The commercialization of technologies that interface with the human brain has caught attention of the international community, as they allow the collection of data from dimensions that, until now, were considered unobservable by the general public: brain activity data, commonly referred to as "neurodata". The insertion of such devices in the consumer market is especially relevant in the current technological context, in which Artificial Intelligence (AI) systems allow the processing of raw neurodata (inputs) and the generation of decoded neurodata (outputs) on the cognitive, affective and/or conative state of the subjects to which they refer. This new factual reality presents legal challenges regarding the protection of neurodata in the European Union (EU), raising questions as to whether neurodata qualifies as personal data for the purposes of applying the General Data Protection Regulation (GDPR) - and, consequently, as to the nature of information relating to emotions, memories, thoughts, and intentions. Focusing on these issues, this paper aims to investigate the degree of protection that the GDPR gives to neurodata in the EU today. To this end, the hypothetical-deductive method is used, starting from the hypothesis that neurodata is not formally included in the traditional GDPR model of "personal data" and "sensitive personal data". To achieve the general objective, the work is divided into two main parts: (1) the first investigates key concepts involving the subject, to explore the research hypothesis raised; while (2) the second is dedicated to the impacts that the processing has on the data subject. The results show that there is a legal gap regarding neurodata, as it is a sui generis type of personal data, that deserves multidisciplinary and specialized study in the context of emerging (neuro)technologies for the protection of the data subject's (neuro)privacy.