This guidance discusses determining what is personal data in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding to help you determine what is personal data in practice. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.

If you haven’t yet read ‘What is personal data?’ in the Guide to GDPR, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.

Contents

What is personal data?

What does the GDPR say?

Are there categories of personal data?

What about unstructured paper records?

Is pseudonymised data still personal data?

What about anonymised data?

Is information about deceased individuals personal data?

What about information about companies?

What are identifiers and related factors?

What is identifiability?

What information can be an identifier?

What are online identifiers?

What else can identify an individual?

What if we are still unsure if information is personal data?

Can we identify an individual directly from the information we have?

How do we directly identify someone?

What if we don’t know the individual’s name?

What is the meaning of ‘relates to’?

Does the data ‘relate to’ an identifiable data subject?

Is the content about an individual?

Does the purpose of the processing make information personal data?

Does the data impact, or have the potential to impact, on an individual?

Is data that refers to an identifiable individual, but does not relate to them, personal data?

Is inaccurate information about an individual still personal data? 

Can we identify an individual indirectly from the information we have (together with other available information)?

How do we identify someone indirectly?

What kind of information could allow an individual to be indirectly identified?

Can we identify someone from other information we hold?

Can we or someone else identify an individual from information we hold and they hold?

If there is only a very slight possibility that an individual could be indirectly identified, is it still personal data?

What factors should we consider when assessing the possibility of identification?

What happens when different organisations process the same data for different purposes?