What Counts as Personal Data Under GDPR?

Under the General Data Protection Regulation (GDPR), personal data refers to any information related to natural persons that can identify them either directly or indirectly. The term is defined in Article 4(1). Personal data refers to any information that pertains to an identified or identifiable natural person. This includes data processed through automated means or data that is part of a filing system.

Personal data includes a wide range of identifiers. The most straightforward examples include names, identification numbers, location data, and online identifiers like IP addresses and cookie identifiers. It’s important to note that a combination of these identifiers can also help distinguish an individual from others, meaning that you don't always need a person's name to classify information as personal data.

Additionally, personal data may include sensitive categories such as special data types or information related to criminal convictions. This kind of data is subject to stricter processing requirements. 

It's essential to understand that anonymised data, which cannot be traced back to an individual, is not subject to GDPR. Furthermore, information about deceased individuals and data related to companies or public authorities do not count as personal data either. However, data about individuals acting as sole traders or in specific roles, such as employees or directors, may still be considered personal data if it can identify them as individuals.