Which people belong in the UR category

GDPR Personal data

The concept of personal data is the gateway to the application of the General Data Protection Regulation and is defined in Art. 4 No. 1. According to this, this is all information that relates to an identified or identifiable natural person.

Those affected can be identified if they can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical, physiological , genetic, psychological, economic, cultural or social identity of these natural persons. In practice, this includes all data that is or can be assigned to a person in any way. For example, a person's telephone number, credit card or personnel number, account details, license plate number, appearance, customer number or address are personal data.

Since the definition includes the term “all information”, it can be assumed that the term “personal data” should be interpreted as broadly as possible. This is also evident from the constant case law of the European Court of Justice. Less unambiguous information such as records of working hours, which contain information about the time at which an employee begins and ends his working day, as well as the breaks or times that do not fall within the working hours, also fall into the category of personal data. The written answers of a candidate and any comments by the examiner on these answers are also "personal data" if the candidate can be theoretically identified. The same applies to IP addresses. If the processor has the legal option to oblige the provider to provide additional information that can identify the user behind the IP address, this is personal data. In addition, it must be ensured that not only objective information can be personal. Subjective information such as opinions, assessments or assessments can also be personal data. For example, the assessment of a person's creditworthiness or the assessment of the work performance of an employee.

Last but not least, the law states that the information for a personal reference must relate to a natural person. Conversely, this means that data protection does not apply to information about legal entities such as corporations, foundations and institutions. For natural persons, however, protection begins and ends with their legal capacity. Basically, a person acquires this ability when he is born and loses it when he dies. For a personal reference, data must therefore be assigned to specific or identifiable living persons.

In addition to general personal data, the special categories of personal data are particularly relevant, as they enjoy a higher level of protection. These include genetic, biometric and health data, as well as personal data, from which the racial and ethnic origin, political opinions, religious or ideological convictions or the trade union membership of the person concerned can be derived.

External links


  • Data Protection Authority Bavaria ► Special categories of personal data - Art. 9 GDPR (Link)
  • Data protection authority North Rhine-Westphalia ► What are personal data? (Link)
  • Data protection conference DSK ► Short paper No. 17 - Special categories of personal data (Link)
  • EU Commission ► What are personal data? (Link)
  • EU Commission ► Which personal data are considered sensitive? (Link)
  • European Data Protection Supervisor ► Security Measures for Personal Data Processing (Link)
  • Data Protection Authority Isle of Man ► Know your data - Mapping the 5 W’s (Link)
  • Data Protection Authority UK ► Key definitions (Link)

Technical articles

  • ZENDAS ► What are personal data? (Link)
  • Dr. Data protection ► Personal data: definition and practical examples (link)