Types of PII Data — Complete Guide to Personal Information

Every type of Personally Identifiable Information (PII) — from names and emails to GDPR special categories


📌 TL;DR — Quick Summary

PII (Personally Identifiable Information) includes 10+ standard types — names, emails, phone numbers, SSN, credit cards, IBANs, addresses, national IDs, passports, and IP addresses — plus 7 GDPR special categories (health data, biometric data, genetic data, racial/ethnic origin, religious beliefs, political opinions, and sexual orientation). Always remove all PII before using ChatGPT, Claude, or any AI tool to stay GDPR-compliant.

What Is PII?

The foundational definition — and why it matters more than ever in the age of AI.

PII stands for Personally Identifiable Information. It is any piece of data — or combination of data — that can be used to identify a specific living individual, either directly or indirectly.

Under the EU's General Data Protection Regulation (GDPR), this is called "personal data" and is defined in Article 4(1) as: "any information relating to an identified or identifiable natural person." The US equivalent — used in CCPA, HIPAA and other laws — uses the term PII.

The key word is "identifiable". A name alone may not identify someone. But a name combined with a date of birth, postcode, or employer almost certainly will. This is why organisations must treat combinations of data with the same care as obviously sensitive identifiers.

10+ standard PII types detected · 7 GDPR special categories · 23 languages supported · €20M max GDPR fine for breaches


PII vs Non-PII — Real Examples

Not all data about a person is PII. The key test is whether the information can identify a specific individual — directly, or in combination with other data.

| Data Item | PII? | Why / Why Not |
|---|---|---|
| john.smith@email.com | ✓ PII | Directly identifies an individual — unique to a person or household |
| support@company.com | ✗ Not PII | Generic business address — does not identify a specific individual |
| Date of birth: 15/04/1985 | ~ Context | Alone: weak identifier. Combined with a name or postcode: strong PII |
| Revenue: £4.2 million | ✗ Not PII | Business figure — does not identify an individual (unless the business is a sole trader) |
| SSN: 123-45-6789 | ✓ PII | Government-issued direct identifier — uniquely identifies one individual |
| Country: Germany | ✗ Not PII | Too broad to identify anyone — applies to 84+ million people |
| 12 Baker Street, London, W1U 3BL | ✓ PII | Full postal address with postcode — narrows to a specific property and resident |
| User satisfaction: 87% | ✗ Not PII | Aggregate statistic — no individual is identifiable from this figure |
| IP: 203.0.113.42 | ✓ PII | Personal data under GDPR (Breyer v Germany, 2016) — can identify a household via ISP |
| Age range: 35–44 | ✗ Not PII | Demographic bucket — covers millions of people, not an individual |
| Diagnosis: Type 2 Diabetes | 🔴 Special PII | GDPR Article 9 special category health data — highest protection level |
| Product category: electronics | ✗ Not PII | Category label — describes a product, not a person |
| IBAN: GB29 NWBK 6016 1331 9268 19 | ✓ PII | Financial identifier directly linked to an individual's bank account |

Legend: ✓ PII = always personal data  |  ✗ Not PII = not identifiable on its own  |  ~ Context = depends on combination with other data

Standard PII Types

These are the most common categories of personally identifiable information found in everyday documents, emails, and records.

Full Name

✓ Detected · 🟡 Medium

A person's first name, last name, or full name. Names are the most common form of PII and appear in virtually every document. Even partial names (e.g. "John S.") can identify someone in context.

John Smith · María García · 张伟

✉️ Email Address

✓ Detected · 🟡 Medium

Email addresses are direct identifiers — unique to an individual or household, used to contact, track, and authenticate users across virtually every online service.

john.smith@email.com

Phone Number

✓ Detected · 🟡 Medium

Mobile and landline numbers — including international formats — are direct identifiers. Used for two-factor authentication, marketing, and contact tracking across borders.

+44 7700 900123 · +1 (555) 000-1234

Postal Address

✓ Detected · 🟡 Medium

Home and work addresses — including street, city, postcode and country — can pinpoint someone's physical location. Combined with a name, they represent a powerful and dangerous combination of PII.

12 Baker Street, London, W1U 3BL

🪪 National ID Number

✓ Detected · 🔴 High

Government-issued identity numbers — such as the UK National Insurance Number, US Social Security Number, Romanian CNP, or German Personalausweis number — are among the most sensitive standard PII identifiers.

SSN: 123-45-6789 · NIN: AB 12 34 56 C

🛂 Passport & Licence Numbers

✓ Detected · 🔴 High

Passport numbers, driver's licence numbers, and other travel document identifiers. Commonly found in HR records, onboarding documents, and legal contracts.

Passport: GBR 123456789

🏦 IBAN & Bank Account Numbers

✓ Detected · 🔴 High

International Bank Account Numbers (IBANs) and sort code / account number combinations directly identify a person's financial account. Exposure can enable fraud and unauthorised transactions.

GB29 NWBK 6016 1331 9268 19

Credit & Debit Card Numbers

✓ Detected · 🔴 High

16-digit card numbers — including Visa, Mastercard, and Amex formats — are regulated under PCI DSS as well as GDPR. Exposure can result in immediate financial fraud.

4532 0151 1283 0366

IP Address

✓ Detected · 🟡 Medium

Under GDPR, IP addresses are considered personal data. They can identify a household's approximate location and internet service provider, and are routinely used to track user behaviour online.

192.168.1.1 · 203.0.113.42

Date of Birth

✓ Detected · 🟡 Medium

On its own, a date of birth is a weak identifier. Combined with a name or postcode, it becomes a strong one. DOBs appear frequently in HR documents, medical records, and legal forms.

15/04/1985 · April 15, 1985

📍 Location Data

🟡 Medium

GPS coordinates, geolocation data from apps, and precise location histories can identify where a person lives, works, or travels. Increasingly regulated under GDPR and CCPA.

51.5074° N, 0.1278° W

🍪 Online Identifiers

🟡 Medium

Cookie IDs, device identifiers, advertising IDs, and similar tokens can identify users across sessions and platforms. GDPR explicitly names these as personal data in Recital 30.

IDFA: A1B2-C3D4-E5F6-G7H8

🏛️ VAT & Tax ID Numbers

✓ Detected · 🟡 Medium

Value Added Tax (VAT) numbers, tax identification numbers (TINs), and national tax reference numbers directly identify businesses and individuals in government systems. Classified as personal data under GDPR when linked to an individual.

GB123456789 · DE987654321 · TIN: 12-3456789

🪪 Employee ID Numbers

✓ Detected · 🟡 Medium

Internal employee reference numbers linking an individual to their employment records, payroll, performance reviews, and HR files. Common in HR documents and payslips — constitute personal data under GDPR.

EMP-00421 · HR/2024/0082

🚗 Vehicle Registration Numbers

🟡 Medium

Licence plate numbers and VINs can identify the registered owner, linking to a person's home address and identity via government databases. Relevant in insurance documents, incident reports, and logistics records.

AB12 CDE · VIN: 1HGBH41JXMN109186

✍️ Digital Signatures

🟡 Medium

Electronic signatures — typed names, drawn signatures, or cryptographic tokens — uniquely identify a signatory's intent and identity. Found in contracts, NDAs, and legal documents.

DocuSign signature blocks · e-sign tokens

Social Media Handles

🟡 Medium

Usernames, screen names, and social media handles (e.g. @username on X/Twitter, LinkedIn profile URLs) can directly identify individuals. Under GDPR, they qualify as online identifiers and are considered personal data.

@john_smith · linkedin.com/in/johnsmith

GDPR Special Categories (Sensitive PII)

Under GDPR Article 9, these categories require a higher level of protection and cannot be processed without explicit legal justification.

Processing special category data without a valid legal basis under Article 9(2) is prohibited under GDPR and can result in fines of up to €20 million or 4% of global annual turnover — whichever is higher.

🏥 Health & Medical Data

Art. 9 · 🔴 Critical

Medical diagnoses, prescriptions, treatment records, disability status, and health insurance data. This is the most commonly encountered special category in professional documents.

Diagnoses · Lab results · Prescriptions

🧬 Biometric Data

Art. 9 · 🔴 Critical

Fingerprints, facial recognition data, iris scans, and voice prints. Biometric data is unique, permanent, and cannot be changed — making its exposure irreversible.

Fingerprint IDs · Facial geometry

🧪 Genetic Data

Art. 9 · 🔴 Critical

DNA profiles, genetic test results, and hereditary medical information. Genetic data can reveal information not just about the individual but about their family members.

DNA profiles · Ancestry data

Racial or Ethnic Origin

Art. 9 · 🔴 Critical

Information revealing a person's racial or ethnic background. Protected due to the significant risk of discrimination if disclosed without consent.

Nationality · Ethnicity declarations

🕌 Religious Beliefs

Art. 9 · 🔴 Critical

Religious or philosophical beliefs, including membership of religious organisations. Protected due to the risk of discrimination, persecution, or social harm.

Church membership · Faith declarations

🗳️ Political Opinions

Art. 9 · 🔴 Critical

Political views and party affiliation. Particularly sensitive in jurisdictions where political views could expose individuals to retaliation, discrimination, or safety risks.

Party membership · Voting records

🏳️ Sexual Orientation

Art. 9 · 🔴 Critical

Data revealing a person's sexual orientation or gender identity. Protected due to the significant risk of discrimination, harassment, or harm if disclosed.

Relationship status · Identity declarations

Why PII Is a Risk When Using AI Tools

Using ChatGPT, Claude, or Gemini with unredacted documents creates serious GDPR and data protection exposure.

When you paste a document into an AI tool, that content is transmitted to and processed on the AI provider's external servers. This means any PII in that document has left your organisation's control. Under GDPR Article 28, this constitutes a transfer to a third-party processor — which requires a Data Processing Agreement (DPA), a lawful basis, and potentially a Transfer Impact Assessment if the servers are outside the EU.

Most organisations using AI tools for drafting emails, summarising reports, or analysing data are unknowingly transferring PII every day. This includes names and contact details in email threads, patient information in medical notes, financial identifiers in spreadsheets, and employee data in HR documents.

The solution is simple: redact PII before it reaches the AI tool. By replacing names, emails, IDs, and financial data with neutral tokens (like [NAME_1] or [EMAIL_1]), you can use AI tools freely without transmitting personal data.

⚖️ GDPR Article 28

AI providers are third-party processors. Sending PII to them without a DPA may violate GDPR.

🌍 International Transfers

US-based AI servers mean cross-border data transfers — potentially requiring SCCs or a TIA under GDPR Chapter V.

💰 Fines Up to €20M

GDPR fines for unlawful processing can reach €20M or 4% of global turnover — whichever is greater.

The Fix: Redact First

Removing PII before pasting into any AI tool eliminates the data protection risk entirely.
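
The token substitution described above, as an added example (not PrivacyPromptAI's code): each distinct value gets a stable numbered token, and the token-to-value map stays on the local machine so the AI's reply can be re-identified afterwards. The two regexes and the names `redact` and `restore` are assumptions; personal names need NER and are not covered here.

```javascript
// Added example: tokenising redaction with a reversible, local-only mapping.
// The patterns are simplified assumptions, not any product's detection rules.
const PATTERNS = [
  { label: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g },
  { label: "IP", re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
    // Reject dotted quads with an octet above 255 (e.g. build numbers).
    ok: (m) => m.split(".").every((o) => Number(o) <= 255) },
];

function redact(text) {
  const tokenFor = new Map(); // normalised value -> token
  const valueFor = new Map(); // token -> first-seen original value
  const counters = {};
  let out = text;
  for (const { label, re, ok } of PATTERNS) {
    out = out.replace(re, (match) => {
      if (ok && !ok(match)) return match;
      // Case-insensitive key so the same address always maps to one token,
      // which preserves "same person" relationships for the AI tool.
      const key = label + "\u0000" + match.toLowerCase();
      if (!tokenFor.has(key)) {
        counters[label] = (counters[label] || 0) + 1;
        const token = `[${label}_${counters[label]}]`;
        tokenFor.set(key, token);
        valueFor.set(token, match);
      }
      return tokenFor.get(key);
    });
  }
  // valueFor must never be sent along with the redacted text.
  return { text: out, valueFor };
}

function restore(text, valueFor) {
  // Unknown tokens are left untouched rather than guessed.
  return text.replace(/\[[A-Z]+_\d+\]/g, (t) => (valueFor.has(t) ? valueFor.get(t) : t));
}

// Constructed sample input built from the page's example values.
const SAMPLE =
  "From john.smith@email.com (203.0.113.42): please reply to " +
  "John.Smith@email.com or support@company.com.";

const result = redact(SAMPLE);
console.log(result.text);
console.log(restore("Send the summary to [EMAIL_2] and block [IP_1].", result.valueFor));
```

The generic `support@company.com` address is tokenised too: a pattern matcher cannot tell a shared mailbox from a personal one, so over-redaction is the safe default.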


PII in Specific Document Types

Every document type carries a different profile of personal data.

📄 CVs & Resumes

Among the most PII-dense documents in everyday use. Typically contain: full name, home address, phone number, personal email, date of birth, nationality, photo, LinkedIn URL, employment history with employer names and dates, and educational institution names. Some CVs also include national ID numbers, driving licence details, and references with third-party personal data.

Full Name · Address · Date of Birth · Email · Phone · LinkedIn URL · National ID · Driving Licence

🏥 Medical Records

Contain GDPR special category data and all 18 HIPAA Safe Harbor identifiers: patient name, date of birth, address, phone, email, NHS/insurance number, dates of admission and discharge, diagnoses, prescriptions, test results, and treating clinician names. The combination of health status and identity makes these the highest-risk documents for PII exposure.

Patient Name · Date of Birth · NHS Number · Diagnosis · Prescriptions · Test Results · Clinician Names

🧾 Invoices & Purchase Orders

Contain: full name or company name, billing address, email, phone number, VAT/tax ID, IBAN or bank account number, and transaction amounts. When issued to sole traders or individuals, every field is personal data under GDPR. Even business invoices can contain personal data if the named contact is identifiable as an individual.

Full Name · IBAN · VAT ID · Billing Address · Email · Phone

📋 Contracts & NDAs

Legal agreements typically include: full legal names, home or business addresses, national ID or passport numbers, dates of birth, signatures, and sometimes financial terms tied to individuals. Employment contracts additionally include salary figures, bank details, and personal references. All of this is personal data requiring protection before sharing with AI tools or third parties.

Legal Name · Passport No. · Signature · Address · Salary · Bank Details

✉️ Email Threads

Often overlooked as a source of PII. An email thread accumulates: sender and recipient names and email addresses, phone numbers and job titles in signatures, and personal details mentioned in the body — including third-party information about clients, colleagues, or customers who never consented to their data being shared. Always redact the full thread before analysing with AI tools.

Sender Names · Email Addresses · Phone Numbers · Job Titles · Client Details

📊 Spreadsheets & Databases

The highest-volume PII risk — a single spreadsheet can contain thousands of records each with multiple PII fields: names, emails, phone numbers, addresses, customer IDs, purchase history, and financial data. Hidden rows, filtered views, and metadata can contain additional PII not visible on screen. Pro plan supports XLSX and CSV redaction for bulk data files.

Customer Lists · Employee Records · Emails · Financial Data · Hidden Metadata

How PrivacyPromptAI Detects PII

Our detection engine identifies all standard PII types automatically — locally in your browser, with nothing uploaded anywhere.

🔍 Pattern Matching

Advanced regular expressions detect emails, phone numbers, IBANs, credit card numbers, IP addresses, postcodes and dates — adapting to country-specific formats across 23 languages.

🧠 Named Entity Recognition

Our NER engine identifies personal names and organisation names even without a fixed format — handling language-specific name structures across European languages.

🔑 Custom Keywords

Add your own terms to the detection list — project codenames, internal identifiers, or any custom phrase you want redacted every time. Available on the Pro plan.

🛡️ 100% Local

Every detection and redaction runs entirely inside your browser. No document content is ever sent to our servers. You can even use it offline.

Detected PII types: Names · Email addresses · Phone numbers · Postal addresses · National IDs · IBANs · Credit card numbers · IP addresses · Dates · Custom keywords — across 23 European languages.
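
A regex alone flags every 16-digit order number and every IBAN-shaped string, so pattern-matched candidates are normally confirmed with the identifier's own checksum. This added example (not the product's code) applies the Luhn check to card candidates and the mod-97 check to IBAN candidates; the regexes and function names are assumptions, and the sample text is constructed from the page's example values.

```javascript
// Added example: checksum validation of regex candidates to cut false positives.
function luhnValid(candidate) {
  const d = candidate.replace(/\D/g, "");
  if (d.length < 13 || d.length > 19) return false;
  let sum = 0;
  for (let i = 0; i < d.length; i++) {
    let n = Number(d[d.length - 1 - i]);
    // Double every second digit counting from the right.
    if (i % 2 === 1) { n *= 2; if (n > 9) n -= 9; }
    sum += n;
  }
  return sum % 10 === 0;
}

function ibanValid(candidate) {
  const s = candidate.replace(/\s+/g, "").toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(s)) return false;
  // Move country code and check digits to the end, map A..Z to 10..35,
  // then the whole number must leave remainder 1 when divided by 97.
  const rearranged = s.slice(4) + s.slice(0, 4);
  const digits = rearranged.replace(/[A-Z]/g, (c) => String(c.charCodeAt(0) - 55));
  return BigInt(digits) % 97n === 1n;
}

// Simplified candidate patterns (assumptions): grouped IBANs, 13-19 digit cards.
const IBAN_RE = /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b/g;
const CARD_RE = /\b\d(?:[ -]?\d){12,18}\b/g;

function findFinancialIds(text) {
  const findings = [];
  // Confirm IBANs first and blank them out, so the digit run inside an
  // IBAN is not examined a second time as a card-number candidate.
  const masked = text.replace(IBAN_RE, (m) => {
    if (!ibanValid(m)) return m;
    findings.push({ type: "IBAN", value: m });
    return " ".repeat(m.length);
  });
  for (const m of masked.match(CARD_RE) || []) {
    if (luhnValid(m)) findings.push({ type: "CARD", value: m });
  }
  return findings;
}

// Constructed sample: one valid IBAN and card (the page's examples), plus an
// order reference and an IBAN whose check digits were altered.
const SAMPLE_TEXT =
  "Pay to GB29 NWBK 6016 1331 9268 19 using card 4532 0151 1283 0366. " +
  "Order ref 4532 0151 1283 0367, old IBAN GB28 NWBK 6016 1331 9268 19.";

console.log(findFinancialIds(SAMPLE_TEXT));
```

Checksums lower false positives but a failed check does not prove a string is harmless: a mistyped real IBAN is still personal data, so a stricter deployment may redact failed candidates as well.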

Frequently Asked Questions — What Is PII?

Standard PII identifies a person — name, email, phone, address. Special category data (GDPR Article 9) is a higher-risk subset that includes health records, biometric data, racial or ethnic origin, religious beliefs, and sexual orientation. Special category data cannot be processed without explicit legal justification and carries fines up to €20M if mishandled. See our compliance page for more.
Yes. The Court of Justice of the EU confirmed in Breyer v Germany (2016) that dynamic IP addresses constitute personal data when the data controller has the means to identify the person. This applies to log files, analytics exports, and any document containing IPv4 or IPv6 addresses. PrivacyPromptAI detects and redacts both formats automatically in the homepage tool.
Yes — this is called indirect identification. A name alone may not identify someone in a large dataset. But a name combined with a date of birth and postcode almost certainly will. GDPR treats any combination of data that makes a person identifiable as personal data, regardless of whether individual fields appear innocuous. This is why PrivacyPromptAI redacts multiple data types together.
The most frequent PII in business documents are: full names and email addresses (contracts, invoices, emails), phone numbers (HR records, client files), IBANs and bank details (invoices, payment records), and national ID or VAT numbers (legal contracts, onboarding forms). Our Features page lists every category PrivacyPromptAI detects.
Yes. Biometric data is any data resulting from specific technical processing of physical, physiological or behavioural characteristics that allows or confirms unique identification — including fingerprints, facial recognition data, iris scans, voice patterns, and gait data. Under GDPR Article 9, biometric data processed for the purpose of uniquely identifying a natural person is classified as special category data, requiring explicit consent or another Article 9(2) legal basis. It cannot be used in AI tools without removing it first. PrivacyPromptAI detects textual references to biometric identifiers in documents.
A job title alone — "Marketing Manager" or "Senior Developer" — is generally not PII because it does not identify a specific individual. However, a job title combined with an employer name and location can narrow the field to a single person and therefore constitute PII. Under GDPR, the test is always whether the combination of data allows identification of a specific natural person. When a job title appears alongside a name, email, or other identifiers in a document, the entire record is personal data. See our FAQ for more examples.
It depends. A VAT number belonging to a limited company is generally not personal data — it identifies the legal entity, not an individual. However, a VAT number registered to a sole trader or self-employed person is personal data, because it directly identifies that individual. Treat sole-trader VAT numbers, UK UTR numbers, and similar self-employment identifiers as PII and redact them before sharing documents with AI tools. PrivacyPromptAI detects VAT numbers in documents as part of its financial identifier detection. See Features for all detected types.
Yes. A person's salary, income, or financial details are personal data under GDPR because they relate to an identifiable individual. When combined with a name or employee ID in a document, salary data becomes directly identifiable PII. It should be redacted before sharing HR documents, payroll records, or contracts with AI tools.
Yes. Photographs of individuals are personal data under GDPR because they can identify a specific person. If processed through facial recognition or biometric analysis, photos additionally qualify as special category biometric data requiring explicit consent. Any document containing embedded photos of individuals should be treated as containing personal data.
Yes. Device fingerprinting — collecting combinations of browser type, screen resolution, installed fonts, time zone, and similar attributes — constitutes personal data under GDPR when it can single out an individual. The GDPR recitals explicitly state that online identifiers such as device fingerprints may leave traces that can be used to identify individuals. If your documents reference device fingerprint data tied to individuals, treat it as PII.
