How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?

Data Protection & Cyber Security

Russia

The Personal Data Law defines PII as any information relating to a (directly or indirectly) identified or identifiable individual (data subject). This definition is construed in a very broad manner by the courts and Roskomnadzor. In this regard, information will likely be considered PII if it allows even indirect identification of a data subject. However, quite often defining whether this or that information constitutes PII requires a case-by-case analysis.

Other important definitions under the Personal Data Law are as follows:

Data controller means a legal entity arranging (alone or jointly with others) and/or carrying out processing of PII, as well as defining the purposes of processing, the operations performed on the PII (types of processing), the scope and the categories of the PII.

Data Processor means a person carrying out processing of PII upon assignment of the data controller.

Processing of PII means any action (operation) or set of actions (operations) performed with the use of automated means or without such, including collection, recording, systematization, accumulation, storage, specifications (updating, modification), retrieval, use, transfer (dissemination, provision, access), depersonalization, blockage, deletion, destruction of PII.

Automated processing of PII means processing of PII using means of computer technology.

Distribution of PII means any actions aimed at disclosure of PII to an unlimited number of people (audience).

Provision of PII means actions aimed at disclosure of PII to a specified (limited) number of people (audience).

Blocking of PII means the temporary termination of the data processing.

Destruction of PII means actions which make it impossible to recover PII from information systems and/or the destruction of media holding PII.

Anonymization of PII means actions which make it impossible to identify the data subject from PII without additional information.

Information system of PII means a set of PII contained in databases and the information technologies and technical means ensuring their processing.

Cross-border (international) transfer of PII means the transfer of PII abroad to foreign state authorities, foreign citizens or foreign legal entities.

For details regarding processing of sensitive PII, please refer to Q.6.

Argentina

The Data Protection Law defines personal data as any kind of information referring to individuals or legal entities, whether identified or identifiable.

Moreover, the Data Protection Law defines sensitive personal data as personal data revealing racial or ethnic origin, political affiliation, religious, moral or philosophical convictions, union activity or information related to health or sexual orientation.

Among other definitions, the Data Protection Law also defines: (i) data subject, as any individual or legal entity with legal domicile, offices, or branches in Argentina, and whose data falls under the scope of the Data Protection Law; (ii) database, as any organized collection of personal data that is processed, electronically or otherwise, regardless of the means for its establishment, storage, organization or access; and (iii) data controller, as the individual or legal entity that is the owner of a database.

Brazil

The LGPD defines:

  • Personal data as information regarding an identified or identifiable natural person;
  • Sensitive personal data as personal data concerning racial or ethnic origin, religious beliefs, political opinions, philosophical membership of trade unions or religious, philosophical or political organizations, data concerning health or sexual life, genetic or biometric data, when related to a natural person.

Other key definitions are:

  • Data subject: a natural person to whom the personal data being processed refers;
  • Data controller: natural person or legal entity, of public or private law, responsible for making decisions about the processing of personal data;
  • Data processor: natural person or legal entity, of public or private law, that processes personal data in the name of the controller;
  • Data protection officer: person appointed by the controller, who acts as a channel of communication between the controller and the data subjects and the supervisory authority;
  • National authority: agency of the indirect public administration responsible for supervising, implementing and monitoring compliance with this Law.

Bulgaria

All the key definitions related to data protection and privacy are set forth in GDPR. The definition of personally identifiable information (PII) stems from the definition of personal data, which is data relating to an identified or identifiable natural person (Article 4(1) GDPR). An identifiable natural person is one who can be identified directly or indirectly by reference to:

  • An identifier, such as a name;
  • An identification number;
  • Location data;
  • An online identifier, such as an internet protocol (IP) address;
  • One or more factors specific to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

Information relating to an identified or identifiable natural person that has undergone pseudonymisation is also considered personal data, since pseudonymised data could still be attributed to a natural person with the use of additional information (Recital 26 GDPR; for more information on pseudonymised data, see Practice Note, Anonymization and Pseudonymization Under the GDPR (W-007-4624)).

Sensitive PII relates to the special categories of personal data as defined in Article 9, para. 1 GDPR, namely data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or relating to trade union membership, genetic or biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The PDPA provides for some specific definitions, including:

  • ‘processing on a large scale’ is monitoring and/or processing of personal data of a significant or unlimited number of data subjects or volume of personal data in cases where the main activities of the data controller or the data processor of personal data, including the means for their execution, consist in such operations (para. 1, it. 15 of the Additional provisions of the PDPA);
  • ‘public body’ is a state or local authority or structure, the main purpose of which is related to the spending of public funds.

Switzerland

Personal data are defined as all information relating to an identified or identifiable person (art. 3 lit. a FADP). It is important to mention that Swiss law currently still covers not only information relating to individual persons, but also to legal entities (see the definition of data subjects in art. 3 lit. b FADP where both categories of persons are mentioned).

In a landmark decision dealing with the question of whether an IP address is personal data, the Swiss Federal Court, the highest Swiss court, defined personal data as follows (see BGE 136 II 508): "A person is identified when it is clear from the information itself that it is precisely that person. The person is identifiable if he or she can be inferred on the basis of additional information. However, not every theoretical possibility of identification is sufficient for the determinability. If the effort is so great that, according to general life experience, it is not to be expected that an interested party will take it upon himself, there is no identifiability. The question is to be answered depending on the concrete case, whereby in particular also the possibilities provided by technology are to be considered, so for example the search tools available in the Internet. Of importance, however, is not only what effort is objectively required to be able to assign a certain piece of information to a person, but also what interest the data processor or a third party has in identification."

Regarding the definition of sensitive personal data, see Question 2 above.

Spain

The definition of personally identifiable information is established in the GDPR, article 4, where personal data are deemed any information relating to an identified or identifiable natural person. On the other hand, sensitive PII is defined, in article 9 GDPR, as any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

All the key definitions for the purposes of the GDPR are set out in article 4, which also defines the concepts of genetic data, biometric data and data concerning health.

In Spain, the previous personal data protection law (Organic Law 15/1999, of 13 December) already used the same definition of "personal data", which was established by Directive 95/46/EC, now repealed by the GDPR.

With regard to the concept of health data, the GDPR defines it as any «personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status». This definition should be read together with recital 35 of the GDPR, which supplements it to include information relating to the past, current or future physical or mental health status, disease risk, medical history, genetic and biological data or samples, among others.

This concept of health data is broader than the one defined by the previous Spanish data protection law, the only legal text where a legal definition of this concept could be found, although it was not a definition of "health data" of its own, since that definition was given by the repealed Directive 95/46/EC. Moreover, the Spanish law regulating patient autonomy gives definitions only for medical information and medical history, which are very limited and exclusive to health centres and services. Therefore, the definition given by the GDPR has to be used in more general terms.

Chile

According to the Data Privacy Act, personal data is any information concerning natural persons, identified or identifiable.

Sensitive data: the Data Privacy Act enacts more severe rules regarding sensitive data, which refers to the physical or moral characteristics or circumstances of the private life or intimacy of persons, such as personal habits, racial origin, ideologies and political opinions, beliefs or religious convictions, conditions of physical or mental health and sex life.

China

Personal information under the CSL is defined as the information that is recorded in electronic or any other form and used alone or in combination with other information to recognize the identity of a natural person.4 The PI Specification expands the definition of “personal information” to include the information that reflects a person’s activities.5

Personal sensitive information is defined in the PI Specification as information that, if leaked, illegally provided or used without authorization, will endanger human rights and property interest, or cause damages to reputation, physical and mental health, or lead to discriminatory treatment.

Another key concept is the “important data” that is defined as data closely related to national security, economic development, and social and public interests.6

4 - CSL. § 76.5.

5 - PI Specification. 3.1.

6 - Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft) (《个人信息和重要数据出境安全评估办法》(草案)). § 17 (stipulating that specific scope of “important data” needs to refer to relevant national standards and important data identification guidelines for its specific scope. The official national standards and guidelines have not come out yet).

Germany

‘Personal data’ is the European equivalent of PII, but the term does not quite match the PII definition used in the United States. Basically, PII is more narrowly defined than the definition of personal data in the GDPR. For example, the IP address belongs to personal data under the GDPR, but conversely, does not fall under the term PII. Nevertheless, most people also classify personal data as PII.

In the European sense, ‘personal data’ constitutes any information relating to an identified or identifiable natural person (‘data subject’). Amongst other key definitions Art. 4 GDPR provides a wide margin of interpretation for the term. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The concept of sensitive data is covered under the term ‘special categories of personal data’ in Art. 9 GDPR. The article defines these special categories as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. While Art. 9 GDPR stipulates several exceptions, the general rule is that the processing of such data shall be prohibited.

Further definitions for the terms ‘genetic data’, ‘biometric data’ and ‘data concerning health’ used in Art. 9 GDPR can - again - be found in Art. 4 GDPR. As the central section for definitions Art. 4 GDPR is well worth a look. Some other examples of key definitions therein include ‘processing’, ‘cross border processing’, ‘consent’, ‘pseudonymisation’, ‘controller’, ‘processor’ and ‘recipient’.

India

Privacy Rules

The Privacy Rules define PII and sensitive PII as follows:

(a) PII - means "any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person".

(b) Sensitive PII of a person means "such personal information which consists of information relating to:

(i) password;

(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v) medical records and history;

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

provided that any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules".

Privacy Bill

The Privacy Bill renames the terms PII and sensitive PII as "personal data" ("PD") and "sensitive personal data" ("SPD"), respectively. In this guide, any reference to PD and SPD in context of the Privacy Bill will mean PII, and sensitive PII respectively.

No material amendment is proposed in respect of PD;15 however, the scope of SPD is proposed to be enhanced.

SPD has been defined under the Privacy Bill to include passwords, financial data, health data, official identifier, information regarding sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, and any other category of data as may be specified by the Authority.16 Therefore, the proposed definition will bring in new concepts to the definition of SPD such as official identifier,17 information regarding sex life, genetic data,18 transgender status,19 intersex status,20 caste or tribe, and religious or political belief or affiliation.

15 - "Personal data" is defined in the Privacy Bill to mean "data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information".

16 - Note that SPD is a sub-set of PD.

17 - "Official identifier" is defined in the Privacy Bill to mean "any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal".

18 - "Genetic data" is defined in the Privacy Bill to mean "personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the behavioural characteristics, physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question".

19 - "Transgender status" is defined in the Privacy Bill to mean "the condition of a data principal whose sense of gender does not match with the gender assigned to that data principal at birth, whether or not they have undergone sex reassignment surgery, hormone therapy, laser therapy, or any other similar medical procedure".

20 - "Intersex status" is defined under the Privacy Bill to mean "the condition of a data principal who is - (i) a combination of female or male; (ii) neither wholly female nor wholly male; or (iii) neither female nor male".

Indonesia

The current prevailing regulations have not differentiated between personally identifiable information (“PII”) and sensitive PII. The broad definition of Personal Data under MCI Regulation 20/2016 covers both PII and Sensitive PII.

Portugal

Since 25 May 2018 the definition of PII is the one resulting from the GDPR, i.e., any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and the same applies to sensitive PII, known as special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation) and to the data relating to criminal convictions and offences or related security measures.

Both the Portuguese Constitution and the Data Protection Law also consider as sensitive data information related to the private life of the data subject (data of a highly personal nature, such as data linked to household and private activities). We shall wait to see how, and on what terms, the new Data Protection Law will address this information.

United Kingdom

The UK (along with the EU) uses the terms personal data and special category data. These concepts are not identical to the term personally identifiable information (PII).

Personal data is any information relating to an identified or identifiable natural person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors. If a business is considering whether an individual is identifiable the business will need to take into account the information it is processing together with all the means reasonably likely to be used to identify that individual. Even if an individual is identified or identifiable, directly or indirectly, from the data, it is not personal data unless it ‘relates to’ the individual. When considering whether information ‘relates to’ an individual, the business needs to take into account a range of factors, including the content of the information, the purpose or purposes for which it is processing it and the likely impact or effect of that processing on the individual.

Other key definitions include:

  • a 'controller' is the party that determines the purposes and the means by which the personal data is processed. For example, a business decides what data it collects on its employees and how it uses it. It will be a controller in respect of that data.
  • a 'processor' is the person that processes personal data on behalf of the controller. For example, a service provider who provides payroll services for an employer.

Sweden

The terms personally identifiable information (PII) and sensitive PII are not used. Instead, key definitions are personal data and special categories of personal data. Both of these terms are defined in article 4 of the GDPR.

The term “personal data” is defined in article 4 of the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

The term “special categories of personal data” is explained in article 9 of the GDPR as “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited”.

Other key definitions which are set out in article 4 of the GDPR are controller, processor and processing.

The term “controller” is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.

The term “processor” is defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

The term “processing” is defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

Greece

According to article 4 of the GDPR, as well as article 3 par. 1 (a) of the Greek draft law, personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Furthermore, according to article 9 par. 1 of the GDPR, as well as article 3 par. 1 (ja) of the Greek draft law, special categories of personal data (‘sensitive’ personal data) refer to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Finally, article 3 par. 1 of the Greek draft law includes definitions of genetic data (par. jb), biometric data (par. jc) and health data (par. jd).

Turkey

Within the purposes of the Law No. 6698, personal data is construed as all information relating to an identified or identifiable natural person; whereas the types of special categories of personal data are exclusively enumerated. Pursuant to Article 6 of the Law No. 6698, special categories of personal data include data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade-unions, data relating to health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. Notably, data relating to “appearance and dressing” is not provided under the exhaustive list of special categories of personal data under the GDPR but is considered as such under the Law No. 6698.

Austria

The definitions of the GDPR apply (in particular art. 4 GDPR).

France

The definition of personally identifiable information ('PII') provided for by the French DPA 1978 is consistent with GDPR's definition of personal data in its Article 4(1).

The GDPR defines personal data as any information relating to an identified or identifiable natural person (‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What identifies an individual could be as simple as a name, a number or an identifier such as an IP. Personal data can also be data that are not associated with the name of a person but can easily be used to identify him or her. For example, data which reveal a person's habit or taste can be personal data insofar as he or she can be identified. Even if an individual is identified or identifiable, directly or indirectly, from the data, it is not personal data unless it ‘relates to’ the individual. When considering whether information ‘relates to’ an individual, the business needs to take into account a range of factors, including the content of the information, the purpose or purposes for which it is processing it and the likely impact or effect of that processing on the individual.

To consider whether data constitutes personal data, account must be taken of all the means available to the data controller to determine whether a person is identifiable. Of particular relevance here is the possibility for the data controller to aggregate different sets of data so as to enable the identification of individuals. As a result of the possibility to combine data, some sets of data may be personal data for some organisations due to the additional sets of data available to them, but may not be personal data for other organisations.

In the EU including France, sensitive PII is now known as 'special categories of personal data'. Special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (GDPR, Article 9(1); and French DPA 1978, Article 6(I)).

Other key definitions include:

  • a 'controller' is the party that determines the purposes and the means by which the personal data is processed. For example, a business decides what data it collects on its employees and how it uses it. It will be a controller in respect of that data;
  • a 'processor' is the person that processes personal data on behalf of the controller. For example, a service provider who provides payroll services for an employer.

United States

Because there is no single, overarching privacy law in the U.S., there is no one concept of personal data or personal information. In general, all U.S. privacy laws protect some form of “personal data,” “personal information (PI),” or “personally identifiable information” (PII), but the scope of coverage varies significantly. Some of these laws may also have special designations for sensitive information, such as health information, and Social Security numbers (SSNs) or tax identification numbers, requiring additional disclosures or protections before that data can be collected or processed. PII generally refers to information used to distinguish or trace an individual’s identity, such as name, SSN, date of birth, mother’s maiden name or biometric records, or any other information that is linked or linkable to an individual.

For data breach notification purposes, the definition of “personal information” is usually laid out in each state’s data breach notification law and may vary by state. However, most breach notification laws define personal information as an individual’s name plus:

  • SSN;
  • driver’s license number; or
  • financial account number, if paired with sufficient information to access funds in the account.

Other definitions of “personal information” or “personal data” under federal law include:

  • personal information, broadly defined under COPPA;
  • protected health information (PHI), defined in HIPAA;
  • nonpublic personal information, defined in GLBA; and
  • consumer credit and other information, defined in FCRA.

State definitions of PII and PI vary as well. The California attorney general, for example, has stated that mobile device identifiers are PI. Additionally, California’s privacy laws set out their own definitions of “personal information.” For example, California’s Shine the Light law identifies 27 categories of personal information, including – in addition to common PII categories – the number, age and gender of children; political party affiliation; products purchased, leased or rented by a consumer; real property purchased, leased or rented; payment history; and type of service provided. The forthcoming CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and specifically includes unique ID, IP address, device ID, demographics and classifications, usage data, transactions and inquiries; biometric information; geolocation data; audio, electronic, visual, thermal, olfactory or similar information; preferences; inferences drawn to create a profile about a consumer; and educational information. Under the CCPA, there are 11 categories of personal information, and these categories must be used when providing required notices of purposes of collection, use and disclosure.

Malaysia

“Personal Data” has been defined in the PDPA as any information in respect of commercial transactions, which:

(a) Is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;

(b) Is recorded with the intention that it should wholly or partly be processed by means of such equipment; or

(c) Is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2009. Sensitive personal data, on the other hand, is defined as personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence, or any other personal data as the Minister may determine by order published in the Gazette. The PDPA defines the ‘Data Subject’ as the individual who is the subject of the Personal Data, whereas a ‘Data User’ is a person who, either alone or jointly with other persons, ‘processes’ Personal Data, or has control over or authorizes the processing of any Personal Data.

Gibraltar

The GDPR draws a distinction between “personal data” (i.e. PII) and “special categories of personal data” (i.e. sensitive PII). Personal data means any information relating to a data subject. A data subject is a natural person who can be identified by reference to an identifier (e.g. a name, an identification number, location data, an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Sensitive PII includes personal data revealing:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs or trade union membership;
  • genetic data;
  • biometric data for the purpose of uniquely identifying a natural person;
  • data concerning health; or
  • data concerning a natural person’s sex life or sexual orientation.

Ireland

Ireland (along with the EU) uses the terms personal data and special category data. These concepts are not identical to the term personally identifiable information (PII).

Personal data is any information relating to an identified or identifiable natural person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data is treated as 'special category' personal data if the data reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or if it is genetic data or biometric data that is processed for the purpose of uniquely identifying a natural person, or if it is data concerning health or data concerning a natural person’s sex life or sexual orientation ('special category data').

What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors. If a business is considering whether an individual is identifiable, the business will need to take into account the information it is processing together with all the means reasonably likely to be used to identify that individual. Even if an individual is identified or identifiable, directly or indirectly, from the data, it is not personal data unless it ‘relates to’ the individual. When considering whether information ‘relates to’ (or tells something about) an individual.

The GDPR gives examples of identifiers, including names, identification numbers, and location data. A person may also be identifiable by reference to factors which are specific to their identity, such as physical, genetic or cultural factors.

Other key definitions include:

  • a 'controller', being the party that determines the purposes and the means by which the personal data is processed. For example, a business may determine what data it collects, and how it uses it in respect of its employees. It will be a controller in respect of that data; and
  • a 'processor', being the party that processes personal data on behalf of a controller. For example, a service provider that provides payroll services for an employer will typically be a processor.

Japan

  1. The definition of personal information is stipulated in Article 2, Paragraph 1 of APPI.
  2. (Definitions)
    Article 2 The term "personal information" as used in this Act shall mean information about a living individual applicable to any of the following items:

    (i) information containing a name, date of birth, or other descriptions, etc. (meaning any and all matters (excluding an individual identification code) stated, recorded or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record (meaning a record kept in an electromagnetic form (meaning an electronic, magnetic or other forms that cannot be recognized through the human senses; the same shall apply in the succeeding paragraph, item (ii)); the same shall apply in Article 18, paragraph (2)); hereinafter the same) whereby a specific individual can be identified (including those which can be readily collated with other information and thereby identify a specific individual); or

    (ii) information containing an individual identification code.

  3. The definition of special care-required personal information is stipulated in Article 2, Paragraph 3 of APPI, and Article 2 of the Cabinet Order.
  4. "Special care-required personal information" in this Act means personal information comprising a data subject's race, creed, social status, medical history, criminal record, fact of having suffered damages by a crime, or other descriptions, etc. designated by a cabinet order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the data subject.
  5. Article 2 of the Cabinet Order
    (Special care-required personal information)
    Article 2 The descriptions, etc., referred to by the Cabinet Order stipulated in Article 2, Paragraph 3 of APPI shall be descriptions, etc., that contain any of the following matters (excluding those that would qualify as a person's medical history or criminal background):

    (i) Physical disabilities, mental disabilities, mental disorders (including developmental disorders), or other mental or physical functional disorders as defined by rules of the Personal Information Protection Commission;

    (ii) Results of medical examinations and other tests (referred to as “medical examinations, etc.” in this same item) of data subjects for the prevention and early detection of diseases conducted by doctors and other persons engaged in medical-related duties (referred to as “doctors, etc.” in the succeeding item);

    (iii) Guidance, medical treatment or dispensing medicines for the improvement of mental and physical conditions of the data subject by doctors, etc. based on the results of medical examinations, etc., illness, injury or other mental or physical changes;

    (iv) Procedures related to arrest, search, seizure, detention, prosecution and other criminal cases involving the data subject as the suspect or accused; or

    (v) Procedures related to investigations, measures for observation and protection of juveniles, hearings and decisions, protective measures and other juvenile protection cases involving the data subject as the juvenile or suspected person as stipulated in Article 3, Paragraph 1 of the Juvenile Act (Act No. 168 of 1947).

  6. Other key definition: Personal data

"Personal data" means personal information which constitutes a personal information database. Under Japanese law, the terms “personal data” and “personal information” are defined separately. The law imposes special obligations on business operators that handle personal data. This is because personal data requires a greater level of protection than personal information.

Updated: September 25, 2019