Personal data is ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’ (Article 4(1)).
In other words, anything that can be used to identify the individual is considered personal data. This includes addresses, credit card numbers, photos, salary, opinions, etc. Note that cookies, IP addresses and location data are also considered personal, which caused quite an uproar for online marketers. The protections of the GDPR are afforded only to the living persons.
Data that is not considered personal, or if it has been anonymised, does not fall under the scope of the GDPR.
Find out more information here.