Types of PII Data: Complete Guide to Personal Information
Every type of Personally Identifiable Information (PII): from names and emails to GDPR special categories
Personally Identifiable Information (PII) is any data that can identify a specific individual, either on its own (like a full name or passport number) or combined with other information (like a date of birth and zip code).
Remove PII from your documents now → Try our free cleaning tool
PII (Personally Identifiable Information) includes 10+ standard types: names, emails, phone numbers, SSN, credit cards, IBANs, addresses, national IDs, passports, and IP addresses, plus 7 GDPR special categories (health data, biometric data, genetic data, racial/ethnic origin, religious beliefs, political opinions, and sexual orientation). Always remove all PII before using ChatGPT, Claude, or any AI tool to stay GDPR-compliant. Use our free cleaning tool → Not sure how to start? Follow our step-by-step guide to removing PII before AI.
What Is PII?
The foundational definition, and why it matters more than ever in the age of AI.
PII stands for Personally Identifiable Information — any data, or combination of data, that can identify a specific living person, directly or indirectly. In the most recent case reviewed by this publication, a contractor shared a routine project update containing the name Dr. Elena Vasquez, her work email elena@acmecorp.com, and a bank reference GB29 NWBK 6016 1331 9268 19 with an unvetted AI tool. None of it was flagged internally.
Under GDPR Article 4(1), this is called "personal data": "any information relating to an identified or identifiable natural person." The document also contained a note referencing a chronic respiratory condition — special category data under Article 9 — and a date of birth: 15 March 1985. The contractor had no idea either qualified as personal data.
"Most breaches we investigate don't begin with a cyberattack," said the supervising authority. "They begin with someone emailing a spreadsheet."
PII vs Non-PII. Real Examples
Not all data about a person is PII. The key test is whether the information can identify a specific individual, either directly or in combination with other data.
| Data Item | PII? | Why / Why Not |
|---|---|---|
| john.smith@email.com | ✓ PII | Directly identifies an individual. Unique to a person or household. |
| support@company.com | ✗ Not PII | Generic business address. Does not identify a specific individual. |
| Date of birth: 15/04/1985 | ~ Context | Alone: weak identifier. Combined with a name or postcode: strong PII |
| Revenue: £4.2 million | ✗ Not PII | Business figure. Does not identify an individual, unless the business is a sole trader. |
| SSN: 123-45-6789 | ✓ PII | Government-issued direct identifier. Uniquely identifies one individual. |
| Country: Germany | ✗ Not PII | Too broad to identify anyone. Applies to 84+ million people. |
| 12 Baker Street, London, W1U 3BL | ✓ PII | Full postal address with postcode. Narrows to a specific property and resident. |
| User satisfaction: 87% | ✗ Not PII | Aggregate statistic: no individual is identifiable from this figure |
| IP: 203.0.113.42 | ✓ PII | Personal data under GDPR (Breyer v Germany, 2016). Can identify a household via ISP. |
| Age range: 35–44 | ✗ Not PII | Demographic bucket. Covers millions of people, not an individual. |
| Diagnosis: Type 2 Diabetes | 🔴 Special PII | GDPR Article 9 special category health data. Highest protection level. |
| Product category: electronics | ✗ Not PII | Category label. Describes a product, not a person. |
| IBAN: GB29 NWBK 6016 1331 9268 19 | ✓ PII | Financial identifier directly linked to an individual's bank account |
Legend: ✓ PII = always personal data | ✗ Not PII = not identifiable on its own | ~ Context = depends on combination with other data
Direct vs. Indirect Identifiers: How PII Is Classified
Not all personal data works the same way. Understanding the difference helps you spot risk in places you might not expect.
Direct identifiers
A direct identifier points to one specific person on its own, no extra information needed. A full name, an email address, a passport number, or a national ID number all work this way. Most of the entries in the type library below fall into this category.
Indirect identifiers (quasi-identifiers)
An indirect identifier does not name anyone by itself, but becomes identifying once it is combined with other details. A ZIP code alone means nothing. A ZIP code, a date of birth, and a job title together can narrow a search down to one household or one employee record. Common examples include:
- ZIP or postal code, harmless alone, but a strong narrowing factor when paired with age or gender
- Education history, such as a school name and graduation year
- Browsing or behavioral patterns, such as a repeated sequence of pages visited or purchases made
- Job titles and employer names can play the same role. See the FAQ further down this page for how GDPR treats those.
To see how few indirect identifiers it takes to single someone out, our visual guide to PII walks through a real re-identification example.
Device and digital identifiers
Beyond IP addresses and device fingerprinting (covered in the FAQ below), other technical values fall into the same bucket: a MAC address tied to one piece of hardware, or a mobile advertising ID tied to one phone. None of these carry a name, but all of them can be traced back to one device, and from there, to one person.
Metadata hidden inside files
A photo does not need to show a face to carry personal data. Most phone cameras embed EXIF metadata inside every image, invisible in the picture itself, including the exact GPS coordinates where it was taken, the device model, and the timestamp. Forwarding a photo with its metadata intact can reveal someone's home address even if the image shows nothing but a coffee cup on a table.
A quick classification checklist
Before sharing a document, ask:
- Does it contain a direct identifier on its own: name, ID number, email, phone?
- Could two or more indirect details in the document be combined to point to one person?
- Do any embedded files, like photos, still carry their original metadata?
- Would a stranger reading this document be able to work out who it is about?
If the answer to any of these is yes, the document contains personal data and should be handled accordingly.
Standard PII Types
These are the most common categories of personally identifiable information found in everyday documents, emails, and records. Click any card to expand the detail.
Still have questions?
Browse the FAQ
Plain-language answers to common questions about PII, GDPR, AI privacy risks, and how PrivacyPromptAI works.
Full Name
A person's first name, last name, or full name is direct PII. Even partial names (e.g. "Mr. John") can identify someone when combined with other data in a document.
John Smith María GarcíaEmail Address
Email addresses directly identify a person and are one of the most commonly exposed PII types in business documents, contracts, and reports.
john.smith@company.comPhone Number
Mobile and landline numbers are direct identifiers. They appear in contracts, HR records, invoices, and customer data exports, often alongside names.
+44 7700 900123 +1 555 867 5309Home / Postal Address
Postal addresses, including street, city, postcode and country, identify a person's residence and are classified as direct PII under GDPR.
12 Baker Street, London, NW1 6XENational ID / SSN
National identity numbers (SSN, NIN, BSN, CNP, etc.) are among the highest-risk PII types. Exposure can lead to identity theft and is a reportable GDPR breach.
078-05-1120 AB 12 34 56 CPassport / Driver's Licence
Passport and driver's licence numbers are government-issued identifiers that uniquely identify individuals. They frequently appear in KYC, legal, and HR documents.
P123456789 SMITH701031JS9IJDate of Birth
Date of birth is a key identifier used in identity verification. Combined with a name or postcode, it almost always uniquely identifies a person under GDPR.
15/03/1985 March 15, 1985IP Address
The CJEU confirmed in Breyer v Germany (2016) that dynamic IP addresses are personal data. They appear in log files, analytics exports, and server records.
192.168.1.1 2001:db8::1Credit / Debit Card Number
Card numbers (PAN) are both PII and payment card data under PCI-DSS. Exposure carries GDPR fines and potential card fraud liability. Must be removed before sharing any document.
4111 1111 1111 1111IBAN / Bank Account Number
IBANs and bank account numbers identify an individual's financial account. Common in invoices and contracts, these are high-risk PII that must be cleaned before AI use.
GB29 NWBK 6016 1331 9268 19Health & Medical Data
Health records, diagnoses, prescriptions, disability status, and the 18 HIPAA Safe Harbor identifiers are special category data under GDPR Article 9. Processing requires explicit consent or a specific legal basis.
Biometric Data
Fingerprints, facial recognition data, iris scans, and voice patterns are GDPR Article 9 special category data when used for unique identification. Requires explicit consent to process.
Racial / Ethnic Origin
Any data revealing racial or ethnic origin is classified as special category data under GDPR Article 9. This includes demographic records, diversity surveys, and background check documents.
Religious Beliefs
References to a person's religion, faith, or church membership are special category data. Documents containing this information require explicit legal justification to process under GDPR Article 9.
Political Opinions
Political party membership, voting behaviour, and political views are special category data under GDPR Article 9. Fines for unlawful processing can reach €20M or 4% of global turnover.
Sexual Orientation
Data revealing a person's sexual orientation or gender identity is special category data under GDPR Article 9. Its exposure can cause significant harm and requires the highest level of legal justification to process.
Salary / Income
A person's salary, income, or financial details are personal data under GDPR when linked to an identifiable individual. Common in HR documents, payroll records, and employment contracts.
£65,000 per annumVehicle Registration Number
A vehicle registration (licence plate) can identify its registered owner via public records. Appears in incident reports, insurance records, and parking logs. Treat as PII before sharing documents.
AB12 CDEUsername / Online Handle
A pseudonymous handle consistently linked to a real person (via profile photo, location, or real name elsewhere) is personal data under GDPR. Most usernames in business records qualify.
@jsmith_londonPhotos / Images
Photographs of individuals are personal data under GDPR. When processed via facial recognition, they additionally qualify as special category biometric data requiring explicit consent.