What Is Personal Data?
You will see the terms “personal data”, “personal information”, “personally identifiable information” (and the abbreviation “PII”) used throughout this website. The GDPR articles and recitals and the Information Commissioner’s Office in the UK use the term “Personal Data”. PII is used in the USA, and the definition of what constitutes PII is more limited than the definition of personal data in the GDPR.
Personal Data – A Definition
GDPR Article 4 gives us a definition of Personal Data:
“Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
This is not a definitive list.
What Is Sensitive Data?
GDPR offers examples of “Special Categories” of sensitive data as follows:
- Racial or Ethnic Origin
- Political Opinion or Affiliation
- Religious or Political beliefs
- Trade Union membership
- Genetic or Biometric data (for the purpose of uniquely identifying a natural person)
- Health related
- Sex life or Sexual Orientation
There are additional obligations to control the processing of sensitive data. As you can imagine, a breach involving this kind of data could bring extreme harm to a private individual, which is why Article 9 of the GDPR prohibits processing special categories of personal data unless one of several very specific conditions applies.