Personal data is any information relating to an identified or identifiable natural person (the 'data subject'). A person is identifiable if they can be singled out directly — by name, ID number, or email — or indirectly, by combining quasi-identifiers such as age, ZIP code, and occupation. Under GDPR Article 4(1) — the most globally influential definition — personal data spans four tiers: (1) Direct identifiers: name, national ID, passport number, email address, phone number. (2) Quasi-identifiers: date of birth, gender, ZIP code, IP address, device ID, location data — individually non-identifying but identifying in combination. (3) Sensitive/special category data: health records, biometric data, genetic data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation (GDPR Article 9) — requires heightened protection and an explicit additional lawful basis. (4) Inferred/derived data: behavioral profiles, credit risk scores, health predictions — generated by analysis of other personal data; increasingly regulated under the EU AI Act and US state privacy laws. Personal data governance is the organizational capability to identify, classify, inventory, and manage all such data across its full lifecycle — from collection through deletion or anonymization — while maintaining lawful basis, honoring data subject rights, and controlling cross-border flows.
Where it stops · what it isn't
- —IS personal data: any information — regardless of format (digital, paper, audio, video) — that can identify a living natural person, directly or indirectly, including through combination with other data reasonably available to the controller.
- —IS personal data: metadata (IP addresses, timestamps, device identifiers, cookies) where linkage to a real person is possible — confirmed by the CJEU in Breyer v. Germany (2016).
- —IS personal data: inferred or derived data (e.g., a predicted health risk score derived from behavioral patterns), increasingly recognized under the EU AI Act and US state privacy laws.
- —IS NOT personal data: truly anonymous data — where re-identification risk has been irreversibly eliminated to a standard regulators accept. The EDPB Opinion 05/2014 sets a very high bar; most datasets described as 'anonymized' fail this test.
- —IS NOT personal data: information about legal entities (companies, organizations) — GDPR and most frameworks protect natural persons only.
- —IS NOT personal data: deceased persons' data under GDPR, though some national laws (e.g., France) extend protections.
- —BOUNDARY CASE: Pseudonymized data — where names are replaced with tokens but a re-identification key exists — IS still personal data under GDPR Recital 26.
- —SCOPE LIMIT: 'Personal data' definitions vary by jurisdiction — CCPA uses 'personal information'; PIPEDA uses 'personal information about an identifiable individual'; LGPD uses 'dado pessoal'. This cubelet is GDPR-centric; governance principles apply cross-jurisdictionally.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OFPrivacy Governance Domain (ISACA CDPSE Domain 1)
REQUIRESLawful Basis for Processing (GDPR Article 6)Data Subject Rights Management (GDPR Articles 12–22)Third-Party / Vendor Data Processing Agreements (DPAs)
ENABLESPrivacy Risk Assessment and DPIACross-Border Data Transfer Governance (SCCs, BCRs, Adequacy Decisions)
RELATED TOPrivacy by Design and Default (GDPR Article 25)Information Security Governance and Data Classification
CONSTRAINSData Retention and Storage Limitation Policies