In one sentence. GDPR Article 4 contains the 26 legal definitions that govern the entire regulation — from “personal data” (4(1)) to “international organisation” (4(26)). Every other Article references back to these definitions. Misreading them — for example, confusing “controller” with “processor”, or assuming pseudonymized data is anonymous — is the most common cause of structural compliance failures.
Article 4 is the definitional foundation of the GDPR. It looks dry but it determines who is bound by what. A “controller” under Article 4(7) has different obligations from a “processor” under Article 4(8). “Personal data” under Article 4(1) is much broader than most companies assume. “Pseudonymization” under Article 4(5) reduces risk but doesn’t remove the data from GDPR scope.
For deep-dives: GDPR data controller vs processor, GDPR Article 6 lawful basis, GDPR Articles index.
Key takeaways
- 26 definitions cover the entire GDPR. Reading any other Article correctly requires reference to Article 4.
- “Personal data” (4(1)) is intentionally broad: any information relating to an identified or identifiable natural person.
- “Controller” (4(7)) and “processor” (4(8)) are mutually exclusive for a given processing operation.
- “Pseudonymisation” (4(5)) reduces risk but pseudonymised data remains personal data — still in scope.
- “Consent” (4(11)) is one of the most-litigated definitions — strict criteria for validity.
1. Article 4 — the 26 definitions
| # | Term | Brief definition |
|---|---|---|
| 1 | Personal data | Any information relating to an identified or identifiable natural person |
| 2 | Processing | Any operation performed on personal data |
| 3 | Restriction of processing | Marking stored data to limit future processing |
| 4 | Profiling | Automated processing to evaluate personal aspects |
| 5 | Pseudonymisation | Processing such that data can’t be attributed to a subject without additional information that is kept separately |
| 6 | Filing system | Structured set of personal data accessible by specific criteria |
| 7 | Controller | Determines purposes and means of processing |
| 8 | Processor | Processes personal data on behalf of the controller |
| 9 | Recipient | Natural/legal person who receives personal data |
| 10 | Third party | Anyone other than the data subject, controller, processor, authorised person |
| 11 | Consent | Freely given, specific, informed, unambiguous indication |
| 12 | Personal data breach | Breach leading to destruction, loss, alteration, unauthorised disclosure or access |
| 13 | Genetic data | Data relating to inherited or acquired genetic characteristics |
| 14 | Biometric data | Data resulting from specific technical processing allowing unique identification |
| 15 | Data concerning health | Data relating to physical or mental health |
| 16 | Main establishment | Place of central administration (controller) or main processing place (processor) |
| 17 | Representative | Natural/legal person designated by non-EU controller/processor under Article 27 |
| 18 | Enterprise | Natural or legal person engaged in economic activity |
| 19 | Group of undertakings | Controlling and controlled undertakings |
| 20 | Binding corporate rules | Internal data protection policies binding members of a group of undertakings |
| 21 | Supervisory authority | Independent public authority established by a Member State |
| 22 | Supervisory authority concerned | A supervisory authority involved in cross-border processing |
| 23 | Cross-border processing | Processing in context of multiple establishments OR affecting subjects in multiple Member States |
| 24 | Relevant and reasoned objection | Objection on infringement risks or compliance issues |
| 25 | Information society service | A service provided at distance by electronic means |
| 26 | International organisation | An organisation governed by international public law |
2. The most consequential definitions
Personal data (4(1)) — broader than most assume
Personal data includes:
- Direct identifiers (name, email, phone, address)
- Indirect identifiers (IP address, cookie ID, device ID)
- Pseudonymised data (still personal data)
- Inferred data (profile attributes derived from behavior)
- Photos and videos showing identifiable people
- Voice recordings
- Biometric data
- Location data
- Behavioral data tied to an identifier
The CJEU has confirmed that even IP addresses are personal data (Breyer C-582/14). See the separate piece: is an IP address personal data?
Processing (4(2)) — practically any operation
“Processing” includes: collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, destruction.
Translation: if you’re doing anything with data other than ignoring it, you’re processing it.
Controller vs Processor (4(7) and 4(8))
The most consequential distinction in the GDPR. The controller determines the purposes and means. The processor acts on the controller’s behalf following instructions.
For a given processing activity, a party is either controller or processor — not both. The same entity can be controller for some processing and processor for other processing.
For the full analysis: GDPR data controller vs processor.
Pseudonymisation (4(5)) — risk reduction, not removal
Pseudonymised data:
- Cannot be attributed to a subject without additional information
- That additional information is kept separately and subject to technical and organisational measures ensuring non-attribution
Pseudonymised data remains personal data — still in scope of GDPR. The benefit: a lower risk profile, more favourable balancing tests, and, for some breaches, relief from notification duties.
Contrast with anonymisation (not defined in Article 4 but established in Recital 26): truly anonymous data is outside the scope of GDPR. The bar for anonymisation is high — irreversibly disconnected from any identifier.
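The following is an added illustration (not part of the original page) of the two bullet points above in code: the direct identifier is replaced by a keyed token, and the key is the “additional information” held separately from the dataset. Whoever holds the key can re-attribute a token to a person, which is exactly why the dataset stays personal data; an unkeyed hash is shown alongside it because the only “additional information” it depends on is the hash function itself, so anyone with a list of candidate identifiers can relink it and it falls well short of the Recital 26 bar. Names, records and e-mail addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and addresses are invented.
RECORDS = [
    {"email": "alice@example.com", "country": "FR", "purchases": 3},
    {"email": "bob@example.com", "country": "DE", "purchases": 1},
]


def make_key() -> bytes:
    """The 'additional information' of Art. 4(5): a secret generated and
    stored separately from the pseudonymised dataset (e.g. in a KMS/HSM)."""
    return secrets.token_bytes(32)


def token_for(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the direct identifier."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return a copy of the records with the e-mail replaced by a keyed token.
    The analytics team receives this copy; it never receives `key`."""
    return [
        {
            "subject_token": token_for(r["email"], key),
            "country": r["country"],
            "purchases": r["purchases"],
        }
        for r in records
    ]


def relink(token: str, key: bytes, known_identifiers):
    """Whoever holds the key can re-attribute a token to a person by
    recomputing tokens for identifiers it already holds (e.g. the customer
    table). This re-attribution is why pseudonymised data stays personal data."""
    for ident in known_identifiers:
        if hmac.compare_digest(token_for(ident, key), token):
            return ident
    return None


def unkeyed_token(identifier: str) -> str:
    """Anti-pattern: plain SHA-256 of the identifier with no secret key."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def relink_unkeyed(token: str, known_identifiers):
    """With no key, the 'additional information' is only the hash function,
    which everyone has. Any party holding a list of candidate identifiers can
    re-attribute the token, so this is not anonymisation and barely counts as
    pseudonymisation: nothing is 'kept separately'."""
    for ident in known_identifiers:
        if hmac.compare_digest(unkeyed_token(ident), token):
            return ident
    return None


if __name__ == "__main__":
    key = make_key()
    dataset = pseudonymise(RECORDS, key)
    emails = [r["email"] for r in RECORDS]
    print("no e-mail column:", "email" not in dataset[0])
    # Key holder relinks; a party without the key cannot.
    print(relink(dataset[0]["subject_token"], key, emails))
    print(relink(dataset[0]["subject_token"], make_key(), emails))
    # The unkeyed hash is relinkable by anyone with a candidate list.
    print(relink_unkeyed(unkeyed_token("bob@example.com"), emails))
```

The separation is the whole point: if the key lives next to the dataset, or if the analytics team can call `token_for` with it, the organisational measure in 4(5) is gone and the data is effectively un-pseudonymised for that team. Rotating the key also gives a practical way to retire old tokens without touching the source records.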
Consent (4(11)) — strict validity criteria
Consent must be:
- Freely given — no detriment for refusing
- Specific — one purpose at a time
- Informed — controller, purposes, retention
- Unambiguous — clear affirmative action
- Indicated by a statement or clear affirmative action
For the operational conditions, see GDPR Article 7 consent.
Personal data breach (4(12)) — broader than expected
A “breach” includes any incident leading to:
- Destruction (intentional or accidental)
- Loss (lost USB key, deleted backup)
- Alteration (data corruption, unauthorized modification)
- Unauthorised disclosure (sent to wrong recipient)
- Unauthorised access (insider misuse, external attack)
A ransomware attack that encrypts data without exfiltration is still a breach (availability + integrity). A misdirected email containing personal data is a breach.
Profiling (4(4)) — gateway to Article 22
“Profiling” means automated processing used to evaluate personal aspects of a natural person — work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, movements.
Profiling alone doesn’t trigger Article 22 (which requires solely automated decisions with legal effects). But profiling triggers higher transparency obligations and often a DPIA.
Cross-border processing (4(23))
Processing in the context of activities of establishments in more than one Member State, OR processing that substantially affects data subjects in more than one Member State. Triggers the lead supervisory authority mechanism under Article 56.
3. Definitions that interact across multiple Articles
| Definition | Articles that depend on it |
|---|---|
| Personal data (4(1)) | All of GDPR |
| Processing (4(2)) | Articles 5, 6, 9, 24, 30, 32, 35 |
| Controller (4(7)) | Articles 24, 25, 26, 28, 30, 32, 33, 34, 35, 37 |
| Processor (4(8)) | Articles 28, 30, 32, 33 |
| Consent (4(11)) | Articles 6, 7, 8, 9, 22 |
| Personal data breach (4(12)) | Articles 33, 34 |
| Cross-border processing (4(23)) | Articles 56, 60, 65 (lead authority + EDPB consistency) |
4. Common definitional mistakes
| Mistake | Reality |
|---|---|
| “Pseudonymized data is anonymous” | Pseudonymised remains personal data — still in scope |
| “Just IP addresses, not personal data” | CJEU Breyer: IPs are personal data |
| “We’re a processor — we don’t need a lawful basis” | Controller needs one; processor needs Article 28 contract |
| “Anonymous = aggregated counts” | Aggregation alone doesn’t anonymize if re-identification possible |
| “Profiling = bad” | Profiling itself is allowed; Article 22 restricts only certain automated decisions |
| “Consent boxes pre-ticked count if user doesn’t uncheck” | CJEU Planet49: pre-ticked invalid |
| “Backup deletion of corrupted file isn’t a breach” | Loss of availability is a breach |
5. Where Article 4 sits in the GDPR
Article 4 is the definitional spine referenced by every operational Article:
- Lawful basis (Art. 6) references “personal data”, “processing”, “consent”
- ROPA (Art. 30) requires listing “categories of personal data”, “categories of data subjects”, “categories of recipients”
- Security (Art. 32) requires measures appropriate to “processing”
- Breach notification (Art. 33) is triggered by “personal data breach”
- DPIA (Art. 35) is required for high-risk “processing”, especially involving “profiling”
Misreading Article 4 cascades through everything.
6. National variations
Member States cannot redefine the Article 4 terms, but their national laws sometimes add subcategories. For example:
- France: Loi Informatique et Libertés adds specific provisions on “données de santé” and “numéro de sécurité sociale”
- Germany: BDSG adds employment-specific provisions
- Spain: LOPDGDD adds provisions on deceased persons
These national overlays apply on top of Article 4 definitions, not in place of them.
7. Tooling
Legiscope maintains a definitional layer that classifies every data category in your ROPA according to Article 4 (and where applicable, Article 9 special categories, Article 10 criminal data). This ensures the right Article 4 definitions trigger the right downstream obligations.
For deep-dives on individual definitions: GDPR data controller vs processor, GDPR Article 7 consent, GDPR Article 9 special categories, is an IP address personal data.
Conclusion
Article 4 is the foundation everyone uses without thinking about it. Reading it carefully — especially the boundary cases on personal data, the controller-processor distinction, the consent criteria — eliminates a class of compliance mistakes that cascade through every other obligation. The 26 definitions are short individually but consequential collectively.
FAQ
What is “personal data” under GDPR Article 4?
Any information relating to an identified or identifiable natural person. Includes direct identifiers (name, email), indirect identifiers (IP, cookie), pseudonymised data, inferred data, photos, biometrics, location data. The CJEU has confirmed that even IP addresses are personal data (Breyer C-582/14).
Is pseudonymised data still personal data?
Yes. Article 4(5) defines pseudonymisation as a security measure that reduces risk but doesn’t take data out of GDPR scope. Only true anonymisation (irreversible) puts data outside GDPR.
What’s the difference between controller and processor?
The controller (4(7)) determines purposes and means of processing. The processor (4(8)) acts on the controller’s behalf following instructions. For a given processing activity, a party is either controller or processor — not both.
What counts as a “personal data breach”?
Article 4(12): any breach of security leading to destruction, loss, alteration, unauthorised disclosure or access. Includes ransomware (availability), misdirected emails (disclosure), corruption (integrity), deleted data (loss).
Is profiling prohibited under GDPR?
No. Profiling itself is allowed (Article 4(4) defines it). What’s restricted is solely automated decision-making with legal or similarly significant effects under Article 22. Profiling for non-significant purposes (recommendations, ad targeting in some cases) is generally lawful.