FAQ — PII, GDPR & AI Privacy Questions
Quick answers about PII, GDPR, AI privacy risks, and how PrivacyPromptAI works
PII stands for Personally Identifiable Information — any data that can identify a specific person, directly or in combination with other data. Examples include names, email addresses, phone numbers, national ID numbers, IP addresses, and dates of birth.
It depends on context. A common first name on its own is unlikely to identify anyone. However, a full name combined with any other data point — such as an employer, email address, or location — almost certainly constitutes PII. Under GDPR, even a first name can be personal data if it identifies a specific person within a given context.
PII is a US concept used in HIPAA and CCPA. Personal data is the GDPR term, defined as any information relating to an identified or identifiable natural person. Personal data under GDPR is broader — it covers indirect identifiers, online identifiers, and combinations of data that together identify someone.
It depends on what's in the document. If it contains personal data, sending it to an AI tool means that data leaves your organisation and is processed on external servers — potentially a GDPR violation. Remove PII first with PrivacyPromptAI and the risk disappears.
Removing names is not sufficient on its own. Under HIPAA's Safe Harbor method, 18 identifiers must all be removed. Under GDPR you must also consider re-identification risk. PrivacyPromptAI detects all 18 HIPAA Safe Harbor identifiers automatically.
Public Wi-Fi adds network-level risk. While AI platforms use HTTPS, public networks can be monitored. You should use a VPN and redact all PII before pasting into any AI tool. PrivacyPromptAI processes everything locally so using it on public Wi-Fi carries zero additional risk.
A DPIA is required by GDPR Article 35 before processing activities that are likely to result in high risk to individuals, such as large-scale processing of sensitive data or using new technologies including AI. Using PrivacyPromptAI to redact data before AI processing is itself a risk mitigation measure that strengthens a DPIA.
GDPR sets two tiers: up to €10 million or 2% of global turnover for less serious violations, and up to €20 million or 4% for the most serious. Notable fines include Meta (€1.2 billion), Amazon (€746 million), and WhatsApp (€225 million).
Yes. GDPR has extraterritorial reach under Article 3. It applies to any organisation that processes personal data of EU residents in connection with offering goods or services to them, or monitoring their behaviour — regardless of where the organisation is based.
Not directly. PrivacyPromptAI detects PII from text-based content. For scanned documents, first run OCR to extract the text, then paste into PrivacyPromptAI. Free OCR options include Adobe Acrobat online, Google Drive, or Microsoft Word.
Student data is highly sensitive and protected by GDPR for EU students and FERPA in the US. Before using AI for grading or lesson planning, remove all student names, ID numbers, dates of birth, and any identifying information. Anonymised assignments can be safely processed by AI.
Act quickly: delete the conversation immediately, clear any memory features, opt out of training data use, and assess whether the breach is notifiable under GDPR Article 33 (72-hour notification requirement if there is risk of harm to individuals). Notify your DPO immediately in any professional context.
ChatGPT is not automatically GDPR compliant for your use case. OpenAI offers a Data Processing Agreement (DPA) and an opt-out from training data use, but you remain responsible for establishing a lawful basis for processing, completing a Transfer Impact Assessment for data leaving the EU, and removing PII before inputting documents. Using ChatGPT with personal data — even with a DPA — may still violate GDPR if you lack a valid legal basis. See our GDPR & AI Compliance guide for a full breakdown.
You can use customer data in AI tools only if you have a lawful basis under GDPR Article 6, a signed Data Processing Agreement with the AI provider, and have conducted a Transfer Impact Assessment if data leaves the EU. The safest and simplest approach is to redact all PII first — eliminating these compliance obligations entirely and allowing you to use AI tools freely with no legal exposure.
True anonymisation for machine learning requires removing all direct identifiers (names, emails, IDs), pseudonymising indirect identifiers, and testing for re-identification risk. For document-based workflows, PrivacyPromptAI automates the first step — detecting and replacing all PII with neutral tokens (e.g. [NAME_1], [EMAIL_1]) across 23 languages — reducing re-identification risk before data enters any ML pipeline. Learn more about PII types we detect.
Yes, if you are subject to GDPR. When you paste a document into ChatGPT, its content is transmitted to OpenAI's servers — a third-party data processor. Under GDPR Article 28, this requires a Data Processing Agreement and a lawful basis for processing. Removing PII first eliminates this obligation entirely. Read our full step-by-step guide on how to do this in under 60 seconds.
Using Claude (Anthropic) or Gemini (Google) with personal data is not automatically a GDPR violation — but it may become one if you have not signed a Data Processing Agreement with the provider, established a lawful basis for processing, or conducted a Transfer Impact Assessment for cross-border transfers. Redacting all PII before use is the safest approach and removes all of these requirements. See our GDPR AI Compliance guide.
All cloud-based AI tools require PII removal if you are subject to GDPR or other data protection law. This includes ChatGPT (OpenAI), Claude (Anthropic), Gemini (Google), Microsoft Copilot, Perplexity, Mistral, and any other AI assistant that processes text on external servers. The rule is simple: if your text leaves your device, remove the PII first. Read our full guide for tool-specific guidance.
Manual removal can satisfy GDPR in principle, but it is error-prone and time-consuming. A single missed identifier — a date of birth, an indirect reference, or a combination of non-obvious data points — can constitute a reportable personal data breach. Automated tools like PrivacyPromptAI reduce this risk by systematically detecting all common PII types using pattern matching and Named Entity Recognition across 23 languages. Learn about the PII types we detect.
A Data Processing Agreement (DPA) is a contract required by GDPR Article 28 whenever you share personal data with a third-party processor — including AI providers. If you use ChatGPT, Claude, or Gemini with personal data, you need a signed DPA with that provider. Alternatively, redacting all PII before use means no personal data is ever shared, which eliminates the DPA requirement entirely. See our Compliance page for more detail.
Anonymisation permanently removes all identifying information so that re-identification is impossible — anonymised data falls outside GDPR entirely. Pseudonymisation replaces identifiers with tokens or codes, but re-identification is still possible if you have the key. PrivacyPromptAI performs pseudonymisation: PII is replaced with tokens like [NAME_1] or [EMAIL_1], preserving document structure while removing exposed identifiers. True anonymisation requires additional steps and careful verification.
PrivacyPromptAI can help reduce HIPAA risk when sharing medical documents with AI tools. It detects and redacts Protected Health Information (PHI) including names, dates, phone numbers, email addresses, and other identifiers listed under HIPAA's Safe Harbor method. However, PrivacyPromptAI is not a certified HIPAA compliance solution and does not replace a formal risk assessment or Business Associate Agreement. It is a practical tool for reducing exposure before AI use.
If personal data about real individuals is submitted to ChatGPT, it is processed by OpenAI's servers and may be used to train future models unless you have opted out or are using a paid API plan with data retention controls. Under GDPR, this constitutes a transfer of personal data to a third-party processor. You should document the incident, assess whether individuals are at risk, and consider notifying your Data Protection Officer. Going forward, use PrivacyPromptAI to redact all PII before pasting any document into an AI tool.
Yes. PrivacyPromptAI runs entirely in your browser, so it works on any modern mobile browser including Chrome for Android and Safari for iOS. The text paste tool and file upload section are both mobile-friendly. The browser extension is currently Chrome/Chromium desktop only and is not available as a mobile app.
No. Once a document is redacted with PrivacyPromptAI and the original is discarded, the redacted version cannot be reversed. The tool replaces PII with tokens such as [NAME_1] or [EMAIL_1] — the original values are never stored on any server. If you need to recover the originals, you must keep a copy of the unredacted document yourself before redacting.
A personal data breach is any incident where personal data is accidentally or unlawfully accessed, disclosed, altered, or lost. Under GDPR, most breaches must be reported to your supervisory authority within 72 hours. Redacting PII before sharing documents with AI tools or third parties significantly reduces breach risk: if a redacted document is accidentally exposed, no personal data is present to be compromised.
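The token replacement described in the pseudonymisation and irreversibility answers above, as an added example that is not PrivacyPromptAI's own code: a small regex-based pseudonymiser with constructed patterns for emails, phone numbers and dates of birth (names need NER, which this example deliberately omits, so a name survives in the output), which keeps the token-to-value key locally so the difference between pseudonymisation (key retained, reversible) and discarding the key (irreversible) is visible.

```python
import re
from typing import Dict, Tuple

# Constructed detection rules for the demo; PrivacyPromptAI's own rules are not shown on the page.
# Emails run first so the digits inside an address are never re-tagged as a phone number.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("PHONE", re.compile(r"\+?\d[\d\s().-]{7,}\d")),
    ("DOB", re.compile(r"\b\d{2}/\d{2}/\d{4}\b")),
]


def pseudonymise(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace each detected identifier with a [TYPE_n] token.

    Returns the redacted text and the token -> original mapping (the "key").
    The same original value always gets the same token, so cross-references
    inside the document stay consistent. While the key exists the output is
    pseudonymised data (still personal data under GDPR); destroy the key and
    the tokens can no longer be resolved.
    """
    key: Dict[str, str] = {}
    seen: Dict[Tuple[str, str], str] = {}
    counters: Dict[str, int] = {}

    def make_replacer(kind: str):
        def _sub(match: "re.Match[str]") -> str:
            value = match.group(0)
            token = seen.get((kind, value))
            if token is None:
                counters[kind] = counters.get(kind, 0) + 1
                token = f"[{kind}_{counters[kind]}]"
                seen[(kind, value)] = token
                key[token] = value
            return token
        return _sub

    for kind, pattern in PATTERNS:
        text = pattern.sub(make_replacer(kind), text)
    return text, key


def reidentify(redacted: str, key: Dict[str, str]) -> str:
    """Reverse the pseudonymisation; only possible while the key is retained."""
    for token, value in key.items():
        redacted = redacted.replace(token, value)
    return redacted


# Constructed sample document; "Jane Doe" is left in place because no NER rule is applied.
SAMPLE = ("Contact Jane Doe at jane.doe@example.com or +44 20 7946 0958; "
          "DOB 14/03/1985. Her email jane.doe@example.com again.")
```

Running `pseudonymise(SAMPLE)` yields `Contact Jane Doe at [EMAIL_1] or [PHONE_1]; DOB [DOB_1]. Her email [EMAIL_1] again.` with a three-entry key; the surviving name is the kind of missed identifier the manual-removal answer above warns about.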