You will see the terms “personal data”, “personal information”, “personally identifiable information” (and the abbreviation “PII”) used throughout this website. The GDPR articles and recitals and the Information Commissioner’s Office in the UK use the term “Personal Data”. We use the former terms here because they were used by the data protection experts with whom we worked in our own preparation and awareness. Some people prefer the term “personal data”; we like to use “PII”. It’s a bit more descriptive, and for the layman it says what it means.
GDPR Article 4 gives us a definition of Personal Data:
“Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
This is not a definitive list.
GDPR offers examples of “Special Categories” of sensitive data as follows:
There are additional obligations to control the processing of sensitive data. As you can imagine, a breach involving this kind of data could bring extreme harm to a private individual, which is why Article 9 of the GDPR prohibits processing special categories of personal data unless one of several very specific conditions applies.