — and suddenly you've got something that points to one specific person. GDPR treats that combination as personal data too, even though no individual piece would.
Special Category Data: A Stricter Tier
Article 9 carves out nine specific categories that get extra protection, because misusing them can lead to real discrimination or harm:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data used to identify someone
Health data
Sex life information
Sexual orientation
Processing any of these is prohibited by default. You need a specific legal basis to do it at all — usually explicit consent, and GDPR sets a high bar for what counts as "explicit" here. It has to be a clear, specific statement about that exact category of data. Burying it in a general terms-and-conditions checkbox doesn't count.
The Part Almost Nobody Thinks About: Inferred Sensitive Data
Here's where it gets genuinely tricky. You don't have to directly collect someone's political opinions or religious beliefs for that data to count as special category data. If you can reasonably infer it from something else, that counts too.
Financial transaction data is the clearest example. A pattern of donations to a political party or a church reveals political or religious leaning, even if "political opinion" was never a field in your database. Regulators have made clear this kind of inference still counts as processing special category data — and it doesn't matter whether the inference is even accurate. If your system is effectively sorting people by likely religion or politics based on spending patterns, you're in Article 9 territory whether you meant to be or not.
Pseudonymization Isn't the Same as Anonymization
This mix-up causes real compliance problems. Pseudonymized data — where you've swapped out names for codes but kept a key somewhere to link back — is still personal data under GDPR. All the same rules apply. Genuinely anonymized data, where there's no way to ever link it back to a person, falls outside GDPR entirely.
A lot of companies think they've "anonymized" data when they've actually just pseudonymized it. If that re-identification key exists anywhere — even locked away and rarely used — GDPR still applies to that data.
Why Getting the Scope Right Matters
Misjudging what counts as personal data causes problems both ways. Treat something as personal data when it isn't, and you're adding unnecessary compliance overhead to data the law doesn't even reach. Miss that something actually is personal data — especially special category data hiding inside something that doesn't look sensitive, like spending patterns — and you've got a real, unaddressed gap that a regulator could flag.
Where This Connects to Other Frameworks
Getting your data inventory right here is foundational work that also pays off for ISO 27001 and SOC 2 — both expect you to know exactly what sensitive data you're holding and where it lives before you can build the right controls around it. Scope this once, well, and the other frameworks get easier to layer on top.
In the Spotlight

Start your GDPR compliance journey with DSALTA's complete checklist.
The General Data Protection Regulation (GDPR) is Europe’s core privacy law, shaping how organizations collect, process, and protect the personal data of EU residents. Non-compliance can result in heavy fines, reputational damage, and loss of customer trust.
GDPR can feel complicated with its broad scope and strict requirements, but DSALTA® makes it manageable. With automated evidence collection, continuous monitoring, and AI- driven risk insights, you can maintain compliance without drowning in manual work. Use this checklist to guide your GDPR journey.
Read more about GDPR compliance with DSALTA.
Stop losing deals to compliance.
Get compliant. Keep building.
Join 100s of startups who got audit-ready in days, not months.




