One of the key components of the General Data Protection Regulation (GDPR) is the concept of ‘Personally Identifiable Information’, or PII.  Since a person can be identified by certain unique identifiers or by a combination of identifiers, it pays to understand what PII is and to know which data you are collecting and potentially processing on employees, prospects, recruiting candidates, or customers.

You might be surprised what is considered PII and how easy it is to identify someone with a couple of identifiers; therefore, knowing what falls into the PII bucket is key.  And it goes without saying, if you are collecting the PII of EU citizens, you are subject to GDPR.

The General Data Privacy Regulation, not surprisingly, is spelled out in a lengthy document. You may want to view the entire GDPR Document with all of its chapters, sections, and articles and in multiple languages and formats. Alternatively, the GDPR links found in the remainder of this post are from a helpful website that presents the GDPR in an easily searchable and linked format. 

So, what is Personally Identifiable Information, or PII? PII  is defined as any unique identifier or a combination of the following:

First Name or Initial + Full Last Name + any one of other personal characteristics (‘Personal Data’)

The logical next question is, what is considered Personal Data?

Many such answers can be found within the GDPR document, especially if you know where to look.  In the GDPR’s Chapter 1 – General ProvisionsArticle 4 has a number of GDPR definitions, including for Personal Data:

‘personal data’ means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’

In shorthand, personal data  is information about a person that can be used to uniquely identify that person. Here are some examples of what would be characterized as Personal Data. 

Full name Email Address Home Address Date of Birth Gender National ID #/Social Security #/Military ID
Disability Information Passport Number Visa Permits Number Drivers License # Vehicle Registration Plate # Location Information, IP Address
Education History  Employment History Grades Events Attended Customer Account # History Balance What you are doing, when / status
Sites Registered On Salary & Wage Info Job Position/ Title Photos Anything Commercially Sensitive Credit Card #, credit score, credit record
Digital or Physical Copy of Signature History / Background Mother’s Maiden Name Place of Birth Pin, Password, Password Prompts Insurance Details

 

Special Categories of PII – Articles 9 & 10

Article 9 – Special Categories Requiring Additional Protections

Article 9 of the GDPR introduces special categories (those that are even more sensitive and require additional protections) of data and also introduces special regulations concerning the  processing of those categories of data. These regulations apply when data processing reveals political opinions, philosophical or religious beliefs, ethnic or racial origin, or trade union membership and when data processing relates to a natural person’s sex life or sexual orientation, genetics, health, and in instances when bio-metric data is used for the purpose of uniquely identifying a person.  

Racial/Ethnic Background Political Opinions Philosophical/Religious Beliefs Trade Union Membership Sex Life/Sexual Orientation Health Genetics Bio-Metric Data used for the purpose of uniquely identifying a person(s)

 

Is It Ever Ok To Process Personal Data In These Article 9 Special Categories?

Though this type of personal information has additional protections, there are times when it is acceptable to process it. Keep in mind that these are high level summaries to give you a sense – not to give you permission. Individual Member States may also have their own requirements. You should always seek legal advice if you are considering processing this type of personal data and never assume that you could have lower standards for protecting any personal data, regardless of your permissions. 

In order to be able to process data in one of these categories, one the following conditions is required:

Explicit Consent

In this case, the Data Subject has given explicit consent for the processing of a given number of specificed purposes. Please note: Explicit consent does not apply in Member/Union states where there is a specific law that would overrule the need for explicit consent to carry out data processing activities of these categories of data. It also doesn’t apply when there is an un-even power structure such as data processing children’s or employees’ information.

To uphold the rights of the Data Controller or Data Subject

It is required processing in order to to do. This type of data processing is connected to the exercise of social security, employment, and social protection law, as long as the processing is authorized by the Union or Member State’s law or by a collective agreement in accordance with Member State law and as long as it provides appropriate safeguards for the fundamental rights and interests of the Data Subject.

The Data Subject is physically or mentally incapable of giving consent

In this case, the processing of data is required to protect the vital interests of that person or another natural person(s)

For a non-profit organization whose interest or pursuit is relate.d to a religious, philosophical, trade union, or political aim 

In this case, the non-profit organization is applying appropriate safeguards to secure its data and is processing the data in a legitimate way.  The processing of this sensitive information must relate only to the members, former members, or those who have regular contact with the organization. The sensitive personal data may also not be shared outside of that organization without the consent of the Data Subjects.

The Data Subject has made their own sensitive data public

This is pretty clear. If the Data Subject has already made the sensitive data public, it is not longer private.

Related to certain legal claims or court activities

When the processing of sensitive data is required for the exercise, establishment, or defense of a legal claim or whenever courts are acting in their judicial capacity.

Substantial public interest

When processing is necessary for reasons of substantial public interest, given that safeguards to protect the fundamental rights and freedoms of the Data Subject are provided.

When related to health conditions in certain situations 

When processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis by a health professional, the provision of health or social care or treatment or the management of health or social care systems and services.

To protect public health

The processing of sensitive data may be necessary to protect public health, such as to protect against serious cross-border threats to health or to ensure high standards of quality and safety of health care and of medicinal products or medical devices. 

To archive, or for scientific or historical research, or statistical purposes

Consistent with GDPR Article 89, where data processing’s purpose is to archive for the public interest, statistical purposes, and/or scientific or historical research. In any of these cases, of course, strict data protection measures must be in place. 

Article 10 – Special Categories Related To Criminal Convictions And Offenses

Article 10 of the GDPR explains that the processing of personal data relating to criminal convictions and offenses shall only be carried out by the official authorities and that any comprehensive register of such offenses should only be kept under the control of those authorities. An exception is when the processing of this particular data is authorized by European Union Member State law as long as those laws provide for appropriate safeguards to those individuals’ fundamental rights and freedoms. 

Know What Data You Are Processing

Clearly there are lots of different data types to take into consideration, and its important that you discern which types of data you are processing and that you have the lawful reasons for doing so. Be especially aware of the restricted data, the risks and potential fines are even higher.

Are you collecting and processing employee PII, but aren’t sure if your storage, sharing, and processing systems are compliant? Globig offers an affordable and elegant platform that is compliant “by design”, so you don’t have to worry about GDPR and can allocate your resources where they are used best – for effectively managing your company or organization. Take a quick tour and see how Globig can help you. 


As a disclaimer, this information is not intended to provide professional legal advice, nor is it our recommendation that you use it as the sole basis for making organizational decisions, especially in relation to the GDPR. Instead, it is our highest level recommendation that you use it for informative purposes and in preparation for working with legal counsel or other data protection experts before finalizing any decision that will affect the future of your business or organization.

Globig Newsletter

* indicates required