GDPR Personal Data Classification
Decision tree
Tags: gdpr, privacy, compliance, data, legal
Processing personal data without a clear lawful basis is one of the highest-risk compliance failures under GDPR — fines reach 4% of global annual turnover. This tree walks you through the key classification questions for a specific dataset or processing activity, from identifying whether data is personal at all, through lawful basis and special category checks, to international transfer requirements.
Overview
Decision Tree
Start: Does this dataset contain information that directly or indirectly identifies a living natural person?
- yes: continues to question "Do you have a documented lawful basis for this specific processing activity?"
- no: outcome NOT-PERSONAL-DATA
Machine-Readable JSON (Canonical Model)
{
"_meta": {
"schema": "https://www.drawdecisiontree.com/decision-dag.schema.json",
"source": "https://www.drawdecisiontree.com",
"description": "DrawDecisionTree.com is a free tool for building, sharing, and embedding interactive decision trees. This file is the machine-readable export of a published decision tree. The `dsl` field contains the original source in the Decision DAG DSL; the `dag` schema is documented at the URL in `schema` above.",
"links": {
"interactive": "https://www.drawdecisiontree.com/t/drawdecisiontree/gdpr-data-classification.html",
"embed": "https://www.drawdecisiontree.com/embed/path/drawdecisiontree/gdpr-data-classification",
"dsl_reference": "https://www.drawdecisiontree.com/decision-tree-dsl-reference.html",
"guides": "https://www.drawdecisiontree.com/guides",
"schema_docs": "https://www.drawdecisiontree.com/decision-dag.schema.json",
"author_trees": "https://www.drawdecisiontree.com/trees/drawdecisiontree"
},
"generated_at": "2026-05-29T12:05:39.294Z"
},
"author": {
"handle": "drawdecisiontree",
"first_name": "Andrew",
"last_name": null,
"avatar_url": "1d32d828-b6ca-40ec-bdd7-771fe7b9c36a/avatar-1778531481027.svg",
"display_name": "Andrew"
},
"file": {
"id": "bfbc8fe6-514a-4be4-906e-fc2a93bb9351",
"name": "GDPR Personal Data Classification",
"public_slug": "gdpr-data-classification",
"updated_at": "2026-05-12T16:53:43.587978+00:00",
"url": "https://www.drawdecisiontree.com/t/drawdecisiontree/gdpr-data-classification.html",
"json_url": "https://www.drawdecisiontree.com/t/drawdecisiontree/gdpr-data-classification/tree.json",
"dsl_url": "https://www.drawdecisiontree.com/t/drawdecisiontree/gdpr-data-classification/tree.dag"
},
"meta": {
"description": "Processing personal data without a clear lawful basis is one of the highest-risk compliance failures under GDPR — fines reach 4% of global annual turnover. This tree walks you through the key classification questions for a specific dataset or processing activity, from identifying whether data is personal at all, through lawful basis and special category checks, to international transfer requirements.",
"mode": "decision",
"entry": "Q1",
"tags": [
"gdpr",
"privacy",
"compliance",
"data",
"legal"
],
"image": "https://images.unsplash.com/photo-1563013544-824ae1b704d3?w=1200&q=80"
},
"questions": [
{
"id": "Q1",
"text": "Does this dataset contain information that directly or indirectly identifies a living natural person?"
},
{
"id": "Q2",
"text": "Do you have a documented lawful basis for this specific processing activity?"
},
{
"id": "Q3",
"text": "Does the data fall into a special category under GDPR Article 9?"
},
{
"id": "Q4",
"text": "In addition to your Article 6 lawful basis, does a specific Article 9(2) condition (explicit consent, or one of the other listed exemptions) apply to this processing?"
},
{
"id": "Q5",
"text": "Will this data be transferred to, or accessed from, a country or organisation outside the EEA or UK?"
},
{
"id": "Q6",
"text": "Is there an adequacy decision for the destination country, or do you have appropriate transfer safeguards in place?"
}
],
"outcomes": [],
"dsl": "dag: GDPR Personal Data Classification\nversion: 1.0.0\nimage: https://images.unsplash.com/photo-1563013544-824ae1b704d3?w=1200&q=80\ndescription: Processing personal data without a clear lawful basis is one of the highest-risk compliance failures under GDPR — fines reach 4% of global annual turnover. This tree walks you through the key classification questions for a specific dataset or processing activity, from identifying whether data is personal at all, through lawful basis and special category checks, to international transfer requirements.\ntags: gdpr, privacy, compliance, data, legal\nentry: Q1\n\nQ1: Does this dataset contain information that directly or indirectly identifies a living natural person?\n hint: Direct identifiers include name, email address, national ID number, passport number, phone number, and precise GPS location. Indirect identifiers include IP addresses, device IDs, cookie values, account numbers, and demographic combinations narrow enough to single out an individual. When in doubt, treat the data as personal — the burden of proof for anonymisation under GDPR is high, and pseudonymised data (where re-identification is possible with a separate key) still counts as personal data.\n yes -> Q2\n no -> [NOT-PERSONAL-DATA]\n\nQ2: Do you have a documented lawful basis for this specific processing activity?\n hint: The six lawful bases under GDPR Article 6 are: (1) Consent — freely given, specific, informed, and unambiguous; (2) Contract — processing necessary to perform a contract with the data subject, or to take steps at their request before entering into one; (3) Legal obligation — required by law; (4) Vital interests — necessary to protect the life of the data subject or another person; (5) Public task — necessary for a task carried out in the public interest or in the exercise of official authority; (6) Legitimate interests — necessary for your (or a third party's) legitimate interests, provided those interests are not overridden by the interests, rights and freedoms of the data subject (the balancing test asks whether the data subject's rights override your interests, not the reverse). Legitimate interests requires a documented Legitimate Interest Assessment (LIA). If none of these apply to this processing activity, you cannot lawfully process the data.\n yes -> Q3\n no -> [NO-LAWFUL-BASIS]\n\nQ3: Does the data fall into a special category under GDPR Article 9?\n hint: Special category data may only be processed if, in addition to an Article 6 lawful basis, one of the Article 9(2) conditions applies (explicit consent is the most common), and it carries significantly higher compliance obligations. The special categories are: health and medical data, genetic data, biometric data used for identification, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sex life or sexual orientation. Data on criminal convictions and offences is not an Article 9 special category: it is governed separately by Article 10, which permits processing only under the control of official authority or where authorised by EU or Member State law. Treat it with at least the same care as special category data, but check the Article 10 conditions rather than Article 9(2).\n yes -> Q4\n no -> Q5\n\nQ4: In addition to your Article 6 lawful basis, does a specific Article 9(2) condition (explicit consent, or one of the other listed exemptions) apply to this processing?\n hint: Processing special category data requires both a lawful basis under Article 6 AND a separate condition under Article 9(2). Explicit consent is the most common condition for commercial organisations, but others include employment law obligations (health data for occupational medicine), vital interests (medical emergencies), and research or archiving purposes with appropriate safeguards. Both conditions must be met simultaneously — one without the other is insufficient.\n yes -> [SPECIAL-CATEGORY]\n no -> [CANNOT-PROCESS]\n\nQ5: Will this data be transferred to, or accessed from, a country or organisation outside the EEA or UK?\n hint: \"Transfer\" includes any situation where personal data becomes accessible outside the EEA — data stored on servers in the US, a US-headquartered SaaS tool with access to the data, a subsidiary in a non-adequate country, or a vendor whose support staff are based outside the EEA. AWS eu-west-1 (Ireland) is within the EEA; AWS us-east-1 is not. Check your vendor data processing agreements for sub-processor locations.\n yes -> Q6\n no -> [STANDARD-PROCESSING]\n\nQ6: Is there an adequacy decision for the destination country, or do you have appropriate transfer safeguards in place?\n hint: Adequate countries (as of 2024) include the UK, Switzerland, Canada (commercial organisations), Japan, South Korea, New Zealand, and others. For transfers to the US, the EU-US Data Privacy Framework provides adequacy only for US organisations certified under it, so check the certification list for the specific importer. For other destinations, Standard Contractual Clauses (SCCs, 2021 version), Binding Corporate Rules (BCRs), or an approved code of conduct or certification mechanism provide the required safeguards; under the UK GDPR, use the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. Since Schrems II, SCCs must be accompanied by a Transfer Impact Assessment (TIA). The SCCs must be signed before the transfer begins, not after.\n yes -> [STANDARD-PROCESSING]\n no -> [TRANSFER-BLOCKED]\n\n[NOT-PERSONAL-DATA]: Not Personal Data — Standard Handling\n color: #27AE60\n description: This dataset does not contain personal data as defined by GDPR — it either contains no information relating to individuals, or the data has been genuinely anonymised such that re-identification is not reasonably possible by any party. GDPR does not apply to this processing activity. Standard data governance practices still apply: document what the data contains and how it is used, apply appropriate access controls, and review the classification periodically as the dataset or processing activities evolve. Note that combining non-personal datasets can sometimes create personal data through inference — re-assess if datasets are joined or enriched with additional fields.\n code: GDPR_NOT_PERSONAL\n\n[NO-LAWFUL-BASIS]: Cannot Process — Establish Lawful Basis First\n color: #E74C3C\n description: This processing activity lacks a documented lawful basis under GDPR Article 6. Processing personal data without a lawful basis is unlawful and exposes your organisation to regulatory enforcement, fines of up to €20 million or 4% of global annual turnover (whichever is higher), and potential civil claims from data subjects. Do not proceed with this processing activity until you have identified and documented a lawful basis. Review the six available bases: consent (document the consent mechanism and ensure it meets the freely-given, specific, informed, unambiguous standard), contract (can you demonstrate the processing is necessary for the contract?), legitimate interests (complete a Legitimate Interest Assessment balancing your interests against the data subject's rights), legal obligation (identify the specific legal requirement), public task (identify the statutory function or official authority being exercised), or vital interests (only where the processing is necessary to protect someone's life). If no basis applies, the processing cannot be undertaken.\n code: GDPR_NO_BASIS\n\n[SPECIAL-CATEGORY]: Process with Enhanced Controls (Special Category)\n color: #F5A623\n description: Special category data can be processed, but it requires enhanced technical and organisational measures beyond standard personal data handling. Apply the following controls as a minimum: data minimisation (collect only what is strictly necessary for the documented purpose), consent records with a clear withdrawal mechanism where explicit consent is the Article 9(2) condition relied on, strict access controls limited to staff with a specific need to process this data, encryption at rest and in transit, a completed Data Protection Impact Assessment (DPIA) documenting the risks and mitigations, and a documented retention schedule with secure deletion at end of retention. Record this processing activity in your Article 30 Record of Processing Activities with the specific Article 9(2) condition identified. Inform your Data Protection Officer (DPO) if your organisation has one. Review the processing activity annually to confirm the Article 9 condition still applies.\n code: GDPR_SPECIAL_CATEGORY\n\n[CANNOT-PROCESS]: Cannot Process — Conditions Not Met\n color: #C0392B\n description: This special category processing activity cannot proceed because no Article 9(2) condition has been established for it: explicit consent has not been obtained and no other listed exemption applies. Special category data is subject to a prohibition on processing under Article 9(1) that can only be lifted by meeting both an Article 6 lawful basis AND a specific Article 9(2) condition simultaneously. The most common path forward is to obtain explicit consent from each data subject — but explicit consent must be freely given (no detriment for refusal), specific to this processing purpose, and clearly distinguishable from other consent requests. If the processing is genuinely necessary and consent is impractical, consult your DPO or legal counsel to determine whether another Article 9(2) condition (employment law, vital interests, legitimate activities of a non-profit, substantial public interest, research) could apply with appropriate safeguards.\n code: GDPR_CANNOT_PROCESS\n\n[STANDARD-PROCESSING]: Standard Processing — Proceed with Controls\n color: #2980B9\n description: This processing activity is lawful under GDPR. Proceed with standard data protection controls: document the processing activity in your Article 30 Record of Processing Activities (purpose, categories of data, categories of data subjects, retention period, recipients, and transfer safeguards where applicable); apply data minimisation — collect only what is necessary for the stated purpose; implement appropriate technical measures (encryption at rest and in transit, access controls, pseudonymisation where feasible); establish a clear retention schedule and deletion process; ensure data subjects can exercise their rights (access, rectification, erasure, portability, objection) through your privacy notice and internal processes; and review the processing activity if the purpose or data categories change materially. Conduct a DPIA if the processing is likely to result in high risk to data subjects.\n code: GDPR_STANDARD\n\n[TRANSFER-BLOCKED]: Transfer Blocked — Establish Safeguards First\n color: #8E44AD\n description: This international transfer cannot proceed because no adequacy decision covers the destination country and no appropriate transfer safeguard is in place. Transferring personal data to a third country without an adequacy decision or appropriate safeguard is unlawful under GDPR Chapter V and has been the subject of major litigation and enforcement: the CJEU's Schrems I and Schrems II judgments invalidated the Safe Harbour and Privacy Shield frameworks respectively, and supervisory authorities have issued substantial fines for unlawful transfers since. The most practical path for most organisations is Standard Contractual Clauses (SCCs) — use the 2021 EU SCC templates, complete the relevant module (controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller), attach your Transfer Impact Assessment (TIA) documenting the legal framework of the destination country and any supplementary measures, and have both parties sign before any data is transferred. If you use a SaaS vendor as the data importer, request their completed DPA and SCCs — most major providers (AWS, Google, Microsoft, Salesforce) have these available.\n code: GDPR_TRANSFER_BLOCKED\n"
}
DSL Representation
dag: GDPR Personal Data Classification
version: 1.0.0
image: https://images.unsplash.com/photo-1563013544-824ae1b704d3?w=1200&q=80
description: Processing personal data without a clear lawful basis is one of the highest-risk compliance failures under GDPR — fines reach 4% of global annual turnover. This tree walks you through the key classification questions for a specific dataset or processing activity, from identifying whether data is personal at all, through lawful basis and special category checks, to international transfer requirements.
tags: gdpr, privacy, compliance, data, legal
entry: Q1
Q1: Does this dataset contain information that directly or indirectly identifies a living natural person?
hint: Direct identifiers include name, email address, national ID number, passport number, phone number, and precise GPS location. Indirect identifiers include IP addresses, device IDs, cookie values, account numbers, and demographic combinations narrow enough to single out an individual. When in doubt, treat the data as personal — the burden of proof for anonymisation under GDPR is high, and pseudonymised data (where re-identification is possible with a separate key) still counts as personal data.
yes -> Q2
no -> [NOT-PERSONAL-DATA]
Q2: Do you have a documented lawful basis for this specific processing activity?
hint: The six lawful bases under GDPR Article 6 are: (1) Consent — freely given, specific, informed, and unambiguous; (2) Contract — processing necessary to perform a contract with the data subject, or to take steps at their request before entering into one; (3) Legal obligation — required by law; (4) Vital interests — necessary to protect the life of the data subject or another person; (5) Public task — necessary for a task carried out in the public interest or in the exercise of official authority; (6) Legitimate interests — necessary for your (or a third party's) legitimate interests, provided those interests are not overridden by the interests, rights and freedoms of the data subject (the balancing test asks whether the data subject's rights override your interests, not the reverse). Legitimate interests requires a documented Legitimate Interest Assessment (LIA). If none of these apply to this processing activity, you cannot lawfully process the data.
yes -> Q3
no -> [NO-LAWFUL-BASIS]
Q3: Does the data fall into a special category under GDPR Article 9?
hint: Special category data may only be processed if, in addition to an Article 6 lawful basis, one of the Article 9(2) conditions applies (explicit consent is the most common), and it carries significantly higher compliance obligations. The special categories are: health and medical data, genetic data, biometric data used for identification, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sex life or sexual orientation. Data on criminal convictions and offences is not an Article 9 special category: it is governed separately by Article 10, which permits processing only under the control of official authority or where authorised by EU or Member State law. Treat it with at least the same care as special category data, but check the Article 10 conditions rather than Article 9(2).
yes -> Q4
no -> Q5
Q4: In addition to your Article 6 lawful basis, does a specific Article 9(2) condition (explicit consent, or one of the other listed exemptions) apply to this processing?
hint: Processing special category data requires both a lawful basis under Article 6 AND a separate condition under Article 9(2). Explicit consent is the most common condition for commercial organisations, but others include employment law obligations (health data for occupational medicine), vital interests (medical emergencies), and research or archiving purposes with appropriate safeguards. Both conditions must be met simultaneously — one without the other is insufficient.
yes -> [SPECIAL-CATEGORY]
no -> [CANNOT-PROCESS]
Q5: Will this data be transferred to, or accessed from, a country or organisation outside the EEA or UK?
hint: "Transfer" includes any situation where personal data becomes accessible outside the EEA — data stored on servers in the US, a US-headquartered SaaS tool with access to the data, a subsidiary in a non-adequate country, or a vendor whose support staff are based outside the EEA. AWS eu-west-1 (Ireland) is within the EEA; AWS us-east-1 is not. Check your vendor data processing agreements for sub-processor locations.
yes -> Q6
no -> [STANDARD-PROCESSING]
Q6: Is there an adequacy decision for the destination country, or do you have appropriate transfer safeguards in place?
hint: Adequate countries (as of 2024) include the UK, Switzerland, Canada (commercial organisations), Japan, South Korea, New Zealand, and others. For transfers to the US, the EU-US Data Privacy Framework provides adequacy only for US organisations certified under it, so check the certification list for the specific importer. For other destinations, Standard Contractual Clauses (SCCs, 2021 version), Binding Corporate Rules (BCRs), or an approved code of conduct or certification mechanism provide the required safeguards; under the UK GDPR, use the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. Since Schrems II, SCCs must be accompanied by a Transfer Impact Assessment (TIA). The SCCs must be signed before the transfer begins, not after.
yes -> [STANDARD-PROCESSING]
no -> [TRANSFER-BLOCKED]
[NOT-PERSONAL-DATA]: Not Personal Data — Standard Handling
color: #27AE60
description: This dataset does not contain personal data as defined by GDPR — it either contains no information relating to individuals, or the data has been genuinely anonymised such that re-identification is not reasonably possible by any party. GDPR does not apply to this processing activity. Standard data governance practices still apply: document what the data contains and how it is used, apply appropriate access controls, and review the classification periodically as the dataset or processing activities evolve. Note that combining non-personal datasets can sometimes create personal data through inference — re-assess if datasets are joined or enriched with additional fields.
code: GDPR_NOT_PERSONAL
[NO-LAWFUL-BASIS]: Cannot Process — Establish Lawful Basis First
color: #E74C3C
description: This processing activity lacks a documented lawful basis under GDPR Article 6. Processing personal data without a lawful basis is unlawful and exposes your organisation to regulatory enforcement, fines of up to €20 million or 4% of global annual turnover (whichever is higher), and potential civil claims from data subjects. Do not proceed with this processing activity until you have identified and documented a lawful basis. Review the six available bases: consent (document the consent mechanism and ensure it meets the freely-given, specific, informed, unambiguous standard), contract (can you demonstrate the processing is necessary for the contract?), legitimate interests (complete a Legitimate Interest Assessment balancing your interests against the data subject's rights), legal obligation (identify the specific legal requirement), public task (identify the statutory function or official authority being exercised), or vital interests (only where the processing is necessary to protect someone's life). If no basis applies, the processing cannot be undertaken.
code: GDPR_NO_BASIS
[SPECIAL-CATEGORY]: Process with Enhanced Controls (Special Category)
color: #F5A623
description: Special category data can be processed, but it requires enhanced technical and organisational measures beyond standard personal data handling. Apply the following controls as a minimum: data minimisation (collect only what is strictly necessary for the documented purpose), consent records with a clear withdrawal mechanism where explicit consent is the Article 9(2) condition relied on, strict access controls limited to staff with a specific need to process this data, encryption at rest and in transit, a completed Data Protection Impact Assessment (DPIA) documenting the risks and mitigations, and a documented retention schedule with secure deletion at end of retention. Record this processing activity in your Article 30 Record of Processing Activities with the specific Article 9(2) condition identified. Inform your Data Protection Officer (DPO) if your organisation has one. Review the processing activity annually to confirm the Article 9 condition still applies.
code: GDPR_SPECIAL_CATEGORY
[CANNOT-PROCESS]: Cannot Process — Conditions Not Met
color: #C0392B
description: This special category processing activity cannot proceed because no Article 9(2) condition has been established for it: explicit consent has not been obtained and no other listed exemption applies. Special category data is subject to a prohibition on processing under Article 9(1) that can only be lifted by meeting both an Article 6 lawful basis AND a specific Article 9(2) condition simultaneously. The most common path forward is to obtain explicit consent from each data subject — but explicit consent must be freely given (no detriment for refusal), specific to this processing purpose, and clearly distinguishable from other consent requests. If the processing is genuinely necessary and consent is impractical, consult your DPO or legal counsel to determine whether another Article 9(2) condition (employment law, vital interests, legitimate activities of a non-profit, substantial public interest, research) could apply with appropriate safeguards.
code: GDPR_CANNOT_PROCESS
[STANDARD-PROCESSING]: Standard Processing — Proceed with Controls
color: #2980B9
description: This processing activity is lawful under GDPR. Proceed with standard data protection controls: document the processing activity in your Article 30 Record of Processing Activities (purpose, categories of data, categories of data subjects, retention period, recipients, and transfer safeguards where applicable); apply data minimisation — collect only what is necessary for the stated purpose; implement appropriate technical measures (encryption at rest and in transit, access controls, pseudonymisation where feasible); establish a clear retention schedule and deletion process; ensure data subjects can exercise their rights (access, rectification, erasure, portability, objection) through your privacy notice and internal processes; and review the processing activity if the purpose or data categories change materially. Conduct a DPIA if the processing is likely to result in high risk to data subjects.
code: GDPR_STANDARD
[TRANSFER-BLOCKED]: Transfer Blocked — Establish Safeguards First
color: #8E44AD
description: This international transfer cannot proceed because no adequacy decision covers the destination country and no appropriate transfer safeguard is in place. Transferring personal data to a third country without an adequacy decision or appropriate safeguard is unlawful under GDPR Chapter V and has been the subject of major litigation and enforcement: the CJEU's Schrems I and Schrems II judgments invalidated the Safe Harbour and Privacy Shield frameworks respectively, and supervisory authorities have issued substantial fines for unlawful transfers since. The most practical path for most organisations is Standard Contractual Clauses (SCCs) — use the 2021 EU SCC templates, complete the relevant module (controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller), attach your Transfer Impact Assessment (TIA) documenting the legal framework of the destination country and any supplementary measures, and have both parties sign before any data is transferred. If you use a SaaS vendor as the data importer, request their completed DPA and SCCs — most major providers (AWS, Google, Microsoft, Salesforce) have these available.
code: GDPR_TRANSFER_BLOCKED
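The Q1 hint says that pseudonymised data, where re-identification is possible with a separate key, is still personal data, and that the bar for genuine anonymisation is high. The following is an added example (my own code, not part of the decision tree or of drawdecisiontree.com) that shows the difference concretely: a bare SHA-256 hash of an e-mail address is reversed by anyone who can enumerate plausible addresses, while an HMAC under a secret key resists that dictionary attack for outsiders but stays reversible for whoever holds the key. The e-mail addresses and the attacker's candidate list are constructed sample values.

```python
"""Why hashed identifiers are still personal data: unkeyed hash vs keyed HMAC.

Added example, not part of the decision tree. SAMPLE_EMAILS and
ATTACKER_CANDIDATES are constructed values, not real people.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample identifiers held by the controller.
SAMPLE_EMAILS = ["alice@example.org", "bob@example.net", "carol@example.com"]

# Constructed guess list an attacker might hold: the true subjects plus decoys
# (a leaked customer list, a scraped directory, a previous breach dump).
ATTACKER_CANDIDATES = SAMPLE_EMAILS + ["dave@example.org", "erin@example.net"]


def normalise(email: str) -> str:
    """Canonical form, so case and whitespace variants map to one token."""
    return email.strip().lower()


def unkeyed_token(email: str) -> str:
    """The naive 'anonymisation': a bare SHA-256 of the identifier."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def keyed_token(key: bytes, email: str) -> str:
    """Pseudonymisation with a secret key: HMAC-SHA256 over the identifier."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


def dictionary_attack(tokens: set, candidates: list, key: Optional[bytes] = None) -> dict:
    """Re-identify tokens by recomputing them over a candidate list.

    With key=None this is what an outsider can do (recompute bare hashes);
    with the key it is what the controller, or anyone who steals the key,
    can do. Returns {token: email} for every candidate that matches.
    """
    recovered = {}
    for email in candidates:
        token = unkeyed_token(email) if key is None else keyed_token(key, email)
        if token in tokens:
            recovered[token] = normalise(email)
    return recovered


def demo() -> dict:
    """Run the three scenarios and return how many subjects each re-identifies."""
    key = secrets.token_bytes(32)          # stored separately from the data set
    unkeyed = {unkeyed_token(e) for e in SAMPLE_EMAILS}
    keyed = {keyed_token(key, e) for e in SAMPLE_EMAILS}
    return {
        # 1. Bare hashes: every subject is recovered from the guess list.
        "unkeyed_reidentified": len(dictionary_attack(unkeyed, ATTACKER_CANDIDATES)),
        # 2. HMAC tokens, attacker without the key: the guess list yields nothing.
        "keyed_reidentified_without_key": len(dictionary_attack(keyed, ATTACKER_CANDIDATES)),
        # 3. HMAC tokens, key holder: everyone is re-identifiable again, which is
        #    exactly why the output is pseudonymised rather than anonymised.
        "keyed_reidentified_with_key": len(dictionary_attack(keyed, ATTACKER_CANDIDATES, key)),
    }


if __name__ == "__main__":
    print(demo())
```

Scenario 3 is the point for classification: as long as the key exists anywhere in your organisation, the tokenised dataset answers Q1 with yes and must carry the same Article 30 record, access controls and retention schedule as the raw identifiers. Keep the key in a KMS or HSM with its own access policy, and treat deleting the key as the step that turns the dataset into anonymised data.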
Machine Access
- Static JSON: /t/drawdecisiontree/gdpr-data-classification/tree.json
- Live JSON (SPA): /json/drawdecisiontree/gdpr-data-classification
- Raw DSL: /t/drawdecisiontree/gdpr-data-classification/tree.dag
- Canonical HTML: /t/drawdecisiontree/gdpr-data-classification.html
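If you pull the raw DSL from the endpoint above to drive the classification from a data-governance pipeline, you need to parse it and check that the graph is sound before trusting its outcomes. The following is an added example (my own code, not drawdecisiontree.com's): the grammar is inferred from the listing on this page (node headers of the form `Q1: text` and `[NAME]: title`, attribute lines `hint:`, `color:`, `description:`, `code:`, and edge lines `answer -> target`) and may differ from the official DSL reference in details this page does not show. The embedded `SAMPLE_DSL` is a shortened copy of this page's tree with hints and descriptions dropped.

```python
"""Parser, validator and evaluator for the Decision DAG DSL listed on this page.
Added example, not drawdecisiontree.com's code: the grammar is inferred from the
listing above ('Q1: text' and '[NAME]: title' headers, 'hint:'/'color:'/
'description:'/'code:' attributes, 'answer -> target' edges) and may differ from
the official DSL reference. SAMPLE_DSL is a shortened copy of this page's tree."""
import re

SAMPLE_DSL = """\
dag: GDPR Personal Data Classification
entry: Q1
Q1: Does this dataset identify a living natural person, directly or indirectly?
 yes -> Q2
 no -> [NOT-PERSONAL-DATA]
Q2: Do you have a documented Article 6 lawful basis for this processing?
 yes -> Q3
 no -> [NO-LAWFUL-BASIS]
Q3: Does the data fall into a special category under Article 9?
 yes -> Q4
 no -> Q5
Q4: In addition to the Article 6 basis, does an Article 9(2) condition apply?
 yes -> [SPECIAL-CATEGORY]
 no -> [CANNOT-PROCESS]
Q5: Will the data be transferred to, or accessed from, outside the EEA or UK?
 yes -> Q6
 no -> [STANDARD-PROCESSING]
Q6: Is there an adequacy decision or an appropriate transfer safeguard?
 yes -> [STANDARD-PROCESSING]
 no -> [TRANSFER-BLOCKED]
[NOT-PERSONAL-DATA]: Not Personal Data
 code: GDPR_NOT_PERSONAL
[NO-LAWFUL-BASIS]: Cannot Process
 code: GDPR_NO_BASIS
[SPECIAL-CATEGORY]: Process with Enhanced Controls
 code: GDPR_SPECIAL_CATEGORY
[CANNOT-PROCESS]: Cannot Process
 code: GDPR_CANNOT_PROCESS
[STANDARD-PROCESSING]: Standard Processing
 code: GDPR_STANDARD
[TRANSFER-BLOCKED]: Transfer Blocked
 code: GDPR_TRANSFER_BLOCKED
"""

HEADER_RE = re.compile(r"^(Q\d+|\[[A-Z0-9-]+\]):\s*(.*)$")      # node headers
EDGE_RE = re.compile(r"^(\w+)\s*->\s*\[?([A-Za-z0-9-]+)\]?$")     # answer -> target
ATTR_RE = re.compile(r"^(hint|color|description|code):\s*(.*)$")  # node attributes
META_RE = re.compile(r"^(\w+):\s*(.*)$")                          # file-level metadata

def parse(dsl: str):
    """Return (meta, nodes); nodes maps 'Q1' / 'NOT-PERSONAL-DATA' to a dict."""
    meta, nodes, current = {}, {}, None
    for raw in dsl.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)) and not raw[:1].isspace():
            kind = "question" if line.startswith("Q") else "outcome"
            current = nodes[m.group(1).strip("[]")] = {
                "kind": kind, "text": m.group(2), "attrs": {}, "edges": {}}
        elif (m := EDGE_RE.match(line)) and current is not None:
            current["edges"][m.group(1).lower()] = m.group(2)
        elif (m := ATTR_RE.match(line)) and current is not None:
            current["attrs"][m.group(1)] = m.group(2)
        elif (m := META_RE.match(line)) and current is None:
            meta[m.group(1)] = m.group(2)
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    return meta, nodes

def validate(meta: dict, nodes: dict) -> None:
    """Reject a bad entry, dangling edges, dead-end questions, cycles, unreachable nodes."""
    if meta.get("entry") not in nodes:
        raise ValueError(f"entry {meta.get('entry')!r} is not a defined node")
    for nid, node in nodes.items():
        if node["kind"] == "question" and not node["edges"]:
            raise ValueError(f"{nid} has no answers")
        for answer, target in node["edges"].items():
            if target not in nodes:
                raise ValueError(f"{nid}/{answer} -> undefined node {target!r}")
    reached, path = set(), []
    def visit(nid):                      # depth-first walk; path is the current stack
        if nid in path:
            raise ValueError("cycle: " + " -> ".join(path + [nid]))
        if nid not in reached:
            reached.add(nid)
            path.append(nid)
            for target in nodes[nid]["edges"].values():
                visit(target)
            path.pop()
    visit(meta["entry"])
    if unreachable := sorted(set(nodes) - reached):
        raise ValueError(f"unreachable nodes: {unreachable}")

def evaluate(meta: dict, nodes: dict, answers: dict) -> str:
    """Walk from the entry question using answers like {'Q1': 'yes'}; return the outcome code."""
    nid = meta["entry"]
    while nodes[nid]["kind"] == "question":
        nid = nodes[nid]["edges"][answers[nid].lower()]  # KeyError: missing or invalid answer
    return nodes[nid]["attrs"].get("code", nid)
```

Run `validate` once on the fetched file and fail closed on any `ValueError`: a dangling edge or an unreachable outcome means the published tree and the behaviour you are automating have diverged. `evaluate` then maps a recorded set of answers for one dataset to its outcome code, which is what you would store alongside the Article 30 entry. The parser also works on a listing whose indentation was lost, as on this page, because headers are recognised by shape rather than by column.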
Questions in this decision tree
- Does this dataset contain information that directly or indirectly identifies a living natural person?
- Do you have a documented lawful basis for this specific processing activity?
- Does the data fall into a special category under GDPR Article 9?
- In addition to your Article 6 lawful basis, does a specific Article 9(2) condition (explicit consent, or one of the other listed exemptions) apply to this processing?
- Will this data be transferred to, or accessed from, a country or organisation outside the EEA or UK?
- Is there an adequacy decision for the destination country, or do you have appropriate transfer safeguards in place?