What is PII under GDPR?
Under GDPR Article 4(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The European Commission explains this in detail: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
Examples of personal data
- a name and surname;
- a home address;
- an email address such as firstname.lastname@example.org;
- an identification card number;
- location data (for example the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
Examples of data not considered personal data
- a company registration number;
- an email address such as email@example.com;
- anonymized data.