What are personal data?

In order to know whether you should comply with the GDPR in your research project, the first question to answer is: do you process personal data? To answer this question, we need to know: (1) What exactly are personal data, and (2) how do you know if you are working with personal data in your research?

Definition of personal data

According to the GDPR, personal data are “any information relating to an identified or identifiable natural person” (art. 4(1)):

  • Natural person: Data by themselves (numbers, text, pictures, audio, etc.) are not inherently personal. They only become personal when they refer to or relate to a living individual. When data refer to an organisation, deceased person, or group of individuals, they are not considered personal data under the GDPR.
  • Data are personal if they relate to an individual. This means practically anything that someone is, has said or done, owns, may think, etc.
  • The person should be identified or identifiable. This is the case not only through directly identifying information, such as names and contact information, but also through indirectly identifying information, for example if you can single someone out or identify them by combining datasets (see the next page).

Utrecht University logo

Data Privacy Handbook

The information presented here is provided as is, with no guarantees of accuracy or completeness. For the most up-to-date information, please refer to your privacy officer, the university website or intranet. We cannot be held responsible for any negative consequences due to incorrect interpretation or use, and inconsistencies with policies/views of other institutions.

💡 Give feedback about this page | Privacy policy