Ch 4.2.4 - 'Natural person'

Natural Person, Deceased Persons and PII

Personal data protects natural persons (living humans) universally, regardless of nationality or residence (subject to Article 3 territorial scope). The GDPR does not define 'natural person' - that is left to member state law. Per Recital 27, the GDPR does not apply to the personal data of deceased persons, although member states may make their own rules in this area. Watch the terminology: PII ('personally identifiable information') is not a GDPR term and cannot be assumed to mean the same as personal data.

Protection applies to natural persons universally - any nationality or residence - subject to Article 3 territorial scope.
The GDPR does not define 'natural person'; that is left to member state legislation.
By Recital 27, the GDPR does not apply to deceased persons - but member states may legislate for this area.
PII is not a GDPR term; a U.S. site may state it collects no PII because it does not treat IP addresses as PII, while those IPs may still be personal data under the GDPR.

Deceased persons

The GDPR itself does not cover the data of deceased people (Recital 27), but this is a point member states can regulate - so national rules may still protect such data. Do not say 'dead people have no data protection' without that caveat.

Key terms - quick answers

What is “natural person”?

A living human being. Personal data protects natural persons; the GDPR leaves the precise definition to member state law.

What is “Recital 27”?

States the GDPR does not apply to the personal data of deceased persons, though member states may provide rules for it.

What is “PII”?

Personally identifiable information - a U.S.-style term not defined in the GDPR; it cannot be assumed to mean the same as 'personal data'.

← Identifiability, Anonymisation and Pseudonymisation Special Categories of Personal Data →