From Antonio García Martínez in The right to never be forgotten

Two foundational concepts in GDPR:

  1. presence and persistence of personal data
  2. who keeps that data around (further distinguished into two classes of data holders)
    1. controllers (first-party). liability falls on this party to get end-user opt-in and face consequences if found in violation
    2. processers (third-party)

Personal data is “an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” In other words, it’s things that can be traced unambiguously to the real you