Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person.
It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
There are two sub-categories in personal data:
- Personally identifiable information (PII) such as a person’s name, surname, phone number, etc.
- Pseudonymous data or non-directly identifying information, which does not allow the direct identification of users but allows the singling out of individual behaviors (for instance, to serve the right ad to the right user at the right moment). Examples: cookie ID, hashed email, device ID.
Note that directly identifying information can be pseudonymized. Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.
GDPR establishes a clear distinction between directly identifying information and pseudonymous data. It encourages the use of pseudonymous information and expressly provides that “the application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations”.
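The separation described above can be shown in code. This is an added example, not part of the original page: it replaces direct identifiers with a keyed HMAC-SHA256 pseudonym and returns the linkage table as a separate object to be stored apart from the data. The field names, the choice of HMAC and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers in this example (an assumption).
DIRECT_IDENTIFIERS = {"name", "email", "phone"}

def pseudonymize(records, key, id_field="email"):
    """Return (rows, lookup): rows carry a pseudonym instead of direct
    identifiers; lookup maps pseudonym -> identifier and is meant to be
    held separately, under different access control than the rows."""
    rows, lookup = [], {}
    for rec in records:
        ident = rec[id_field].strip().lower()  # normalise before keying
        token = hmac.new(key, ident.encode("utf-8"), hashlib.sha256).hexdigest()
        lookup[token] = ident
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = token
        rows.append(row)
    return rows, lookup

def reidentify(row, lookup):
    """Linking a row back to a person needs the separately held table."""
    return lookup.get(row["pseudonym"])

# Constructed sample records (not real people or addresses).
SAMPLE = [
    {"name": "Alice Martin", "email": "alice@example.com",
     "phone": "+33 1 00 00 00 01", "page": "/pricing"},
    {"name": "Alice Martin", "email": "Alice@Example.com ",
     "phone": "+33 1 00 00 00 01", "page": "/signup"},
    {"name": "Bob Durand", "email": "bob@example.com",
     "phone": "+33 1 00 00 00 02", "page": "/pricing"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # secret key, stored apart from the rows
    rows, lookup = pseudonymize(SAMPLE, key)
    for r in rows:
        print(r)  # behaviour is still linkable per pseudonym
    print("with lookup:   ", reidentify(rows[0], lookup))
    print("without lookup:", reidentify(rows[0], {}))
```

The first two rows share a pseudonym, so individual behaviour can still be singled out, which is why the output remains personal data rather than anonymous data.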