Under the GDPR, personal data is defined as any information relating to an identified or identifiable natural person (the data subject). A person is considered identifiable if they can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
The broad scope of this definition means that many types of data that organisations routinely process qualify as personal data, including IP addresses, cookie identifiers, device fingerprints, and pseudonymised data where re-identification remains possible. Understanding what constitutes personal data is the essential first step in GDPR compliance, as it determines which processing activities fall under the regulation's requirements for lawful basis, transparency, and data subject rights.