What is personal data under the GDPR?

The General Data Protection Regulation (2016/679 EU) (GDPR) defines personal data as "any information relating to an identified or identifiable natural person" (ie an individual rather than, for example, a company). It covers data from which someone can be identified directly or indirectly, in particular by reference to:

  • an identifier such as a name, an identification number, location data or an online identifier (such as an IP address); or
  • factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

The GDPR covers personal data that is stored in a manual filing system if it is accessible according to specific criteria, for example where it is ordered chronologically or alphabetically.