What counts as personal data under GDPR?

Personal data per AVG Art. 4 is any information that can identify a living, identifiable person. The definition is broad — much broader than most people assume. Direct identifiers: name, address, phone number, email, ID number, IP address, face photo, fingerprint, voice. Indirect identifiers: data that seems harmless alone but in combination identifies someone — e.g. "woman, 34, postcode 1015, works at Amsterdam municipality, has a Tesla" → uniquely traceable to one person. Special category data (AVG Art. 9) gets extra protection and may not normally be processed without explicit consent or a legal exception: race or ethnicity, political views, religion, union membership, health, sex life, biometrics (fingerprint, face recognition), genetics. What's NOT personal data? Truly anonymous data (genuinely not re-identifiable), data of deceased persons (in NL usually outside the AVG), data of legal entities (companies, foundations — they have no GDPR rights, only their natural-person representatives do). Pseudonymisation (encrypting data with a key) does NOT make data anonymous — it remains personal data because the key makes it identifiable. Practical rule: if you're unsure, treat it as personal data. Safer and matches the spirit of the law.