CIPP/E Study Guide
Ch 4.2 - Personal data

Personal Data and Its Four Building Blocks

Personal data is any information relating to an identified or identifiable natural person (the 'data subject'). The definition is intentionally broad. The Article 29 Working Party's Opinion 4/2007 breaks it into four building blocks: 'any information', 'relating to', 'an identified or identifiable', and 'a natural person'. 'Any information' is broad in nature (objective and subjective statements - and information need not be true), content (private and professional life alike, including online identifiers) and format (paper, electronic, audio, CCTV - manual data count if they form part of a filing system).

The GDPR defines personal data as any information relating to an identified or identifiable natural person. The EU deliberately aimed for a wide notion, far broader than many U.S. state breach laws, so even a tenuous link to an identifiable person can bring information within scope.

The four building blocks of 'personal data' (WP29 Opinion 4/2007)
Building block | What it means
'Any information' | Any statement - objective or subjective - in any content or format; need not be true
'Relating to' | Information must be about the individual (via content, purpose or result element)
'Identified or identifiable' | The person is known, or is reasonably likely to be identified, directly or indirectly
'Natural person' | A living human being; legal persons (companies) are excluded

'Any information' - nature, content and format
Aspect | Scope | Example
Nature | Objective and subjective statements; information need not be true | 'Head of IT' (objective); 'a good worker who merits promotion' (subjective)
Content | Private and professional/public life; includes online identifiers | Work contact details; IP address, cookie, RFID tag (Recital 30)
Format | Any form - automated or manual; manual data only if part of a filing system | Paper clinic notes, bank records, recorded calls, CCTV images

Common trap

Information does not have to be true to be personal data. A false statement about a person is still their personal data. Likewise, professional and work contact details count - personal data is not limited to private life.

Key terms - quick answers

What is “personal data”?
Any information relating to an identified or identifiable natural person (the data subject) - Article 4(1) GDPR.
What is a “data subject”?
The identified or identifiable natural person to whom personal data relate.
What is the “Article 29 Working Party”?
WP29 - the advisory body of EU data protection authorities under the Directive; its Opinion 4/2007 set out the four building blocks of personal data. Replaced by the EDPB.
What is a “filing system”?
A structured set of personal data accessible according to specific criteria; manual (non-automated) records are only caught by the GDPR if they form part of one.