What are personal data?

The privacy law General Data Protection Regulation (GDPR) gives the following definition of personal data: ‘any information relating to an identified or identifiable natural person’. This means that information is either directly about someone, or can be traced back to this person.

On this page

The definition of personal data can be found in Article 4, paragraph 1 GDPR.

Examples of personal data

There are many kinds of personal data. Obvious personal data are someone's name, address, telephone number, and passport photo. But personal data are also, for example, information about what someone buys on the Internet, whether someone has allergies, and images of a security camera in which someone can be recognised. 

Some personal data are directly about someone (direct personal data). In addition, there are data that are not directly about someone, but can be traced back to that person (indirect personal data). In that case, it concerns data that in combination with other data say something about a person. For example, an IP address can be a personal data. 

No personal data

The following data are not personal data according to the GDPR:

  • data about organisations (legal entities);
  • data of dead persons. 

This means that the GDPR does not apply to these data unless the information also says something about a (natural) person.

Information about a legal entity

Information about a legal entity can also say something about a natural person. For example, if:

  • the name of the legal entity has been derived from the name of a natural person;
  • the email address of a company is used by a specific employee only;
  • information about a small company also says something about the owner's behaviour.

In such case, they are personal data. And the GDPR applies to them.

Information about a dead person

Data about a dead person can also say something about a living person. For example, in the case of a hereditary disease. Then they are personal data of the living person. And the GDPR applies to them. 

This may, for example, play a role in the case of a family tree on the Internet. Are diseases mentioned there that killed people? Then that information may also apply to the surviving relatives. In that case, the information may only be published on the Internet if the surviving relatives have given consent for this. Also see: Removing data from a website.

Want to know more about when data about legal entities and dead persons are personal data? Read chapter 3.4 of the Opinion 4/2007 on the concept of personal data of the European data protection authorities.

Special categories of personal data

The GDPR makes a distinction between ‘ordinary’ and ‘special’ personal data (the literal term in the GDPR is: ‘special categories of personal data’).

Special categories of personal data are data that are so privacy-sensitive that processing of these data may have a (more) significant impact on someone. That is why special categories of personal data are given extra protection in the GDPR. This can be found in Article 9 GDPR.

Strict requirements apply for processing special categories of personal data. The bottom line is that processing of special categories of personal data is prohibited, unless a statutory exception applies. You can read more about this at Special rules for special categories of personal data.

The GDPR regards the following personal data as special personal data:

  • Personal data from which someone's race or ethnic origin is apparent.
  • Personal data from which someone's political opinions are apparent.
  • Personal data from which someone's religious or philosophical convictions are apparent.
  • Personal data from which trade union membership is apparent.
  • Data about someone's health.
  • Data about someone's sexual behaviour or sexual orientation.
  • Genetic data. 
    Genetic personal data give unique information about someone's physiological health and/or the health of family members. This makes the information so sensitive. In practice, this particularly concerns information about heredity and genetic features that is the result of a biological sample. For example, information from DNA analysis.
  • Biometric data (intended for the unique identification of a person).
    Biometric personal data are personal data that are the result of a specific technical processing of someone's characteristics, which enables unique identification of that person. For example, a fingerprint scan, facial recognition, an iris scan or a digital voice recording.

Criminal data are not special personal data

Criminal data are highly sensitive personal data too, but they do not fall under the term ‘special categories of personal data’ according to the GDPR. Special rules apply for the processing of criminal data, though. 

BSN is not a special personal data

According to the GDPR, a national personal identification number is not a special personal data either. But the EU Member States may set their own requirements to the processing of such number. In the Netherlands, this is the citizen service number (BSN). The GDPR Implementation Act contains rules for the use of the BSN.

Sensitive personal data

The GDPR states explicitly that special categories of personal data and criminal data are so sensitive that they require special rules. But these are not all the data that may be sensitive.

There are also data that have not been named explicitly as sensitive in the GDPR, but have a bigger impact on someone's privacy than ordinary personal data. We call these data sensitive personal data.

Personal data that generally are considered privacy-sensitive are:

  • data about electronic communication;
  • location data;
  • financial data (such as income or buying patterns);
  • the citizen service number (Dutch BSN).

Sensitive data are not a separate category in the GDPR. As a result, there is no complete list of sensitive personal data.

Criminal data

Criminal data are data relating to:

  • Criminal convictions and offences. This includes both convictions and possibly well-founded suspicions. This means that there are concrete indications that someone has committed a criminal offence.
  • Related security measures. By this we mean personal data related to a ban imposed by the court because of unlawful or disruptive conduct.

Criminal data are called 'personal data relating to criminal convictions and offences' in the GDPR. 

There are special rules for processing of criminal data. These can be found in Article 10 GDPR. In addition, the Dutch GDPR Implementation Act gives a number of important general regulations for possibilities of processing criminal data.

Protection of personal data

The protection of privacy is a fundamental right, with a somewhat broader scope than merely that of processing personal data. This right has been arranged in:

  • Article 10, paragraph 1 of the Constitution
  • Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR)
  • Article 7 of the Charter of Fundamental Rights of the European Union
  • Article 17 of the International Covenant on Civil and Political Rights (ICCPR)

In addition:

  • an explicit right to protection of personal data has been included in Article 8 of the Charter;
  • there is a convention of the Council of Europe that specifically pertains to personal data processing;
  • Article 10, paragraphs 2 and 3 of the Constitution requires that legislation for the protection of personal data applies in the Netherlands.

In the Netherlands, this legislation consists of the GDPR and the GDPR Implementation Act and the Directive on data protection in the law enforcement sector, implemented in the Police Data Act (Wpg) and the Judicial Data and Criminal Records Act (Wjsg).