Definition · Plain-language
Personal data (GDPR)
Personal data is the EU GDPR term for any information relating to an identified or identifiable natural person — a deliberately broad definition set out in Article 4.
The step most authors miss
Doing CRediT right? Don’t stop at the statement.
A CRediT statement credits you inside one paper. The recognition CRediT was built for happens when those roles are tied to you, persistently. Sign in with your ORCID — free — and claim your CRediT contributions on casrai.org, the home of the standard. They become a verified, portable part of your identity, not a line that disappears into one PDF.
Free: claim your contributions, then export a journal-ready CRediT statement, schema.org structured data, JATS XML, CSV or BibTeX — and preview your public profile. A membership publishes that profile publicly and verifies the journals you serve.
The Article 4 definition
Under GDPR Article 4, personal data is any information relating to an identified or identifiable natural person, called the data subject. An identifiable person is one who can be singled out directly or indirectly — for example by reference to a name, an identification number, location data, an online identifier such as an IP address or cookie, or factors specific to their physical, genetic, economic, cultural or social identity. The phrase “relating to” is interpreted broadly, so even seemingly innocuous data can be personal data when it concerns a person.
Broader than US PII
Personal data is generally wider in scope than the US notion of personally identifiable information. Online identifiers, location traces and indirect attributes are explicitly within scope, and the test is whether a person can be identified rather than whether a specific identifier is present. Special category data — such as health, biometric or ethnicity information — is a sub-set that attracts extra protection under Article 9. Understanding this breadth matters when datasets cross jurisdictions, because data that escapes one regime may be regulated under another.
Personal data in research
Research projects frequently process personal data through recruitment, consent and the data they collect. Recognising data as personal triggers the principles and accountability duties that run through GDPR, and shapes how data can be stored, shared and reused. Anonymised data — where individuals can no longer reasonably be identified — generally falls outside the definition, which is why anonymisation and pseudonymisation are such important tools for open and FAIR research-data sharing.
Key facts
At a glance
- Definition: any information relating to an identified or identifiable person
- Source: GDPR Article 4(1)
- Region: EU/UK term (contrast US “PII”)
- Scope: includes online identifiers, location data, indirect attributes
- Sub-set: special category data (Art. 9) gets extra protection
- Excluded: truly anonymised data falls outside the definition
Common misconceptions
What people often get wrong
Often heard: Personal data only covers things like name, address and date of birth.
Actually: GDPR defines personal data broadly to include online identifiers, IP addresses, location data and any factor that can single out a person directly or indirectly — far wider than a fixed list of fields.
Often heard: Personal data and PII are interchangeable terms.
Actually: They overlap but differ. Personal data is the EU GDPR concept and is generally broader, whereas PII is the US-originated term. Data outside US PII may still be EU personal data.
Often heard: Pseudonymised data is no longer personal data.
Actually: Pseudonymised data remains personal data under GDPR because it can be re-linked to a person using the separate key. Only genuinely anonymised data falls outside the definition.
