Which of the following is considered personal data under GDPR?

The focus of the General Data Protection Regulation (GDPR) is on the protection of personal data, which is defined as any information that relates to an identified or identifiable natural person. This means that for data to be categorized as personal data under GDPR, it must have the capacity to directly or indirectly identify an individual.

Information that can identify a living individual is therefore considered personal data. It encompasses not only names and identification numbers but also any data that could be used to pinpoint an individual’s identity when combined with other available data. This broad definition ensures that various forms of data that could lead to identifying a person are covered under the regulation.

In contrast, a company's financial records do not pertain to individual people in the context of personal data because they relate to the organization rather than individual identities. Similarly, anonymous data without identifiers, by definition, cannot be linked to any individual and therefore is not classified as personal data under GDPR. Data that is already publicly available can still be personal data if it can identify an individual—it is the context and potential to identify a person that matters under the GDPR framework. Thus, the correct identification of information that can pinpoint an individual is essential in understanding what constitutes personal data.