What is Personal Data under the GDPR?

This is an INEXHAUSTIVE list of what may be considered as personal data. The definition of personal data is deliberately wide. Personal Data is not the same as PII. Personal Data is contextual too. It is direct and indirect, identified and identifiable, given the context.

For example, a person in a crowd in a photo may not be personal data but that person is still identifiable to someone, their friends, neighbours, colleagues etc. Just because they are not identifiable to you and in the context does not mean it is not personal data. With personal data, you must think of how it can become identifiable not just if it is currently identifiable. Not identifiable with the data in hand but with combination of other data  or context you or someone may have now and in the future.  And just because in your processing the person cannot  be identified does not make the data not personal. It is still personal but the risk of identification is not there at that point in time. Therefore, if you are not sure, you should carry out a DPIA to understand the risk.

This list will be updated and we welcome your suggestions and assistance in providing a more improved and complete list.

Special Categories of data is denoted with (SC). 

Personal Data TypePersonal Data
Personal InformationFull name (if not common)
Name, such as full name, maiden name, mother‘s maiden name, or alias
Date of Birth
Place of Birth

Name, such as full name, maiden name, mother‘s maiden name, or alias
Full Home Address
Country, state, postcode or city of residence
Marital Status
Telephone numbers, including mobile, business, and personal numbers
Information identifying personally owned property, such as vehicle registration
Personalised vehicle number plates
Number or title number and related information
Passport Number
Residence and geographic records
Digital footprint
Digital Identities, such as avatars, usernames/handles, Gamer IDs
Email address (if private from an association/club membership, etc.)
Login name, screen name, nickname, or handle
IP addresses (when linked, but not PII by itself in US - it IS in EU)
Geo-Tracking Data, Location-based services
Web surfing behavior or user preferences using persistent cookies
Asset information, such as Internet Protocol (IP) or Media Access Control
(MAC) address or other host-specific persistent static identifier that consistently
links to a particular person or small, well- defined group of people
Medical or Heath Data
NHS number
Sick Days
Information about Sick Leave
Doctor's Visits
Medical Data (SC)
Biological traits, such as genetic material
Fitness Data
Patient Reference Numbers (e.g. Patient Identification Number, Medical ID)
X-rays, fingerprints, or other biometric image or template data (e.g., retina
scan, voice signature, facial geometry)
Biographical Data
Age, if specific
Photographic image (especially of face or other distinguishing characteristic)
Racial or ethnic origin (SC)
Hair Colour
Defining Characteristics
Eye Colour
Biometrics (SC)
Voter record
Employment Data
Social Security Number (SSN) / National Insurance Number
Working Hours / Time Tracking
Salary Information
Job Position
School, College, University, Workplace Names & Addresses
Certificates / Testimonials
Assessments / References
Performance / Appraisals
Tax Information
Student Number
Education Information, including grades
Financial Information
Financial Accounts, Institutions and Transactions
Bank Information
Salary Information
Credit Card Numbers (especially Personal Credit Cards)
Spending Habits, Transaction History, Debt Information
Credit Score
Special Categories
Political opinions (SC)
Religious or other similar beliefs (SC)
Membership of trade unions (SC)
Physical or mental health or condition (SC)
Sexual life (SC)
Convictions, proceedings and criminal acts (SC)
Political opinions (SC)
Ethnicity/Race (SC)
Council tax details