To be considered personal data under the GDPR, data must meet these criteria:
- It must be any information relating to an identified or identifiable natural person (data subject).
- The person can be identified directly or indirectly, for example by name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
- The identification can be through one or more identifiers or characteristics linked to that natural person.
- Personal data includes not only objective information but also subjective data such as opinions, judgments, or assessments related to the individual.
- The data must concern a natural person, meaning a living individual, not a corporate entity.

In summary, personal data under GDPR is broadly defined as any information relating to a living individual who can be identified either directly or indirectly by reference to an identifier or specific factors about their identity.