Personal Data and Sensitive Personal Data
Personal data is any data relating to an identified or identifiable natural person, directly or indirectly. Sensitive personal data is a special category needing explicit consent, and data is only anonymized if the process is irreversible.
Personal data is broadly defined as any data relating to an identified or identifiable natural person, directly or indirectly. If separate pieces of data can be combined to identify someone, they constitute personal data. De-identified, encrypted, or pseudonymized data remains personal data as long as it can be used to re-identify the person. Data counts as anonymized only if the process is irreversible.
Under the GDPR, an IP address and a cookie ID are examples of personal data - even though they are often not considered PII in the United States. Watch for stems contrasting EU and U.S. treatment.
- Personal data examples: name, home address, email with a name, ID card number, location data, IP address, cookie ID, phone advertising ID, data held by a doctor even if separated from the patient's name
- NOT personal data: a company registration number, generic role addresses like support@business.com, and anonymized data
Sensitive personal data is a special category receiving additional protection: race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and sex life or sexual orientation. Unless an exception applies, processing it requires explicit consent for a specified purpose.