Types of PII Data: Complete Guide to Personal Information

Every type of Personally Identifiable Information (PII): from names and emails to GDPR special categories

Personally Identifiable Information (PII) is any data that can identify a specific individual, either on its own (like a full name or passport number) or combined with other information (like a date of birth and zip code).

Remove PII from your documents now → Try our free cleaning tool

📌 TL;DR: Quick Summary

PII (Personally Identifiable Information) includes 10+ standard types: names, emails, phone numbers, SSN, credit cards, IBANs, addresses, national IDs, passports, and IP addresses, plus 7 GDPR special categories (health data, biometric data, genetic data, racial/ethnic origin, religious beliefs, political opinions, and sexual orientation). Always remove all PII before using ChatGPT, Claude, or any AI tool to stay GDPR-compliant. Use our free cleaning tool → Not sure how to start? Follow our step-by-step guide to removing PII before AI.

What Is PII?

The foundational definition, and why it matters more than ever in the age of AI.

The Privacy Herald
Reporting on personal data exposure since GDPR day one
Millions of records exposed — regulators ask: did you even know what PII was?
As GDPR fines surpass €4 billion globally, investigators find the same root cause in breach after breach: organisations failed to recognise personal data sitting in plain sight inside everyday documents.
👉 Click the black bars in the article below to reveal hidden personal data
Dr. Elena Vasquez elena.vasquez@acmecorp.com GB29 NWBK 6016 1331 9268 19 DOB: 15 March 1985
Every document you write contains data worth protecting. PrivacyPromptAI finds it before anyone else does.

PII stands for Personally Identifiable Information — any data, or combination of data, that can identify a specific living person, directly or indirectly. In the most recent case reviewed by this publication, a contractor shared a routine project update containing the name Dr. Elena Vasquez, her work email elena@acmecorp.com, and a bank reference GB29 NWBK 6016 1331 9268 19 with an unvetted AI tool. None of it was flagged internally.

Under GDPR Article 4(1), this is called "personal data": "any information relating to an identified or identifiable natural person." The document also contained a note referencing a chronic respiratory condition — special category data under Article 9 — and a date of birth: 15 March 1985. The contractor had no idea either qualified as personal data.

"Most breaches we investigate don't begin with a cyberattack," said the supervising authority. "They begin with someone emailing a spreadsheet."

GDPR fine calculator
Company annual revenue
€1M€25M€100M+
Breach type
Standard PII (Art. 6) Special category (Art. 9)
€0.5M
or 2% of global turnover — whichever is higher
Notable GDPR fines
Meta — health tracking€1.2B
Amazon — consent failures€746M
TikTok — children's data€345M
WhatsApp — transparency€225M
10+
Standard PII types detected
7
GDPR special categories
23
Languages supported
€20M
Max GDPR fine for breaches

PII vs Non-PII. Real Examples

Not all data about a person is PII. The key test is whether the information can identify a specific individual, either directly or in combination with other data.

Data Item PII? Why / Why Not
john.smith@email.com ✓ PII Directly identifies an individual. Unique to a person or household.
support@company.com ✗ Not PII Generic business address. Does not identify a specific individual.
Date of birth: 15/04/1985 ~ Context Alone: weak identifier. Combined with a name or postcode: strong PII
Revenue: £4.2 million ✗ Not PII Business figure. Does not identify an individual, unless the business is a sole trader.
SSN: 123-45-6789 ✓ PII Government-issued direct identifier. Uniquely identifies one individual.
Country: Germany ✗ Not PII Too broad to identify anyone. Applies to 84+ million people.
12 Baker Street, London, W1U 3BL ✓ PII Full postal address with postcode. Narrows to a specific property and resident.
User satisfaction: 87% ✗ Not PII Aggregate statistic: no individual is identifiable from this figure
IP: 203.0.113.42 ✓ PII Personal data under GDPR (Breyer v Germany, 2016). Can identify a household via ISP.
Age range: 35–44 ✗ Not PII Demographic bucket. Covers millions of people, not an individual.
Diagnosis: Type 2 Diabetes 🔴 Special PII GDPR Article 9 special category health data. Highest protection level.
Product category: electronics ✗ Not PII Category label. Describes a product, not a person.
IBAN: GB29 NWBK 6016 1331 9268 19 ✓ PII Financial identifier directly linked to an individual's bank account

Legend: ✓ PII = always personal data  |  ✗ Not PII = not identifiable on its own  |  ~ Context = depends on combination with other data

Direct vs. Indirect Identifiers: How PII Is Classified

Not all personal data works the same way. Understanding the difference helps you spot risk in places you might not expect.

Direct identifiers

A direct identifier points to one specific person on its own, no extra information needed. A full name, an email address, a passport number, or a national ID number all work this way. Most of the entries in the type library below fall into this category.

Indirect identifiers (quasi-identifiers)

An indirect identifier does not name anyone by itself, but becomes identifying once it is combined with other details. A ZIP code alone means nothing. A ZIP code, a date of birth, and a job title together can narrow a search down to one household or one employee record. Common examples include:

  • ZIP or postal code, harmless alone, but a strong narrowing factor when paired with age or gender
  • Education history, such as a school name and graduation year
  • Browsing or behavioral patterns, such as a repeated sequence of pages visited or purchases made
  • Job titles and employer names can play the same role. See the FAQ further down this page for how GDPR treats those.

To see how few indirect identifiers it takes to single someone out, our visual guide to PII walks through a real re-identification example.

Device and digital identifiers

Beyond IP addresses and device fingerprinting (covered in the FAQ below), other technical values fall into the same bucket: a MAC address tied to one piece of hardware, or a mobile advertising ID tied to one phone. None of these carry a name, but all of them can be traced back to one device, and from there, to one person.

Metadata hidden inside files

A photo does not need to show a face to carry personal data. Most phone cameras embed EXIF metadata inside every image, invisible in the picture itself, including the exact GPS coordinates where it was taken, the device model, and the timestamp. Forwarding a photo with its metadata intact can reveal someone's home address even if the image shows nothing but a coffee cup on a table.

A quick classification checklist

Before sharing a document, ask:

  • Does it contain a direct identifier on its own: name, ID number, email, phone?
  • Could two or more indirect details in the document be combined to point to one person?
  • Do any embedded files, like photos, still carry their original metadata?
  • Would a stranger reading this document be able to work out who it is about?

If the answer to any of these is yes, the document contains personal data and should be handled accordingly.

Standard PII Types

These are the most common categories of personally identifiable information found in everyday documents, emails, and records. Click any card to expand the detail.

Still have questions?

Browse the FAQ

Plain-language answers to common questions about PII, GDPR, AI privacy risks, and how PrivacyPromptAI works.

No cards match this filter.

Full Name

✓ Auto-detected Medium risk

A person's first name, last name, or full name is direct PII. Even partial names (e.g. "Mr. John") can identify someone when combined with other data in a document.

John Smith María García

Email Address

✓ Auto-detected High risk

Email addresses directly identify a person and are one of the most commonly exposed PII types in business documents, contracts, and reports.

john.smith@company.com

Phone Number

✓ Auto-detected High risk

Mobile and landline numbers are direct identifiers. They appear in contracts, HR records, invoices, and customer data exports, often alongside names.

+44 7700 900123 +1 555 867 5309

Home / Postal Address

✓ Auto-detected High risk

Postal addresses, including street, city, postcode and country, identify a person's residence and are classified as direct PII under GDPR.

12 Baker Street, London, NW1 6XE

National ID / SSN

✓ Auto-detected Critical risk

National identity numbers (SSN, NIN, BSN, CNP, etc.) are among the highest-risk PII types. Exposure can lead to identity theft and is a reportable GDPR breach.

078-05-1120 AB 12 34 56 C

Passport / Driver's Licence

✓ Auto-detected Critical risk

Passport and driver's licence numbers are government-issued identifiers that uniquely identify individuals. They frequently appear in KYC, legal, and HR documents.

P123456789 SMITH701031JS9IJ

Date of Birth

✓ Auto-detected High risk

Date of birth is a key identifier used in identity verification. Combined with a name or postcode, it almost always uniquely identifies a person under GDPR.

15/03/1985 March 15, 1985

IP Address

✓ Auto-detected Medium risk

The CJEU confirmed in Breyer v Germany (2016) that dynamic IP addresses are personal data. They appear in log files, analytics exports, and server records.

192.168.1.1 2001:db8::1

Credit / Debit Card Number

✓ Auto-detected Critical risk

Card numbers (PAN) are both PII and payment card data under PCI-DSS. Exposure carries GDPR fines and potential card fraud liability. Must be removed before sharing any document.

4111 1111 1111 1111

IBAN / Bank Account Number

✓ Auto-detected Critical risk

IBANs and bank account numbers identify an individual's financial account. Common in invoices and contracts, these are high-risk PII that must be cleaned before AI use.

GB29 NWBK 6016 1331 9268 19

Health & Medical Data

🔥 Special Category Critical risk

Health records, diagnoses, prescriptions, disability status, and the 18 HIPAA Safe Harbor identifiers are special category data under GDPR Article 9. Processing requires explicit consent or a specific legal basis.

Biometric Data

🔥 Special Category Critical risk

Fingerprints, facial recognition data, iris scans, and voice patterns are GDPR Article 9 special category data when used for unique identification. Requires explicit consent to process.

Racial / Ethnic Origin

🔥 Special Category Critical risk

Any data revealing racial or ethnic origin is classified as special category data under GDPR Article 9. This includes demographic records, diversity surveys, and background check documents.

Religious Beliefs

🔥 Special Category Critical risk

References to a person's religion, faith, or church membership are special category data. Documents containing this information require explicit legal justification to process under GDPR Article 9.

Political Opinions

🔥 Special Category Critical risk

Political party membership, voting behaviour, and political views are special category data under GDPR Article 9. Fines for unlawful processing can reach €20M or 4% of global turnover.

Sexual Orientation

🔥 Special Category Critical risk

Data revealing a person's sexual orientation or gender identity is special category data under GDPR Article 9. Its exposure can cause significant harm and requires the highest level of legal justification to process.

Salary / Income

✓ Auto-detected High risk

A person's salary, income, or financial details are personal data under GDPR when linked to an identifiable individual. Common in HR documents, payroll records, and employment contracts.

£65,000 per annum

Vehicle Registration Number

✓ Auto-detected Medium risk

A vehicle registration (licence plate) can identify its registered owner via public records. Appears in incident reports, insurance records, and parking logs. Treat as PII before sharing documents.

AB12 CDE

Username / Online Handle

Medium risk

A pseudonymous handle consistently linked to a real person (via profile photo, location, or real name elsewhere) is personal data under GDPR. Most usernames in business records qualify.

@jsmith_london

Photos / Images

High risk

Photographs of individuals are personal data under GDPR. When processed via facial recognition, they additionally qualify as special category biometric data requiring explicit consent.

Frequently Asked Questions. What Is PII?

Standard PII identifies a person: name, email, phone, address. Special category data (GDPR Article 9) is a higher-risk subset that includes health records, biometric data, racial or ethnic origin, religious beliefs, and sexual orientation. Special category data cannot be processed without explicit legal justification and carries fines up to €20M if mishandled. See our compliance page → for more.
Yes. The Court of Justice of the EU confirmed in Breyer v Germany (2016) that dynamic IP addresses constitute personal data when the data controller has the means to identify the person. This applies to log files, analytics exports, and any document containing IPv4 or IPv6 addresses. PrivacyPromptAI detects and cleans both formats automatically in the homepage tool →
Yes, this is called indirect identification. A name alone may not identify someone in a large dataset. But a name combined with a date of birth and postcode almost certainly will. GDPR treats any combination of data that makes a person identifiable as personal data, regardless of whether individual fields appear innocuous. This is why PrivacyPromptAI cleans multiple data types together.
The most frequent PII in business documents are: full names and email addresses (contracts, invoices, emails), phone numbers (HR records, client files), IBANs and bank details (invoices, payment records), and national ID or VAT numbers (legal contracts, onboarding forms). Our Features page → lists every category PrivacyPromptAI detects.
Yes. Biometric data is any data resulting from specific technical processing of physical, physiological or behavioural characteristics that allows or confirms unique identification, including fingerprints, facial recognition data, iris scans, voice patterns, and gait data. Under GDPR Article 9, biometric data processed for the purpose of uniquely identifying a natural person is classified as special category data, requiring explicit consent or another Article 9(2) legal basis. It cannot be used in AI tools without removing it first. PrivacyPromptAI detects textual references to biometric identifiers in documents.
A job title alone, such as "Marketing Manager" or "Senior Developer", is generally not PII because it does not identify a specific individual. However, a job title combined with an employer name and location can narrow the field to a single person and therefore constitute PII. Under GDPR, the test is always whether the combination of data allows identification of a specific natural person. When a job title appears alongside a name, email, or other identifiers in a document, the entire record is personal data. See our FAQ → for more examples.
It depends. A VAT number belonging to a limited company is generally not personal data, as it identifies the legal entity, not an individual. However, a VAT number registered to a sole trader or self-employed person is personal data, because it directly identifies that individual. Treat sole-trader VAT numbers, UK UTR numbers, and similar self-employment identifiers as PII and clean them before sharing documents with AI tools. PrivacyPromptAI detects VAT numbers in documents as part of its financial identifier detection. See Features → for all detected types.
Yes. A person's salary, income, or financial details are personal data under GDPR because they relate to an identifiable individual. When combined with a name or employee ID in a document, salary data becomes directly identifiable PII. It should be cleaned before sharing HR documents, payroll records, or contracts with AI tools.
Yes. Photographs of individuals are personal data under GDPR because they can identify a specific person. If processed through facial recognition or biometric analysis, photos additionally qualify as special category biometric data requiring explicit consent. Any document containing embedded photos of individuals should be treated as containing personal data.
Yes. Device fingerprinting, collecting combinations of browser type, screen resolution, installed fonts, time zone, and similar attributes, constitutes personal data under GDPR when it can single out an individual. The GDPR recitals explicitly state that online identifiers such as device fingerprints may leave traces that can be used to identify individuals. If your documents reference device fingerprint data tied to individuals, treat it as PII.
Yes. A vehicle registration number (licence plate) is personal data under GDPR because it can be used, directly or through publicly available records, to identify the registered owner. This applies even if the owner is a company, where the employee who uses the vehicle may be identifiable. Documents such as incident reports, insurance records or parking logs containing registration numbers should be treated as containing personal data before being shared with AI tools or third parties.
It depends on whether the username can be linked to a real person. A pseudonymous handle used consistently across platforms, particularly one associated with a profile photo, location or real name elsewhere, is personal data under GDPR, because the person is indirectly identifiable. A truly anonymous throwaway account with no connection to a real individual is not. In practice, most usernames in business documents or customer records are linked to real accounts and should be treated as personal data.
Yes. Under GDPR Article 9, both religious beliefs and political opinions are classified as special category data, the highest-risk category of personal information. Processing this data requires explicit consent or another specific legal basis under Article 9(2). These are among the most sensitive identifiers a document can contain. Any file referencing a named individual's faith, church membership, political party affiliation, trade union involvement, or voting behaviour should be treated with the highest level of care before being shared with AI tools or third parties.
A direct identifier, such as a full name, email address, or passport number, identifies a specific person on its own. A quasi-identifier (also called an indirect identifier), such as a ZIP code, date of birth, or job title, does not identify anyone by itself but can become identifying when combined with other quasi-identifiers or with publicly available data. Documents containing several quasi-identifiers together should be treated with the same care as documents containing direct identifiers.
Yes. Most smartphone photos embed EXIF metadata that is invisible in the image itself but readable by software, including GPS coordinates, device model, and the exact date and time the photo was taken. Under GDPR, this metadata is personal data when it can be linked to an identifiable individual, for example, a home address revealed through GPS coordinates. Removing or checking EXIF data before sharing photos is as important as reviewing the visible content.