Any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade- union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence).
Data from which no individuals can be identified or re-identified. These are outside the scope of GDPR.
Data that is altered in such a way that no individuals can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified. The key should be stored separately from the pseudonymous data. Pseudonymizing data can be a way to comply with the "Privacy by design / default" requirement.
A freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. Displaying pre-checked checkboxes and forcing customers to uncheck these, in order to revoke consent is not allowed, since this is no longer a clear affirmative action.
Anything that is done to, or with, personal data (such as collecting, storing, deleting)