Definition of Personal Data
Under European Data Protection Law, specifically the General Data Protection Regulation (GDPR), personal data is defined in Article 4(1) as any information relating to an identified or identifiable natural person, referred to as the 'data subject.' An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. This definition is intentionally broad and encompasses several key elements. First, 'any information' means the data can be objective (such as a person's height or blood type) or subjective (such as opinions or assessments about a person). Second, 'relating to' establishes a link between the information and the individual, meaning the data must concern, be about, or have an impact on that person. Third, 'identified or identifiable' means that direct identification is not necessary; if there is a reasonable possibility of identifying the individual through additional information or cross-referencing, the data still qualifies as personal data. Fourth, 'natural person' limits the scope to living individuals, excluding deceased persons and legal entities such as corporations. The GDPR also recognizes special categories of personal data under Article 9, including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation. These categories receive heightened protection due to their sensitive nature. Pseudonymized data, where identifiers are replaced with artificial ones, still qualifies as personal data because the individual can potentially be re-identified. However, truly anonymized data, where identification is irreversibly prevented, falls outside the GDPR's scope. Understanding the breadth of this definition is crucial for compliance, as it determines when data protection obligations apply to organizations processing information within the European Economic Area.
Definition of Personal Data – A Comprehensive Guide for CIPP/E Exam Preparation
Why Is the Definition of Personal Data Important?
The definition of personal data is the gateway concept of European data protection law. It determines the scope of application of the General Data Protection Regulation (GDPR) and virtually every other European data protection instrument. If information does not qualify as personal data, the GDPR simply does not apply. Conversely, if it does qualify, a full suite of obligations, rights, and enforcement mechanisms is triggered. Getting this definition right is therefore critical for:
• Compliance: Organisations must know whether the data they process falls within scope so they can apply the correct legal framework.
• Risk management: Misclassifying data can lead to regulatory fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
• Exam success: The CIPP/E exam frequently tests candidates on boundary cases—pseudonymised data, online identifiers, IP addresses, employee numbers—all of which hinge on the definition.
What Is Personal Data?
Article 4(1) GDPR defines personal data as:
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
This definition contains four building blocks that you must understand individually:
1. "Any information"
This is interpreted extremely broadly. It covers:
• Objective facts (date of birth, blood type, salary)
• Subjective opinions (performance appraisals, credit ratings)
• Any format: text, images, audio, video, biometric templates, metadata, CCTV footage
• Both true and false information about a person
2. "Relating to"
Information relates to a person when it is about that person, or when it can be used to evaluate, treat, or influence that person. The Article 29 Working Party (now EDPB) Opinion 4/2007 identified three alternative elements to assess the "relating to" criterion:
• Content: The information is about the individual (e.g., medical records).
• Purpose: The data is used or likely to be used to evaluate or affect the individual.
• Result: The use of the data has or is likely to have an impact on the individual's rights or interests.
If any one of these three elements is satisfied, the data "relates to" the individual.
3. "Identified or identifiable"
• Identified: The person is already distinguished from the group (e.g., by name or photograph).
• Identifiable: There is a reasonable possibility that the person could be identified, directly or indirectly. This is the more complex part.
Recital 26 GDPR clarifies the identifiability test: account should be taken of all the means reasonably likely to be used by the controller or any other person to identify the natural person. This includes consideration of:
• The cost of identification
• The time required
• Available technology at the time of processing
• Technological developments
Direct identification – singling out through a single piece of data (e.g., full name, national ID number).
Indirect identification – combining multiple data points (e.g., date of birth + postcode + gender may identify a person in a small community).
4. "Natural person"
The GDPR protects only living individuals. It does not apply to:
• Deceased persons (though Member States may enact separate rules)
• Legal persons (companies, associations). However, information about a one-person company may simultaneously be personal data of the individual behind it.
Key Concepts Related to the Definition
Pseudonymised Data
Pseudonymisation (Article 4(5) GDPR) means processing personal data so that it can no longer be attributed to a specific data subject without the use of additional information, provided that additional information is kept separately. Pseudonymised data remains personal data because re-identification is still possible. It is encouraged as a security measure and can help with data-protection-by-design, but it does not remove data from the GDPR's scope.
Anonymous Data
Truly anonymised data—where re-identification is no longer reasonably possible—falls outside the scope of the GDPR (Recital 26). The threshold for anonymisation is high: no party, using all means reasonably likely to be used, should be able to re-identify the individual.
Online Identifiers
Recital 30 GDPR explicitly states that IP addresses, cookie identifiers, RFID tags, and other online identifiers may be combined with other information to create profiles and identify individuals. The CJEU confirmed in Breyer v. Bundesrepublik Deutschland (C-582/14) that even dynamic IP addresses can constitute personal data when the controller has legal means to obtain additional data enabling identification.
Special Categories of Personal Data (Article 9 GDPR)
Certain types of personal data receive heightened protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (when processed for unique identification), health data, and data concerning sex life or sexual orientation. Processing these categories is prohibited unless a specific exception applies.
How the Definition Works in Practice
Step-by-step, when determining whether data is personal data:
Step 1: Is there information? (Almost always yes—any content or metadata qualifies.)
Step 2: Does the information relate to a natural person? Apply the content/purpose/result test.
Step 3: Is that natural person identified or identifiable? Consider all means reasonably likely to be used by the controller or any other person. Consider technological developments, cost, and available additional data.
Step 4: Is the individual a living natural person?
If all four elements are met, the GDPR applies, and all obligations (lawful basis, transparency, data subject rights, security measures, breach notification, DPIAs, etc.) are triggered.
Landmark Case Law
• Breyer v. Bundesrepublik Deutschland (CJEU, C-582/14, 2016): Dynamic IP addresses are personal data for a website operator when the operator has legal means (e.g., through law enforcement cooperation) to obtain the subscriber's identity from the ISP.
• Nowak v. Data Protection Commissioner (CJEU, C-434/16, 2017): Exam scripts and examiner comments constitute personal data of the candidate.
• YS and Others (CJEU, Joined Cases C-141/12 and C-372/12, 2014): A legal analysis in an administrative document contains personal data about the applicant to the extent it concerns information relating to that person.
• Lindqvist (CJEU, C-101/01, 2003): Mentioning people by name on a website constitutes processing of personal data.
Common Exam Scenarios and How to Approach Them
• Employee ID numbers: Personal data—they single out an individual within the organisation.
• Encrypted data: Still personal data if the key exists and re-identification is reasonably possible.
• Statistical/aggregated data: Not personal data if the aggregation is genuine and individuals cannot be singled out. But be cautious: small sample sizes or unique combinations may still allow identification.
• Vehicle registration plates: Personal data, as they can be linked to the registered keeper.
• CCTV footage: Personal data if individuals are recognisable or identifiable.
• Genetic and biometric data: Personal data; also special category data when used for unique identification.
Exam Tips: Answering Questions on Definition of Personal Data
Tip 1: Know the four building blocks. When a question asks whether something is personal data, systematically check: (a) any information, (b) relating to, (c) identified or identifiable, (d) natural person. Many questions test just one of these elements.
Tip 2: Pay close attention to identifiability. The exam loves grey-area scenarios—pseudonymised datasets, coded data, dynamic IPs. Always apply the Recital 26 reasonableness test: consider the means reasonably likely to be used, not just those available to the data controller alone.
Tip 3: Remember Breyer. If a question involves IP addresses or online identifiers, the Breyer judgment is almost certainly relevant. Know the reasoning: even if the website operator cannot alone identify the user, the existence of legal channels to obtain additional data (e.g., from an ISP) means identification is reasonably likely.
Tip 4: Distinguish pseudonymisation from anonymisation. This is one of the most commonly tested distinctions. Pseudonymised data = still personal data = GDPR applies. Anonymous data = not personal data = GDPR does not apply. The exam may present a scenario and ask you to classify the data; look for whether a re-identification key or additional information exists somewhere.
Tip 5: Don't forget the "relating to" element. Some questions test whether data about an object (e.g., a house's value, a car's location) is also personal data of a person. Apply the content/purpose/result test from WP29 Opinion 4/2007.
Tip 6: Legal persons vs. natural persons. Company data is generally not personal data. But watch for sole traders or one-person companies—information about the company may simultaneously be personal data about the individual.
Tip 7: Deceased persons. The GDPR does not cover deceased individuals (Recital 27), but Member States may legislate on this. If the question is about GDPR scope, deceased persons are excluded.
Tip 8: Read the question carefully for qualifiers. Words like "always," "never," "only," or "may" are significant. The definition of personal data is deliberately broad, so absolute statements ("X is never personal data") are usually incorrect.
Tip 9: Special categories. If the scenario involves health data, biometric data, or other Article 9 categories, recognise that these are personal data and subject to additional restrictions. The question may be testing whether you know the extra layer of protection.
Tip 10: Practice with real-world examples. The CIPP/E exam is scenario-based. Familiarise yourself with cases like Nowak (exam scripts), Breyer (dynamic IPs), and Lindqvist (names on a website) so you can quickly recognise the principle being tested.
Summary Checklist for Exam Day
✓ Four elements: any information + relating to + identified/identifiable + natural person
✓ Recital 26: "means reasonably likely to be used" test for identifiability
✓ Pseudonymised ≠ anonymous; pseudonymised data is personal data
✓ Online identifiers (IPs, cookies) can be personal data (Breyer)
✓ Exam scripts are personal data (Nowak)
✓ Content/Purpose/Result test for "relating to" (WP29 Opinion 4/2007)
✓ Special categories of data require Article 9 exceptions
✓ GDPR covers living natural persons only
✓ Broad interpretation is the default—when in doubt, it is likely personal data